Personal Data – an Asset we hold on Trust

There has been a bit of a scandal in Ireland with the discovery that Temple St Children’s Hospital has been retaining blood samples from children indefinitely without the consent of parents.

The story broke in the Sunday Times just after Christmas and has been picked up as a discussion point on sites such as Boards.ie. TJ McIntyre has also written about some of the legal issues raised by this.

Ultimately, at the heart of the issue is a fundamental matter of Data Protection Compliance and a failure to treat Personal Data (and Sensitive Personal Data at that) as an asset (something of value) that the Hospital held and holds on trust for the data subject. It is not the Hospital’s data. It is not the HSE’s data. It is my child’s data, and (as I’m of a certain age) probably my data and my wife’s data and my brothers’ data and my sisters-in-law’s data…

It’s of particular interest to me as I’m in the process of finishing off a tutorial course on Data Protection and Information Quality for a series of conferences at the end of February (if you are interested in coming, use the discount code “EARLYBIRD” up to the end of January to get a whopper of a discount). So many of the issues that this raises are to the front of my mind.

Rather than simply write another post about Data Protection issues, I’m going to approach this from the perspective of Information as an Asset which has a readily definable Life Cycle at various points in which key decisions should be taken by responsible and accountable people to ensure that the asset continues to have value.

Another aspect of how I’m going to discuss this is that, after over a decade working in Information Quality and Governance, I am a firm believer in the mantra: “Just because you can doesn’t mean you should”. I’m going to show how an Asset Life Cycle perspective can help you develop some robust structures to ensure your data is of high quality and you are less likely to fall foul of Data Protection issues.

And for anyone who thinks that Data Protection and Data Quality are unrelated issues, I direct you to the specific wording in the heading of Chapter 2, Section 1 of Directive 95/46/EC.

The Information Asset Life Cycle

Information, just like any other asset, has a life cycle through which it needs to be managed. Just because you can keep throwing files into a filing cabinet (or, in Data Protection terms, a “relevant filing system”) or hold it forever in electronic storage doesn’t mean you should.

[Figure: POSMAD model (thanks to Danette McGilvray), with some example questions which might be asked at each stage in the life cycle]

The key stages in the Information Asset Life Cycle are listed below, and are mapped to the 8 Data Protection Principles in the diagram opposite as well.

  • Plan
  • Obtain
  • Store and Share
  • Maintain
  • Apply
  • Dispose

The answers given to the questions asked at each of these stages affect the ability of the organisation to meet its obligations under the Data Protection Act, as can be seen by the mapping of DP Principles to POSMAD Life Cycle stages.

Just like any other asset, information needs to be managed.

When you are hiring new staff, you plan for what type of people you will need in your business. You’ll need to have strategies for obtaining those staff, planning in place for how to store them (offices, desks etc.). You will (ideally) want to maintain them (training, rewards and recognition, staff retention), and be sure you can Apply them to their job (right tools, adequate resources etc.). Inevitably, you are also going to have to have answers to the question of what you will do with your staff when you no longer need them and need to dispose of them (retirement, redundancy, etc.).

With Information, you need to Plan what type of data you will be capturing and why, and who you’ll share it with. You’ll need to define policies and methods for obtaining that data (e.g. standardised testing protocols such as the Guthrie Card and the structured information captured on hospital test request forms). You’ll need to plan how that data will be stored and shared so it can be found when needed, and can be readily linked to other data etc. You’ll need to give some consideration to how you will maintain that data (e.g. keeping personal data up to date for as long as you are holding it), and you’ll need to have a clear plan and protocol for how to dispose of the data when it is no longer needed.

Note that in this context, disposal does not necessarily mean the destruction of the data. It could simply be a process or policy that defines when data has become “excessive” and mandates the anonymising of all the data to a level suitable for statistical reporting and study but that is no longer “personal data” in the meaning of the Data Protection Acts.

Of course, just as you have measures that help you track and manage the effectiveness with which you are managing other assets (e.g. tracking equipment services and outage statistics for office equipment or purchase volumes for stationery and paper clips), you should ideally look to develop some metrics that help you know how well you are answering the various questions at each stage in the Information Asset Life Cycle.

Finally, you need to bear in mind that the Data Protection Acts now cover personal data held in formats other than electronic files. So paper-based data (e.g. patient information associated with a Guthrie Card) is protected by the Data Protection Act when it is held in a “Relevant Filing System”. So your paper filing needs to bear up to the scrutiny of the Information Asset Life Cycle.

The Temple Street Situation

What appears to have happened in the Temple St situation is that there was a failure to properly plan for the management of a key information asset.

  • While there was a plan to provide a national scheme for testing, some key questions were not asked at the planning stage. As a result, the answers are not necessarily forthcoming to parents when faced with the test.
    [Image: A Data Protection notice from Aldi showing the reasons for which CCTV is being captured (its use), who it will be disclosed to, and who the Data Controller is and how to contact them. Caption: Good Data Protection requires Planning]

    For example, parents do not always know that the test is being done in Temple St. Certainly, parents were not aware that the data was to be held indefinitely. Ultimately, if Aldi (see image) are able to tell me what my personal data (CCTV images) is to be used for and who I can contact if I have a query, then the HSE and its sub-division and constituent hospitals should have been able to do the same.

  • There appears to have been no thought given to the conditions or criteria for reasonable disposal (either outright disposal or anonymising) of the data. This gave rise to a situation where a Data Protection breach was inevitable.
  • Parents (acting as legal guardians of their children) were not given the opportunity to opt in or opt out of being part of further scientific research using the blood samples taken from children.
  • Likewise, children and adults (and the DPA does not require someone to be an adult to be protected) who have data on file in Temple St. do not appear to have a clear mechanism available whereby they can request that their data be blocked from use in processes other than that for which it was initially provided. (I’ve looked at the list of Data Controllers and Data Processors registered with the Data Protection Commissioner and Temple St. doesn’t seem to be listed in its own right but is listed as the “Children’s University Hospital”, and it’s not immediately clear from the register whether HSE Dublin North East or Dublin Mid-Leinster covers Temple St.) [Thanks to Hugh Jones, the lead trainer on the Irish Computer Society’s Data Protection course, for the correction]
  • The personal data attached to the blood samples will, in a large number of cases, be woefully out of date and inaccurate – in itself a breach of the Data Protection Act – as there is likely no process to keep that data up to date. If the data is not being maintained, it is not needed and is excessive to the stated purposes for which it is being used. If the personal data (e.g. name and address) on samples that are 26 years old is being used for specific purposes, then one would suggest that any action taken on foot of such analysis is likely to be wrong.

A number of commenters on Boards.ie and elsewhere have commented to the effect that the personal data could be excised out when the blood test data or samples were being used. That misses the fundamental point. There is a point in time beyond which having my daughter’s name and address ceases to have an actionable value in any analysis of blood tests taken from her. If you don’t need it, then the data you are holding is excessive (in the meaning of the DPA and the EU Data Protection Directives) and should be permanently removed. Aggregation of samples into clusters based on geographic region would likely allow for data sets suitable for scientific and statistical analysis.

But then we are right back to the Plan stage of the POSMAD model. What was intended to be done with this data? What are the stated purposes for which it is being captured? At what point does the data become excessive for those purposes? What is the plan to dispose of the excessive data (while retaining data appropriate to the stated purposes)?

Conclusion

Information is an Asset. It needs to be managed and protected as such. Adopting an Asset Life Cycle approach to planning, with your Data Protection Duties forming the basis for your Key Questions, can help your organisation properly plan to manage your Asset in a compliant manner. Furthermore, the Data Protection rules are enablers rather than restrictions, as they provide a clear framework within which you can manage the expectations and worries of Data Subjects so that you get better up-take and happy and informed consent to you having the relevant data for as long as you plan to need it.

A key message coming from “DPA-Aware” bloggers affected by this issue is that if they had been asked if they minded anonymised data being held for research purposes they would not necessarily have objected. Investing time in planning and in valuing the Personal Data Asset which the HSE holds on Trust for the affected Data Subjects (they don’t own it) would have avoided the negative reaction and push back from rightly concerned parents and Civil Rights groups.
