The key area of overlap between Information Quality, Data Governance, and Data Protection is in the area of outcomes. More accurately the key overlap area is the need to focus on the outcomes that are expected or required by key stakeholders in the process.
- Is the data being captured in a process of sufficiently high quality to support analytics or other “down stream” purposes (i.e. is the down stream outcome going to be met?)
- Are the controls and checkpoints that are being put in place sufficient to ensure that the data is maintained at the right level of quality and that everyone knows what the rules are for using that data for current and future purposes (i.e. are there enough controls in place to mitigate the risk of unexpected and unwanted outcomes?),
- Do the individuals who are giving you information understand what purposes and uses their data will be put to? (i.e. is there a risk that they will be surprised by an outcome that arises, such as receiving a marketing message?)
- Will a Privacy Regulator be happy that you have implemented appropriate controls (i.e. will you have an unexpected negative outcome of an audit or investigation, and will the Regulator be surprised by anything you are doing?)
Stephen Covey advises us to “begin with the end in mind”. My experience is that the only way to ensure a quality system approach to meeting and managing expectation around outcomes from data processing is to walk a mile in the other person’s mocassins. Look at the process from the perspective of the different stakeholders to understand their needs, expectations, and potential areas of confusion.
Imagine you are a manager in an organisation with a high-traffic website. You are approached by a company who is proposing a partnership where you will use your website to promote a survey they are running to capture data about a individuals and their attitudes and issues in relation to the effect of commuting on fitness and obesity levels in Ireland. The company is developing life-logging applications with potential uses in health monitoring.
Putting on the mocassins of your website visitors
What would your customers make of how you communicate this collaboration? How will you make sure that the roles and responsibilities with regard to the capture and use of the data are clearly communicated? As you are getting people to take part in a survey that is processing sensitive personal data, how will you make sure you are getting clear and explicit consent to the processing of that data by the technology company you are collaborating with? What is in it for your customers/site visitors? What might their concerns be about the potential future uses of their data? How can you communicate what you will be doing to prevent any such negative outcomes? How long will the data be retained for?
Don’t look at it from your own perspective. You need to wear the mocassins of your customers.
Putting on the mocassins of your “down stream” data users
You are capturing data for the purposes of this survey. But are there other uses that you might want to put this data do in the future? Who wants this? Looking at the way the scope and approach to gathering data is being described to the customer, are you sure you are actually telling people about these potential secondary purposes (for example – are you hoping to build a mailing list to promote a future product launch or product trial? That’s a secondary purpose that would require consent, and not disclosing it could be a breach of Research Ethics guidelines from the Market Research Society). Is the data being captured in a useable or useful format? How long will the data be retained for? Would the data still be useful if aggregated or anonymised?
Putting on the mocassins of the Regulator
Regulators are concerned with ensuring you have appropriate systems of control to ensure and assure compliance with relevant legislation. Data Protection regulation may be just one of a number of regulatory codes you need to comply with. And when the Regulator comes walking softly in their mocassins, what information will you be able to provide them to demonstrate the existence of effective controls processs, appropriate decision rules and rights, and required contractual and other controls over the use of data? What is the Data Protection Commissioner (for example) going to want to see to help them identify if you have communicated fairly the specific purposes for which you will be processing data? What will the Data Protection Commissioner look to review when trying to figure out the relationship between the parties to the project?
The role of the Devil’s Advocate
A good practice in journalism is that, where an organisation is about to run a story that is controversial and will be challenged aggressively, a second team of journalists is assigned to the story to disprove it and find the holes. Similar practices exist in other industries as a way of formally punching through “group think”. These “Devil’s Advocates” have the role of making sure the organisation has walked in the mocassins of other parties to the story or other stakeholders in the project.
In order to ensure good quality outcomes in Data Protection, it is always important to respect the Data Governance principle of Segregation of duties – having a second team whose role is simply to make sure that the right mocassins are being walked in and the right effort is being put in up front to set the highest possible standards to ensure that the outcomes from the data processing are properly understood.
And, if things still go wrong after you have walked that mile in the other person’s mocassins, it is important to remember that you will be a mile away. And you will still have their mocassins.
In other words, you will have extensive ‘homework’ done that can be demonstrated to Regulators, courts, or the court of public opinion.