Fine Gael’s website: some thoughts

It looks like there’s been some rework done on the FG website to address Data Protection concerns.

This good and is to be commended. It is also in line with how the Data Protection Commissioner works with organisations who have compliance issues.  However, issues did exist prior to yesterday which will continue to present challenges to FG regarding their compliance with the Data Protection Acts.

Here’s a screen shot I took yesterday

finegael 2011 screenshot 7th Jan 2011

Screenshot of FG website on 7th January

It is a bit small to read in the image, but the tick boxes on the site (after you submit your personal data) have the following text beside them:

  • I agree to receive campaign messages on my mobile telephone
  • I agree to share my comments on the website.

So, if you posted a comment prior to yesterday, the only communication you could provide any consent to was an SMS. If you found you had been added to a mailing list the data had not been fairly obtained (you didn’t know you were going to be getting emails) and any processing of your personal data to send you an email is technically a breach of  S.2 of the Data Protection Acts.

Given that a number of people apparently complained to the Data Protection Commissioner about getting unsolicited emails when they had posted comments the website is changed as of this morning with a very subtle edit to the wording of the text next to the first tick box…

I agree to receive campaign messages from Fine Gael.

… is what your choice is now when you post your comment. That is a broader statement that does now permit FG to email you (and potentially SMS you as well) with their campaign messages if you don’t ensure that you uncheck the box. Please note that this is an OPT OUT of their mailing list, not an OPT IN.

So, one compliance issue addressed. Of course, that leaves the question as to what they will do with the emails they captured prior to yesterday which cannot be used as it is unclear if the person has opted in or out of the use of their email address for campaign mailings. This is one of those areas where Data Protection and Information Quality overlap – where the meaning of a flag in the database changes at a point in time and the interpretation of that flag can have significant regulatory and compliance impacts.

I encountered this when running data migrations in a telco many years ago. The billing system had a flag “Junk Mail”, which allowed a “Yes” or a “No”. The problem was that there was no agreement on whether “Junk Mail =Y” meant people wanted junk mail or “Junk Mail = N” meant people wanted junk mail – the meaning of the value had been lost in the mist of time and the absence of formal documentation about the processes.

Suggestion: FG should use the date stamp (that they hopefully have) in their database to exclude any email address created on their database prior to January 8th from any email messages… just to be on the safe side. And as they don’t have a use for that data (they can’t email people) they would  be required under the Data Protection Acts to get rid of it they can’t hold data for longer than they have a legitimate purpose for it.

The Privacy Statement

I’ve written a few times over on the company site about the need for Privacy Statements to actually reflect the reality of what is happening with personal data that you are obtaining and the balance that needs to be struck by Data Controllers.

Fine Gael Privacy Statement Screenshot

Screenshot of FG2011.com Privacy Statement

FG finally got around to putting up a Privacy Statement on their website late in the day yesterday (check the image above… its’ not there in the morning when I took the screen grab). They copied the privacy statement from their old website, which was accessible yesterday (along with all their policies etc.) at http://finegael.org but appears to have gone away as the screenshot from today below shows. Perhaps their web sites have moved (for security reasons, as FG say in today’s Irish Times).

Screenshot of finegael.org backup site as of 8th Jan 2011 14:14

Finegael.org - Gone away?

While they have a link and can tick the box about having a Privacy Statement, in my personal view they get 10 out 10 for effort, but fail the test of whether that Privacy Statement actually reflects what they are doing in reality.

The first test is failed in the very first paragraph which says that

Visitors can use most of the site without being personally identified by Fine Gael.

OK. If by “Use” you mean “Sit and Read” then that is a correct statement. But if you want to engage with any of the primary functions of the site (like having your voice heard, telling them your opinions and complaints, all the good and wholesome stuff that Enda is inviting us to do) then you HAVE to provide them with personally identifying information. And in some cases that information can end up being quite granular. For example, if I was to put in my name and village I live in I would be uniquely identifiable as I’m the only person of that name in that village.

The fact that the Privacy Statement doesn’t address many of the specific  points that the Data Protection Commissioner and the legislation actually require to be addressed in a Privacy Statement is another key issue.

Compare the Fine Gael Privacy Statement (or Fianna Fail’s) to the equivalent statements on websites from UK political parties:

The UK Greens (like their Irish counterparts) don’t have a Privacy Statement on their website.

Given that FG have moved to new servers, with a website with new functionality and new purposes for personal data at the very least they should have reviewed their Privacy Statement to make sure it is still valid.

Indeed, that type of regular review is a recommendation of the Data Protection Commissioner and is a requirement of the BS10012:2009 standard for Personal Information Management Systems.

Suggestion: FG should review their Privacy Statement to make sure it actually matches what is actually going on. This should form part of their regular and on-going governance of data to ensure compliance.

Some Thoughts

Fine Gael seem to have made significant efforts in the past day or so to address a problem that earlier in the week they didn’t want to engage with. Indeed, up to yesterday morning they were telling TheJournal.ie that they “weren’t interested“. In that context, the steps that they have taken are a laudable effort.

But if they had actually taken the time to plan and build their Data Protection obligations into their new processes and website and ensure that they were demonstrably in compliance with the legislation before launching their site then this story would never have existed for anyone to be interested in at all!

The lesson that needs to be learned from the Fine Gael experience is that it is always far better to design privacy and data protection concerns into systems and processes rather than having to inspect out defects and errors. Just like with any quality process, if you don’t design quality in you will inevitably find yourself having to fire-fight issues in crisis mode, which means that you will almost always miss something else.

Privacy by Design is a key concept in Data Protection circles. The fact that the Data Protection Acts create a Duty of Care, then care should be taken when embarking on the processing of personal data to ensure that you understand that Duty of Care and how to meet the associated Standard of Care.

Not do so means you risk regulatory penalties, litigation (where there is damage suffered as a result of the breach of the Data Protection rules), and damage to your brand and commercial reputation. Regulatory penalties can be paid, court cases can be settled, but the media coverage and comment on your brand, particularly in the age of Twitter, blogging and Google will have a half-life all of its own.

A lawyer friend of mine often tells people:

There’s only one thing worse than being sued and losing, and that’s being sued and winning. Because no one will remember that you won! It’s always better to avoid being sued in the first place.

Red Herrings, Hosting, and Data Protection

I’ve written a new post over on my business website that looks at some of the issues that have been raised by TheJournal.ie in an article today. I won’t rehash the whole thing here – please follow the link to read the full post on the other site.

Suffice it to say, there is a big difference between compliance with EU legislation and taking business decisions based on patriotic motives or a desire to “buy Irish”.

The fact that various parties have their sites hosted in the UK is not a compliance issue per se – the UK is still in the EU and has equivalent legislation to us based on the same root Directive. Norway is a member of the EEA and as such has legislation that is derived from the same Directive as underpins our Data Protection laws (I may be the only person in the country who has actually READ the Norwegian Data Protection Act… it’s very similar in intent and execution to our own law).

A big issue is hosting personal data, including sensitive personal data outside the EU or EEA or other “Safe Country” without any apparent controls in place, such as using a Data Processor who is registered with Safe Harbor and ensuring you have a written contract in place.

It is extremely wrong for anyone to claim that hosts don’t have to comply with the Data Protection legislation. They do. As Data Processors, their obligations are not as extensive as those owed by Data Controllers, but the relationship between the Data Controller and the Data Processor is critical to the end-to -end governance of Data Protection obligations.

New Data Protection post over on the company site

I’ve just written a new article over on the company website about Director’s liability for data security breaches. An expert in the Sunday Business Post over the weekend was waving a big stick at Company Directors saying that they could become liable for prosecution for security breaches if Ireland transposes the Convention on Cybercrime into law.

But this expert missed the important points of Section 29 of the Data Protection Acts 1988 and 2003 which create effectively a cascading liability for the  directors, officers, managers, and employees of an organisation that is processing personal data.

Check out my post here:

Bruce Schneier on Privacy

Via the Twitters I came across this absolutely brilliant video of Bruce Schneier talking about data privacy (that’s the American for Data Protection). Bruce makes some great points.

One of the key points that overlaps between Data Protection and Information Quality is where he tells us that

Data is the pollution problem of the Information Age.  It stays around, it has to dealt with and its secondary uses are what concerns us. Just as… … we look back at the the beginning of the previous century and sort of marvel at how the titans of industry in the rush to build the industrial age would ignore pollution, I think… … we will be judged by our grandchildren and great-grandchildren by how well we dealt with data, with individuals and their relationships to their data, in the information society.

This echoes the Peter Drucker comment that I reference constantly in talks and with clients of my company where Drucker said that

So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.  The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

Bruce raises a number of other great points, such as how as a species we haven’t adapted to what is technically possible and the complexity of control is the challenge for the individual, with younger people having to make increasingly complex and informed decisions about their privacy and what data they put where and why (back to meaning and purpose).

I really like his points on the legal economics of Information and Data. In college I really enjoyed my “Economics of Law” courses and I tend to look at legalistic problems through an economic prism (after all, the law is just another balancing mechanism for human conduct). I like them so much I’m going to park my thoughts on them for another post.

But, to return to Bruce’s point that Data is the pollution problem of the Information age, I believe that that statement is horribly true whether we consider data privacy/protection or Information Quality. How much of the crud data that clutters up organisations and sucks resources away from the bottom line is essentially the toxic slag of inefficient and “environmentally unfriendly” processes and business models? How much of that toxic waste is being buried and ignored rather than cleaned up or disposed of with care?

Is Information Quality Management a “Green” industry flying under a different flag?

The Who/What/How and Why

Data protection and Information Quality are linked in a number of ways. At one level, the EU Directive on Data Protection (95/46/EC) describes the underlying fundamental principles of Data Protection as “Principles for Data Quality”.
While that is great pub quiz content, it helps to be able to make some more pragmatic and practical links as well.
On a project a while ago, I was asked to help a client ensure that certain business processes they were putting in place with a partner organisation were data protection compliant. They’d been asked to do this by the partner organisation’s lawyers.
I leaped into action, assuming that this would be an easy few days of billable. After all, all I needed to know was what data the partner organisation needed when and why to document some recommendations for my client on how to build a transparent and compliant set of policies and procedures for data protection.

Unfortunately the partner organisation seemed to lack an understanding of the what’s, why’s, when’s, and how’s of their data. This was perplexing as, nice and all as a blank canvas is, sometimes you need to have a sense of the landscape to draw your conclusions against.
The engagement I had from the partner organisation was focussed on their need to be able to take certain steps if certain circumstances came to pass. While the focus on the goal was commendable, it served to generate tunnel vision on the part of the partner that put a significantly valuable project at risk.
Goals and objectives (why) are all well and good. But Knowledge Workers need to be able to link these to processes (how) and information needs (what). Deming famously said that if you can’t describe what you are doing as a process then you don’t know what you are doing. I’d go further and say that if you can’t identify the data and information you need to do what you are doing then you can’t be doing it- at least not without massively increased costs and risks (particularly of non-compliance with regulations).
In the end I made some assumptions about the what’s and how’s of the partner organisation’s processes in order to meet the goal that they had focussed on so narrowly.
That enabled me to map out an approach to data protection compliance based on a “minimum necessary” principle. And that got my client and their partner over the hump.
But, from an information quality perspective, not being able to answer the why/why/how questions means you can’t set meaningful measures of “fitness for purpose”. If you don’t know what facts are needed you don’t know if information is missing. if you don’t know what use data will be put to you can’t possibly tell if it is accurate enough.

So, both Data Protection and Information Quality require people to know the what/why/how questions about their information to allow any meaningful outcome to ensue. If you can’t answer those questions you simply cannot be doing business.
To paraphrase Deming – we need to work on our processes, not their outcome.

Putting Teeth In the Tiger

This post was originally published in August 2010 on the Irish Computer Society’s Data Protection Blog. I’ve copied it to here as it is my work and I want to put all my Data Protection musings in one place. Please feel free to go and look at it on the ICS site as well.

The Information Commissioner’s office in the UK has recently flagged their lack of powers to the European Commission. This is slightly amusing for those of us working under the Irish data protection regime, who look at the powers that the UK ICO have to levy penalties for breaches of the UK Data Protection Act, compared to the relatively limited powers of the Irish Data Protection Commissioner to issue Enforcement or Prohibition Notices and only to take prosecutions for breaches of the e-privacy regulations.

Of course, the Irish Commissioner does have the power since the 2003 Act to conduct audits and investigations on their own account (i.e. not on foot of an actual complaint). The UK ICO has limited powers by comparison. Likewise, they lack an equivalent Data Breach provisions that the Irish Data Protection  Commissioner introduced last month (but there are plans to do so in the UK soon).

There is a new draft Data Protection Directive in the pipeline (albeit stalled at the request of the French to allow sufficient time for effective consultation). Just as Directive 95/46/EC (the root of Ireland’s 2003 Data Protection Amendment Act) was introduced to address divergences in the implementation of the previous Convention on Data Privacy (Convention 108), it is likely that this revised directive will seek to address some of the remaining areas of divergence in national laws which implement Directive 95/45/EC.  One area which is likely to be addressed will be the nature and type of penalties which will be applicable to various categories of breach.

The drafting of the revised Directive has been delayed. Even when the Directive comes into being, the Irish Government’s track record in implementing Data Protection regulations in a timely manner has been less than impressive. So it may well be that, from point of view of EU mandated changes, we could be in for a long wait.

However there is a significant elephant in the room. The State needs to balance the books. The two traditional levers which can be pulled by the State are either Taxation or reductions in spending. Both of these levers are politically difficult to pull. Increasing taxes creates resistance and revolution  (increases in taxation historically trigger revolutions – particularly taxes on property or on the middle classes). Cutting spending likewise creates resistance and exacerbates social disadvantage (in many cases undoing valuable work previously done using tax euros).

Both of these are the items on the current agenda.

Of course, there is a third lever which can be used to generate revenue for the State and which can (at least in the short to medium term) bring about a change in behaviour. That third lever is the levying of fines and penalties. While this lever may not contribute as quickly or substantially to balancing the books, it would be remiss of the government to overlook any potential source of revenue at this time. And as this revenue is being generated on foot of behaviour which is illegal, under legislation which has been in existence for a number of years, and (unlike a tax) it can be avoided by simply taking the necessary steps to comply with the legislation.

The introduction of such penalties would require a minor amendment to the existing legislation.

So, given that there are indications emerging which suggest upcoming changes to standardise the types of penalty which will apply to breaches of the Data Protection regulations across the EU27 States, and that the State has an increasingly urgent need to generate revenue, I would not be surprised if we were to see some changes in the Data Protection legislation in Ireland sooner rather than later which would introduce some penalties which will put some additional teeth in the Data Protection Commissioner’s enforcement powers.

But this is only a worry for anyone who isn’t complying with the Data Protection Acts. The prudent course of action for anyone processing personal data would be to make sure that they get their house in order ahead of any potential changes, either emerging from Europe or from the Government’s need to claw in as much income as possible.

Profound Profiling

Over the past few weeks at a number of events and speaking engagements I’ve found myself talking about the multifaceted benefits of Data Profiling from the perspectives of:

  • Complying with EU Data Protection regulations
  • Ensuring Data Migrations actually succeed
  • Enabling timely reporting of Regulatory risks

My mantra in these contexts seems to be distilling down to two bald statements:

  • It’s the Information, Stupid.
  • Profile early, profile often.

But what do I mean by “Data Profiling”? For the purposes of these conversations, I defined “Data Profiling” as being the analysis of the structure and content of  a data set against some pre-defined business rules and expectations. For example, we may want to know how many (or what percentage) of records in a data set are missing key data, or how many have inconsistencies in the data, or how many potential duplicates  there are in the data.

Why is this of benefit? While a journey of a 1000 miles starts with a single step, that journey must start from somewhere and be headed somewhere. The destination is encapsulated in the expected business rule outcomes and expectations. These outcomes and expectations are often defined by external factors such as Regulatory requirements (e.g. the need to keep information up to date under EU Data Protection principles, or the need to track bank accounts of minors in AML processes) or the strategic objectives of the organisation. The starting point is, therefore, a snapshot of how close you are (or how far you are) from your destination.

In my conversations, I advised people (none of whom were overly familiar with Information Quality principles or tools) that they should consider investing in a tool that allows them to build and edit and maintain Data Profiling rules and run them automatically. Regular Information Quality geeks will probably guess that the next thing I told them was about  how the profile snapshots could provide a very clear dashboard of how things are in the State of Data in their organisations.

Just as, when we are embarking on our journey of 1000 miles, it makes sense for us to regularly check our map against the landmarks to make sure we are heading in the right direction. The alternative is to meander down cul de sacs and dead end trails. Which equates in Information Management terms to wasted investment and scrap and rework. So, profile early and profile often seems to be a good philosophy to live by.

By applying  business rules that relate to your regulatory compliance, risk management, or data migration objectives, you can make Information Quality directly relevant to the goals of the organisation, increasing the likelihood of any changes you bring in becoming “part of the way things get done around here” rather than “yet another darned thing we have to do”.  Quality for the sake of quality was a luxury even in the pre-recession period. In today’s economy it is more important than ever to demonstrate clear value.

And that is the real profoundity of profiling. Without it you can’t actually know the true value of your Information Asset or determine if your current course of action might turn your Asset into a Liability.

It’s the Information, Stupid. So Profile Early and Profile Often.

For the want of a nudie pen Tom Happens is exposed

One of the most popular presenters on one of the most popular radio stations in Ireland recently launched a great idea – a loyalty card for his listeners. This card seems to be the replacement for his previous gimmick, a “Nudie Pen”.

Visit the radio station website (NewsTalk.ie, tell them your name, your address, your email address, your 3 favourite bands and your favourite foods and a piece of plastic featuring a picture of the host will wend its way to your door.

Simple.

At least it is unless you step back and think about the process from the point of view of Data Protection principles.

Personal data must be obtained and processed fairly for specific purposes. What are the purposes for which NewsTalk wants my personal data? If it is just to send me a card then we walk right into another issue – information gathered should not be excessive to that purpose.

So, if you are just sending me a card, why do you need to know my music and food preferences?

Sensitive personal data, such as data pertaining to medical conditions or political beliefs or ethnic origins is treated with more seriousness under the Data Protection Act. So, depending on the responses to those questions about music and favourite foods, sensitive personal data could be being processed.

The explanation of the loyalty card scheme that is on the NewsTalk website is great and in keeping with the light hearted nature of Tom’s show. However it doesn’t go far enough in explaining or setting out the purposes for which the data is being captured.

Other issues arise as a result of processing personal data via a website, such as the legal requirement to have a privacy policy displayed on the site and the data protection requirements of keeping the data safe and secure and only keeping it for as long as it is needed for the specified purpose. I’ll explore these in later posts.

It is all too easy to fall foul of the simple rules that exist to ensure trust and transparency in how personal data can be processed. Prior planning can ensure that Compliance is an enabler of business and customer interaction rather than a nagging fear of being caught dragging at your actions.

Taking out your Nudie Pen and mapping out what your information objectives, purposes, etc. are (see this tutorial on my company website for an example) is time well spent to make sure you aren’t creating a rod to beat yourself with. Using your Nudie pen to sign up for some Data Protection Training (such as that offered by the Irish Computer Society or my company) would also be a worthwhile step, particularly given the Data Protection Commissioner’s recent findings on the need for the management teams in businesses to be aware of the Data Protection implications of their actions.

Information Quality – Do we have an app for that?

A few weeks back I got a new iphone. I’d resisted for years, enjoying the pleasures of Nokia and Symbian and the challenges of Palm and Windows Mobile 6.1.

The fun part for me of any new mobile phone purchase is playing with the new toy  tool and seeing what it can do that my old one couldn’t. For example, back in the 1990s when I did my first upgrade from my first mobile phone (an ericsson model so old that I actually can’t find it referenced on the internet), I found that the new phone was so much smaller and lighter I was actually able to carry it around.

The irritation I have is when it comes to moving my contacts and synchronising with my various other technologies that hold contact details (laptop, gmail, company address book). Inevitably I wind up with duplication and triplication of contacts. I thought I had the problem licked on the iphone though as there are a number of apps available for managing contact details and reducing duplicates.

However, having spent a few days using them I am unimpressed as they seem to be making a the traditional rookie mistake in de-duping records – assuming that name matching is enough.

My brother and father share a given name and a family name. They have different middle initials, different addresses, different phone numbers, different email addresses (all the stuff that you would have in a contact record on your phone). Each application I tried decided that they were a duplicate entry and merged the records. This was annoying.

In other cases, I have duplicate entries with varying degrees of record completeness. For example, my friend Cathal exists at least 4 times, with one entry having most of his contact details,  with spurious email addresses or social networking nicknames in the others.  The “data quality tool” very kindly merged all the records into the entry that had the least amount of data, and deleting the other records.

Right now I’m considering firing up talend, datanomic, or informatica tools to dedupe a dump from my iphone and reload it to the phone, and then hopefully that will cascade through the rest of my data stores when I synchronise.

But I’ll need to draw a data flow map of all of that to make sure.

Grrrrhhh.

So. If the existing tools for data quality on the iphone are not up to the jobs, what is missing? The good news is that the data sets are fairly clearly structured (once they get into the iphone), so that is less of a concern than the actual processing of matching and consolidation of records.

  1. Probability scoring across multiple fields would be nice. If two people have the same name but significantly different contact details then it is very probable they are not the same person. A corollary – if there are two records with the same name and one has contact information and the other record has only a name, chances are they are duplicates.
  2. Presentation of matches for review. While the machine can make good guesses where the name and contact details are the same, where there is confusion, the matches should be flagged for a review by the phone user (the “Data Controller”). This way we can avoid having to unpick erroneous matches.
  3. Merging of records should be done on a more structured basis, with mapping of fields being user-customisable based on a standard template. I despair of important contact information being dumped into a notes field (it reminds me too much of when I had to try and migrate data out of a Siebel call centre system a few years ago).
  4. The matching should be able to cater for multi-lingual input (as phones don’t all live and work in english speaking lands).

There may be other requirements that I am not thinking of here at the moment, but those 4 are a starting point. Perhaps an obliging Data Quality tool vendor will develop an iphone app to a web service for matching contact records.

Personally, I think that having such a service available would help raise awareness of the value of quality non-duplicated contact information to individuals and to organisations.  However, the app on its own isn’t enough as the average smart-phone user may have personal information held in a variety of places and, just like in a large enterprise with lots of data stores, creating a “Single View of Contact” will require you to understand the flow of your contact information around your tools (i.e. does the phone update the laptop and does the laptop synch to google apps and does google apps synch to the phone?) to avoid the cleanup work being undone the next time you plug your phone into your PC.

Information Quality Management poses challenges for the enterprise, but can also create friction for the individual trying to manage something as simple as a list of contacts across multiple information stores.

Do we have an app for that?

Sometimes it is the simplest things…

Yesterday I took some time out from work to help hang some new light fittings at home. Our local handyman/neighbour was doing the hard work as my wife has seen enough of my father’s DIY exploits to have put an embargo on me even looking sideways at power tools.

The estimated duration of the job was to be about 45 minutes to an hour to hang three fittings. The first two fittings went up in about 20 minutes. The final one, that took us about 4 hours (and as of this morning still isn’t finished. We hadn’t factored on the “creativity” of the electricians who installed the original wiring.

When we opened up the existing light fitting in the living room we were faced with a spaghetti junction of cables. When we wired them into the new light fitting, the light went on but the switch wasn’t controlling it. It seemed we’d wired the light into a loop going somewhere else. We were faced with 5 live wires which had been going into 4 connectors on a connector block. So we had to then test each of the possible live/neutral combinations in turn to find the ones that actually related to the switch (which necessitated our handyman/neighbour having to play with live 240 volt electricity, which is never a good idea).

When we traced the correct cable pair I did a very simple thing. I dug out my label maker and put a label on the cables that related to the lighting circuit in that room. It struck me that that 30 seconds of effort was something that the electrician who wired the house could have easily done when they were installing the cables, making life simpler for him (or her) and for anyone who came after.

We wired everything up and fitted it up for a quick test before finishing the job. I turned the power back on.

Then there was a loud bang and the power went out.

It turned out that there was a break in the live wire we’d just labelled (the important one for the task at hand) slightly further up the cable from where the label was which had pierced through the insulation and come into contact with the metal mounting plate for the light fitting.

As a result, the magic smoke had escaped from the circuit breaker and the light switch.

What had ensued for my neighbourhood handyman and I was instead frustration as  a task which should have taken a half hour stretching into nearly six hours (over 2 days) and additional expense (to the handyman) in replacing the blown components.

To put it another way, for the want of €0.15 of labelling on the part of the original vendor to identify the attributes of the various wires we found (such as “this one runs the lights”), I expended a full half-day of work and the handyman was unavailable for other jobs which would have paid him a lot more than the rate we’d struck for fitting the lights – and that was before the additional cost and complication of having to go to the electrical wholesalers this morning to buy replacement parts and fit them as well.

It struck me that this is a situation we encounter on a regular basis with the information assets of an organisation.

Very often the important data for a given process in a given area is not clearly identified. Management say “give us everything and we’ll figure it out” and call centre screens and web-forms are cluttered with a variety of information capture points.

A failure to understand (or label) the purpose of that information, where it comes from and where it goes to, and its critical path in the business can result in undesired outcomes as soon as anything starts to change in the business, business processes, or technology platform (such as replacing your front end systems with a new one, the nearest analogy I can think of for changing a light fitting).

This results in expended effort on scrap and rework trying to get the blasted thing to work right with the desired outcomes (such as throwing illumination on a problem), and quite often can result in a critical information path way being blown and needing replacement or an internal control process in the business stopping a process.

Of course, things can often be worse in the Information Quality space where the internal controls on quality may not function as efficiently as a circuit breaker and a light switch which have planned failure built in to them to isolate the end user from the dangers of domestic electricity supply. When controls like circuit breakers fail, the results can be… shocking.

Sometimes it is the simplest things that are important, such as knowing what wires relate to the circuit you are fitting a light into, or what items of information are actually critical to the success or failure of a process (both the immediate process and down stream -remember  there were 4 other live wires relating to other circuits that had to be dealt with as well) is a key contributor to the success or failure of any change effort.

What controls do you have to protect your business knowledge workers from the dangers of a high voltage low quality information? Are the mission critical data in your organisation clearly labelled?