Data Protection and its Information Quality Implications
July 2008: Originally published in IDQ Newsletter Vol 4 Issue 3
Daragh O Brien
INTRODUCTION AND CONTEXT
In recent years, both sides of the Atlantic have seen a number of high profile losses of personal data (and doubtless in other areas that don’t get as much publicity).
Whether it was the loss of credit card and other customer information by TJMaxx  , the loss of millions of taxpayer records by the authorities in the UK  , the theft of a laptop containing personal data of Irish citizens from a contractor in the United States  , or the loss of laptops containing personal information on thousands of customers by a leading Irish bank , such events have made customers more aware of (a) the type of information that companies and organisations have about them; (b) the impact and costs to customers arising from the loss of such data; and (c) the relevant legislation and legislative models governing the protection of personal data.
In the simplest analysis, there are two basic schools of thought around Data Protection. The first, which I call the ‘US model,’ evolved reactively through the addition of data privacy provisions in disparate pieces of legislation. Each piece of legislation was introduced in reaction to a specific issue or context,  and each State has slightly different standards. For example, California was the first state to adopt a Breach notification requirement  . Under the US model, privacy and data protection are contractual obligations, and individuals must ‘opt-out’ of having their personal data shared.
The other school of thought is the ‘European model,’ which is based on the fundamental right to privacy as enshrined in the European Charter on Human Rights. Unlike it’s more reactive US counterpart, the European model sets out a prescriptive set of principles and guidelines against which organisations that process personal data can check their conduct to ensure they are meeting the expectations of privacy and protection of personal data.
The focus, at all times, is on the ‘data subject’ (the person the information relates to), and the obligations of the ‘data controller’ and the ‘data processor’ (the organisation and any other agency working with that information on their behalf) to the individual whose information it has.
Ultimately, the ‘European Model’ views the personal data of individuals as their information, which they give to organisations and businesses on trust. The ‘data controllers’ must then live up to that trust by acting as careful and responsible stewards of that information, applying it in a manner that is consistent with the reasonable expectations of the ‘data subject.’ The key to compliance in the ‘European model’ is to recognise and exercise that stewardship in a way that builds and maintains that trust between you and your customers (or members).
Commentators  have referred to the EU Data Protection Directive as “one of the best articulated privacy laws in existence today.” Many countries (such as South Africa) are ‘localising’ these principles into their respective Data Privacy regulations.
As a discussion of the US Model requires a treatment of a number of pieces of legislation, the rest of this article will focus on the Information Quality aspects of Data Protection/Privacy from the European perspective, which is based on a single core set of principles and an over-arching legal framework. Readers from outside the EU  should consider how these principles may be reflected in their national laws and how the management of information quality may help them improve compliance with such regulations and, more importantly, protect the interests of their customers.
BASIC DATA PROTECTION PRINCIPLES AND INFORMATION QUALITY
As already mentioned, the European Model is based on a core set of basic principles, which in turn, are based on the European Charter of Human Rights. Much of the detail of the related Directives and other legislation in the EU is concerned with (a) ensuring that these principles are enforced, and (b) providing relatively transparent mechanisms to help organisations conduct business in a manner that is congruent with these principles.
Many of these principles either explicitly relate to data quality (e.g. the guidance information on these principles or national laws specifically mention data quality), or implicitly require organisations that capture and control ‘personal data’ to address information quality issues to ensure compliance with Data Protection principles.
The EU directive that forms the basis of Data Protection law in the EU (27 countries) clearly recognises Data Quality (their term) as a key component of Data Protection.
Basic Data Protection Principles
In Directive 95/46/EC  , Section I addresses “Principles Relating to Data Quality.” Under that heading, Principles 1, 2, 3 5, 6, and 7 outlined in the table below are described as being related to Data Quality.
(what should you do?)
What it means Expectation Context
Obtain and process the information fairly
Amongst other things, you need to identify who is collecting the information, what purpose it may be used for, and who it may be disclosed to (either specifically or as a ‘category’ or ‘class’ of discloses).
Keep it only for one or more specified and lawful purposes
You must have a clear purpose for capturing the information and that must be communicated. Collection of information on the basis that you’ll “figure out later what we’ll do with” is not acceptable
Process it only in ways compatible with the purposes for which it was given to you initially
You need to ‘walk the talk’. Using information for other purposes or ‘scope creep’ affects the expectations of the data subjects and could be a breach of their trust.
In practice, most organisations set broad purposes to avoid tying their hands
Keep it safe and secure
You need to protect personal data through appropriate policies and controls (e.g. encryption, password protection etc)
Keep it accurate and up to date
Are your clerical and computer procedures adequate to ensure high levels of data accuracy?
Has the general requirement to keep personal data up-to-date been fully examined?
Have appropriate procedures been installed to ensure that each data item is kept up-to-date?
Ensure that the information is accurate, relevant, and not excessive
Collecting information just because you can or because you “might need it later” or “might find a use for it” is not permitted. Collect only what you need for your stated purposes
Retain it for no longer than is necessary for the stated purposes
Do you have a data retention policy? How long do you hold onto personal data? Is that a reasonable period of time?
Give a copy of the information held by you relating to them to an individual when requested
Can you find all the information about a person that your organisation has?
Do you know where it is stored? Can you link it together?
To understand the Information Quality aspects of Data Protection/Privacy, I’ve mapped the principles above to the POSMAD Information Life Cycle Framework that forms part of Danette McGilvray’s methodology (see table below).
By mapping the Data Protection Principles to the POSMAD model in this manner, we begin to see clear IQ drivers and issues emerge; such issues affect the organisation’s ability to meet the expectations of the Data Protection Principles and adequately deliver on their duty as stewards of personal information provided to them on trust.
Plan Obtain Store/Share Maintain Apply Dispose
Examples of questions to ask yourself – (not an exhaustive list)
What information do I need to capture?
How will I get the data?
Where do I store the information?
What are my processes for Information Maintenance?
Are we using the info for the purposes we identified back in ‘PLAN’?
Do we have a data retention policy?
Why do I need to capture it?
How will I tell people about the “hows and whys” of this data capture?
Can I find it again?
How do we ensure information is kept up-to-date?
Do we work with our suppliers / data service providers (e.g. mailing houses) to ensure they have adequate procedures in place to protect the data we hold on trust?
Do we retain data?
What will I use it for?
What are my info gathering processes?
Do we have ‘disparate data’?
How do we correct errors in our information?
How do we dispose of old data?
Who will I share it with?
Can these processes capture complete, relevant and accurate information?
Have we considered data integrity in our storage?
Does our staff know we need to keep information accurate and up-to-date?
Does our data become ‘excessive’ over time even if it was appropriate when captured (do we prune for relevance?)
Why would I share it?
Might these processes create inaccurate or incorrect information?
Is it secure?
Do our metrics and processes support this?
Do protect copies of data on laptops etc.?
Is the amount of info I’m capturing too much for my needs or can its capture be justified?
Do we keep copies of data secure? (e.g. spreadsheets)
Can we find the information when we need it?
Is our data disposal secure?
Related Data Protection Principle
THE INFORMATION QUALITY AGENDA
Organisations must first know clearly what information they need to execute their business processes. Information that is not needed by those processes may be irrelevant and could pose a risk to compliance, especially when such data is not kept up-to-date or accurate because it is not part of a core business process execution.
The principles of Kaizen teach us that we should seek to eliminate waste in processes and increase efficiency. If you don’t have a purpose for the information, you are incurring costs to capture and store the data, while running the risk of non-compliance with Data Protection provisions.
TJMaxx apparently held information on customer drivers licences, etc., which was taken when their systems were hacked. Was the capture of that information excessive? Did they have a purpose for retaining it? The Irish Bank referred to in our introduction held loan and life assurance application information in an unencrypted form on laptops. Was that necessary? Was there an alternative way to obtain and apply the information in the operation of business processes?
Secondly, organisations need to think about how they get that information from people or about people to ensure that it is accurate and up-to-date. Issues such as form design on websites, definition of and operation of processes for getting information, and management of 3rd party suppliers of information are all relevant here.
Also relevant is the need to communicate to individuals what information you are capturing, and why and who you might share it with; all of which requires you to have given some thought to those issues and their implications in your organisation. For example, if you are buying information from a 3rd party, what Quality controls should you apply or should you expect your supplier to have applied to ensure the trustworthiness of the information?
Thirdly, organisations need to consider how they operate with that information. For example, if they are presenting information in call centers, do they provide call centre staff with processes and capabilities to update that information and correct errors? If they are delivering services over the web, do their customers have the ability to ‘self-serve’ and correct errors in personal information? Do the metrics used by the organisation support or defeat the Data Protection principles? Are staff measured on the right things? Are there metrics around the accuracy and frequency of validation of personal data in the organisation?
Finally, organisations need to consider Information Quality in its broadest context; the ability of information to meet or exceed the expectations of Knowledge workers and Information Consumers. If there is an expectation set by you with your customers that you will treat their information with respect and with appropriate levels of stewardship, then you must ensure that you can meet that expectation. Implementing appropriate planning, policies, and processes that ensure you capture information only for defined purposes, that you share it only in keeping with those purposes, and that your organisation can keep it safe, accurate, and up-to-date can help you meet the Data Protection principles in the ‘European Model.’
While the ‘European Model’ may appear onerous at first, it is based largely on common sense principles of stewardship, and aligns with many of the core principles of Information Quality. Its adoption as a template or benchmark in jurisdictions outside the EU evidences the effectiveness of the common sense principles of Data Protection. Each of these principles raises issues for Information Quality and effective Governance with the objective of ensuring that you maintain Information Assets about identifiable people in an appropriate manner.
Regardless of your organisation’s view of information as a Corporate Asset, it is helpful to recognize that you hold personal data about individuals on trust for them and have responsibilities to them to ensure adequate stewardship of that information.
This principle may require organisations to think differently about their information assets, but is an important foundation principle in Data Protection, with significant implications for Information Quality.
5 Example. Graham-Leach–Biley Act requires an annual ‘Privacy Statement’ for Financial Services customers, HIPPA raises requirements around Data Privacy, and the Video Rental Privacy Act raises privacy requirements around video rental habits and arose directly from the leaking to the media of the video rental habits of a Supreme Court nominee, Robert Bork, in 1987.
6 The Data Privacy model in Australia is similar to the US situation.
7 Olinger Hanno N., Britz, Johannes J., Olivier, Martin S., “Western privacy and/or Ubuntu? Some critical comments on the influences in the forthcoming data privacy bill in South Africa”, The International Information & Library Review, 2007, vol. 39, no1, pp. 31-43. (Note that the ‘Ubuntu’ referred to in the title is the original African concept of Social collaboration and not the popular Linux distribution).
8 Australian readers may be interested in the submissions by Electronic Frontiers Australia ( www.efa.org.au ) that the failure of current Australian legislation to meet standards equivalent to what I’ve termed the ‘European Model’ could jeopardise “opportunities for Australia to take its place in the global information economy” (http://www.efa.org.au/Issues/Privacy/privacy.html)
Copyright © 2008 Daragh O Brien
About the Author
Daragh O Brien is the Managing Director of Castlebridge Associates (http://castlebridge.ie), a leading Information Quality and Governance training and consulting company based in Ireland. Daragh has over a decade and a half of experience in IQ, DG, Data Protection/Privacy, and Regulatory Compliance roles on projects as diverse as CRM Single View (MDM) and Regulatory Compliance and Remediation. Current clients include organisations in National and Local Government, Education, Financial Services, Telecommunications, and Oil Distribution.
He is a Charter Member of the IAIDQ, an Information Quality Certified Professional (IQCPSM), a Certified Data Protection Practitioner, and a Fellow of the Irish Computer Society. Daragh has served on the IAIDQ’s Board of Directors and continues to lead the Irish CoP. He is a frequent speaker at conferences worldwide, and has written countless articles on Information Quality topics, as well as maintaining his personal blog (obriend.info) and the IAIDQ’s IQTrainwrecks blog (iqtrainwrecks.com). Daragh has also devised course modules in Information Quality and related disciplines for FETAC (Fetac.ie) and Dublin City University (DCU.ie).
His most recent publication, The Data Strategy and Governance Toolkit, provides a complete framework for developing an effective information management strategy.
He can be reached via email at daragh [dot] obrien [AT] iaidq [dot] org