I’ve been doing some work with a client recently looking at how they are currently managing their information assets. What I’m bringing to the table with this client is a wealth of experience seeing what happens when you silo problems or issues or objectives into neat little stove pipes that can be managed along the vertical of an organisation’s traditional hierarchy, as well as experience of what happens when you turn things on their side and start managing horizontally.

Because Information is a wonderful asset that has magical properties that allow it to span an organisation, it is essential that organisations who are looking to tackle Information Quality, Data Protection, or Data Governance issues start to think along the Horizontal and build coherent teams that break down barriers to people doing good work.

In fact, that is one of W. Edwards Deming’s 14 Points for Management Transformation.

So, having done all this good work with my clients, I was a bit dismayed to read about the forthcoming Finance Bill (very soon to become the Finance No.1 Act 2011), which contains sections that replicate (imperfectly and incompletely) the provisions of the Data Protection Acts 1988 and 2003. By bolting provisions like this into a piece of legislation, the Government (and the Opposition) are adding yet more fudge and confusion to the management and governance of Data Protection in Ireland. Rossa McMahon, an Irish lawyer with an interest in Data Protection, has written a critique of the legislation on his blog.

This is a VERY bad thing for a number of reasons.

  1. It sends a signal that the Data Protection Acts are not as important as other legislation. It appears that consultation and discussion are required before any changes to the DPA can be made. But poorly thought through provisions can be thrown into the Finance Bill without any apparent consideration of whether existing laws might meet the need.
  2. At the current state of knowledge and awareness that pervades in Ireland, having a second (actually a third if you count FOI) set of legislative provisions which address Data Protection issues is just an invitation for Chinese Whispers and confusion about what is involved in Data Protection. The fact that s.73 relates only to breaches of Data Security by the Revenue Commissioners is an invitation for people to think they can ignore the Data Security Breach Code of Practice.
  3. For a number of years industry experts and privacy activists have been calling for increased penalties and enhanced enforcement mechanisms for the Data Protection Commissioner, including the creation of specific offences re: breaches of Data Security. It would be FAR better to pull s.73 from the Finance Bill and instead create a new offence under the Data Protection Acts which would then apply to ALL Data Controllers and Data Processors.
  4. The Data Protection Acts will probably be reviewed and renewed in the coming months on foot of the EU/European Commission review of the underlying Directive 95/46/EC. What then for the provisions of s.73?

For a set of rules to be effective in a Governance model there must be one set of rules and people need to know where to look for them. It was this reasoning that brought about the Taxes Consolidation Act (pulling all the various tax laws into one codex). It makes no sense from a good governance perspective to fragment already misunderstood legislation, particularly when standing back from the stovepipe gives you the opportunity to actually improve the impact and value of the reasoning behind the legislative provision by putting it in the right place.