On Data Privacy Day it is important to look at some of the common themes at the root of high profile data protection issues in Ireland and elsewhere over the last while.
From Irish Water to Mass Surveillance, one of the common causes of failure has been a lack of focus on the Information Asset Life Cycle and what that means for the governance of data and information in organisations. All too often organisations and government departments jump to obtain data with limited investment of time or effort in planning for the use, governance, and control of the asset. Whether it is unnecessary collection of PPS (social insurance) numbers for a water utility or the mass collection and retention of passenger name record data for travellers into and out of the EU, the life cycle of information is essential to ensure privacy challenges can be balanced.
Many of these initiatives are innocuous in their initial forms. Indeed, many have potentially significant benefits. But the road to heck is often paved with good intentions, as IBM learned in the 1930s and 1940s with one of its largest clients. This month, not only do we celebrate #DataPrivacyDay, but we commemorate the negative impacts of excessive data processing in its ugliest form. It is worth remembering that simple fact. It is that fact that resulted in the Universal Declaration of Human Rights, and ultimately led to Directive 95/46/EC, the EU Charter of Fundamental Rights (particularly Article 8), and the current structures and principles for Data Protection in Europe. (Cynically, one might say that, given our history, there is a very good reason for ensuring that the Data Protection Authority of a country is fully independent of Government.)
Common issues in recent Irish Government data-driven initiatives have included:
- A move to begin gathering data without the ability to answer simple questions about what the purpose for the data will be, how long it will be retained for, who it might be shared with (and why), and what purposes it might be put to.
- A mantra-like iteration of the phrase “We have discussed this with the Data Protection Commissioner”, or similar words, with little consideration of either the actual role of the DPC (enforcement) or the time-lag between the consultation with the DPC and the “go-live” for the project.
- A fall-back to “mushroom management” approaches to dealing with queries from data subjects, political representatives, and the media.
This is all avoidable.
The Information Asset Life Cycle sets out a set of generic Asset Life Cycle steps that all assets, including data and information, go through.
- When organisations begin at the “Obtain” stage, they invariably find that they encounter challenges at the “Store and Share” stage because they do not know who they are going to share data with, what format it needs to be in, what controls and structures need to be in place, and what the critical risks are that need to be mitigated. This often results in data being shared inappropriately, using inappropriate technologies, or with excessive data being transferred. It can also result in data being stored in an inappropriate location, in an insecure manner, or in a format that is cumbersome to search and retrieve data from.
- Organisations then encounter problems at the “Maintain” stage. How is the data to be kept up to date? What scenarios might arise that would result in a change in the data? How will the copies of the data that exist be kept in sync? What are the required quality standards for the data? Who is responsible for the quality of the data?
- At the “Apply” stage, the organisation actually gets value from the data. It can be used to save money, improve return on investment, improve decision making, and improve delivery of services. But only if the right data was obtained. And only if it is stored and shared correctly. And only if it is maintained to the right level of quality so that it can be trusted.
- At the “Dispose” stage, the organisation has to get rid of the data once its useful life has ended. When is that? How will the data be disposed of? What level of anonymisation might be applicable to the data? Can derived data be retained even if personally identifiable data must be destroyed?
These are all factors that need to be considered in the PLAN stage. That is where an organisation can conduct a Privacy Impact Assessment (PIA) or an Information Risk Impact Assessment (IRIA). It is where the Data Governance structures and principles about “how to decide” can be defined for those things that might be unknowns at the outset. For example, if there are potential future uses for data, a clear Data Governance framework with clear decision rights, responsibilities, and accountabilities can be put in place that allows transparent and appropriate decisions to be taken on future access to data. In the “Plan” stage of the life cycle, the overall Data Strategy should be defined and aligned with appropriate governance. “Build databases” is not a data strategy, unless you have hired the Underpants Gnomes as your consultants.
It is a Cycle for a Reason….
Of course, the PLAN is not a static thing. It must be reviewed and renewed regularly. Things change. Technologies change. Intended uses for sharing of data change. Mechanisms for obtaining data change. Laws change.
In that context, the mantra of “We’ve checked with the Data Protection Commissioner” is a cop-out. What it means is that, on a particular day, when presented with a particular set of facts, the Office of the Data Protection Commissioner indicated that there was nothing immediately non-compliant in the proposed processing, based on the interpretation of the law as it applied on that day. But if any of the facts change, then the risks of non-compliance change. This is why we strongly recommend to clients that they take internal control of their Data Protection compliance and run it as an active management function. Outsourcing it to the Regulator gives a false sense of security: that is not the job of the Regulator, it is the responsibility of the Data Controller.
Organisations need to ensure that they have appropriately trained staff engaged in making planning and design decisions for personal data. We also recommend that organisations work hard to avoid “Group Think” in their internal Privacy Impact Assessments, either by having a dedicated “Red Team” (a parallel project team that challenges assumptions and presents alternative scenarios for decision making) or by hiring in appropriately skilled external advisors to play that “devil’s advocate” role, so that the organisation has its homework done before it asks the Data Protection Commissioner to correct it.
How Castlebridge Associates can help
Castlebridge Associates provides a range of services that can help organisations properly manage their data protection obligations through the Information Asset Life Cycle. Drawing on proven methodologies in Information Quality, Data Governance, and Privacy Engineering, we can provide:
- Structured frameworks for Privacy Impact Assessments, based on best practice and on quality and risk management principles.
- Data Governance frameworks for Data Protection compliance
- Privacy by Design and Privacy Engineering training
- Data Governance and Data Quality Training
- Training and coaching for key staff
- Policy definition and process design
Contact us if you would like to find out more!

[Header image is a Public Domain image sourced from Wikimedia Commons]