The DOBlog

Category: The Business of Information

  • New Data Protection post over on the company site

    I’ve just written a new article over on the company website about Director’s liability for data security breaches. An expert in the Sunday Business Post over the weekend was waving a big stick at Company Directors saying that they could become liable for prosecution for security breaches if Ireland transposes the Convention on Cybercrime into law.

    But this expert missed the important points of Section 29 of the Data Protection Acts 1988 and 2003 which create effectively a cascading liability for the  directors, officers, managers, and employees of an organisation that is processing personal data.

    Check out my post here:

  • Bruce Schneier on Privacy

    Via the Twitters I came across this absolutely brilliant video of Bruce Schneier talking about data privacy (that’s the American for Data Protection). Bruce makes some great points.

    One of the key points that overlaps between Data Protection and Information Quality is where he tells us that

    Data is the pollution problem of the Information Age.  It stays around, it has to dealt with and its secondary uses are what concerns us. Just as… … we look back at the the beginning of the previous century and sort of marvel at how the titans of industry in the rush to build the industrial age would ignore pollution, I think… … we will be judged by our grandchildren and great-grandchildren by how well we dealt with data, with individuals and their relationships to their data, in the information society.

    This echoes the Peter Drucker comment that I reference constantly in talks and with clients of my company where Drucker said that

    So far, for 50 years, the information revolution has centered on data—their collection, storage, transmission, analysis, and presentation. It has centered on the “T” in IT.  The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?

    Bruce raises a number of other great points, such as how as a species we haven’t adapted to what is technically possible and the complexity of control is the challenge for the individual, with younger people having to make increasingly complex and informed decisions about their privacy and what data they put where and why (back to meaning and purpose).

    I really like his points on the legal economics of Information and Data. In college I really enjoyed my “Economics of Law” courses and I tend to look at legalistic problems through an economic prism (after all, the law is just another balancing mechanism for human conduct). I like them so much I’m going to park my thoughts on them for another post.

    But, to return to Bruce’s point that Data is the pollution problem of the Information age, I believe that that statement is horribly true whether we consider data privacy/protection or Information Quality. How much of the crud data that clutters up organisations and sucks resources away from the bottom line is essentially the toxic slag of inefficient and “environmentally unfriendly” processes and business models? How much of that toxic waste is being buried and ignored rather than cleaned up or disposed of with care?

    Is Information Quality Management a “Green” industry flying under a different flag?

  • The Who/What/How and Why

    Data protection and Information Quality are linked in a number of ways. At one level, the EU Directive on Data Protection (95/46/EC) describes the underlying fundamental principles of Data Protection as “Principles for Data Quality”.
    While that is great pub quiz content, it helps to be able to make some more pragmatic and practical links as well.
    On a project a while ago, I was asked to help a client ensure that certain business processes they were putting in place with a partner organisation were data protection compliant. They’d been asked to do this by the partner organisation’s lawyers.
    I leaped into action, assuming that this would be an easy few days of billable. After all, all I needed to know was what data the partner organisation needed when and why to document some recommendations for my client on how to build a transparent and compliant set of policies and procedures for data protection.

    Unfortunately the partner organisation seemed to lack an understanding of the what’s, why’s, when’s, and how’s of their data. This was perplexing as, nice and all as a blank canvas is, sometimes you need to have a sense of the landscape to draw your conclusions against.
    The engagement I had from the partner organisation was focussed on their need to be able to take certain steps if certain circumstances came to pass. While the focus on the goal was commendable, it served to generate tunnel vision on the part of the partner that put a significantly valuable project at risk.
    Goals and objectives (why) are all well and good. But Knowledge Workers need to be able to link these to processes (how) and information needs (what). Deming famously said that if you can’t describe what you are doing as a process then you don’t know what you are doing. I’d go further and say that if you can’t identify the data and information you need to do what you are doing then you can’t be doing it- at least not without massively increased costs and risks (particularly of non-compliance with regulations).
    In the end I made some assumptions about the what’s and how’s of the partner organisation’s processes in order to meet the goal that they had focussed on so narrowly.
    That enabled me to map out an approach to data protection compliance based on a “minimum necessary” principle. And that got my client and their partner over the hump.
    But, from an information quality perspective, not being able to answer the why/why/how questions means you can’t set meaningful measures of “fitness for purpose”. If you don’t know what facts are needed you don’t know if information is missing. if you don’t know what use data will be put to you can’t possibly tell if it is accurate enough.

    So, both Data Protection and Information Quality require people to know the what/why/how questions about their information to allow any meaningful outcome to ensue. If you can’t answer those questions you simply cannot be doing business.
    To paraphrase Deming – we need to work on our processes, not their outcome.

  • John Gormley, Commercial motor tax, and Data Protection Penalties

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection blog. It has been republished here as it is my original work and I’m trying to get all my Data Protection musings in one place. Some links have been updated to point to different targets here and on my company’s website.

    I listened with interest this morning to the media coverage of how John Gormley was introducing a new tax on commercial vehicles. My interest was twofold. My wife used to work in the Motor Tax section of a local authority. She left there nearly 4 years ago. Even then drivers of light commercial vehicles had to sign a declaration that the vehicle was for commercial purposes and not for private use. Back then, she used to have private motorists trying to register their large 4x4s as commercial to avoid the higher rates of motor tax on private vehicles. And I’ve recently written about how penalties for breaches of legislation are the third lever the government has to help balance the books.

    So, the existence of a declaration form isn’t really anything new it seems. What is new is that the Minister is asking people to take it seriously and some penalty is now attached to making a false declaration. It may well be that the specifics of enforcement will be difficult, and it is likely that a blanket ban on “mixed use” will ever be 100% effective. But it does show that the Government are seeking to maximise the income they can generate from existing processes by increasing the enforcement and the penalties associated.  This is precisely the point I made in my last post on this blog when I wrote about how the introduction of penalties for breaches of the Data Protection Acts was probably inevitable, regardless of when the new Directive comes into being, simply by reason of the State needing to open as many sources of revenue as possible.

    Of course this “change” in the Motor Tax regime is, to an extent, unfair as commercial vehicle owners have gotten used to being able to drop the kids to school and use their vehicles on weekends for leisure purposes etc, enjoying all the benefits of private vehicle use on a fraction of the tax. The media response (particularly from the AA) has been to suggest that the Minister will drive people to buy second cars or is imposing a burden on small businesses. And that is unfair. Personally, I think a change to the motor tax regime where a “mixed use” category would be introduced might have merit.

    However, thinking back to my last post on this blog, would there be as much of an outcry if penalties for breaches of the Data Protection Acts were introduced? Bear in mind that the Commissioner operates on a conciliatory basis, seeking to promote Compliance, not punish non Compliance. Also bear in mind that breaches of the Data Protection Acts occur when Data Controllers fail to respect the Duty of Care that they owe to individuals to hold their personal data on trust and to respect their privacy.  I would suspect that, when penalties are introduced (I say “when” because it will happen either through domestic legislation or further alignment of EU frameworks through a revised Directive) they will be applied only where a Data Controller has failed to act, or acted with willful neglect of their duties under the legislation.

    Where currently the Commissioner can dangle the carrot of constructive engagement and guidance, in the future that will be supplemented by the big stick of fines or other penalties.

    I suspect that penalties that might be levied for breaches such as (for example) operating CCTV without adequate Fair Processing Notices would be quite small (at least initially), perhaps just enough to get the Data Controller to engage with the DPC. But persistent offending might lead to higher penalties

    In short – only the worst offenders will likely be penalised.

    So, the morning talk-radio interview might go:

    Data Controller: “These new penalties are a burden on us”

    Interviewer: “But they are just penalties for stuff you are supposed to be doing anyway to protect people’s privacy etc.”

    Data Controller: “But it’s a big cost to our business if we get a fine every time we do this”.

    Interviewer: “But you shouldn’t be doing it, and the fine is only imposed after the Commissioner tries to get you to correct your behaviour”

    Data Controller: “That’s not the point”

    Interviewer: “That is the point. If you want to avoid the penalty, stop playing fast and loose with people’s personal data”.

    And that’s the point…  while it may be unfair and burdensome in the land of soundbites to expect a small business owner to buy and run a second car or face a penalty for misusing a commercial vehicle, penalties under the Data Protection Acts would be avoidable simply by complying with the legislation.

    So long as you know the rules of the game, work on being compliant, and respect the Duty of Care you owe to your Data Subjects (all things a Data Controller should be doing anyway) there is no additional burden. As such, any increase in penalties would likely be easier to defend than an increase in taxes or restrictions on how a vehicle is used.

    It would also be easier to enforce.

    So, the call to action from this article? I am suggesting that anyone processing personal data in the course of their commercial activities should start getting their house in order now ahead of any changes which might bring in penalties. Ensure your staff are properly trained in the principles of Data Protection. Start working now to make it part of “how things get done” in your organisation, not “another bloody thing to do”.

  • Putting Teeth In the Tiger

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection Blog. I’ve copied it to here as it is my work and I want to put all my Data Protection musings in one place. Please feel free to go and look at it on the ICS site as well.

    The Information Commissioner’s office in the UK has recently flagged their lack of powers to the European Commission. This is slightly amusing for those of us working under the Irish data protection regime, who look at the powers that the UK ICO have to levy penalties for breaches of the UK Data Protection Act, compared to the relatively limited powers of the Irish Data Protection Commissioner to issue Enforcement or Prohibition Notices and only to take prosecutions for breaches of the e-privacy regulations.

    Of course, the Irish Commissioner does have the power since the 2003 Act to conduct audits and investigations on their own account (i.e. not on foot of an actual complaint). The UK ICO has limited powers by comparison. Likewise, they lack an equivalent Data Breach provisions that the Irish Data Protection  Commissioner introduced last month (but there are plans to do so in the UK soon).

    There is a new draft Data Protection Directive in the pipeline (albeit stalled at the request of the French to allow sufficient time for effective consultation). Just as Directive 95/46/EC (the root of Ireland’s 2003 Data Protection Amendment Act) was introduced to address divergences in the implementation of the previous Convention on Data Privacy (Convention 108), it is likely that this revised directive will seek to address some of the remaining areas of divergence in national laws which implement Directive 95/45/EC.  One area which is likely to be addressed will be the nature and type of penalties which will be applicable to various categories of breach.

    The drafting of the revised Directive has been delayed. Even when the Directive comes into being, the Irish Government’s track record in implementing Data Protection regulations in a timely manner has been less than impressive. So it may well be that, from point of view of EU mandated changes, we could be in for a long wait.

    However there is a significant elephant in the room. The State needs to balance the books. The two traditional levers which can be pulled by the State are either Taxation or reductions in spending. Both of these levers are politically difficult to pull. Increasing taxes creates resistance and revolution  (increases in taxation historically trigger revolutions – particularly taxes on property or on the middle classes). Cutting spending likewise creates resistance and exacerbates social disadvantage (in many cases undoing valuable work previously done using tax euros).

    Both of these are the items on the current agenda.

    Of course, there is a third lever which can be used to generate revenue for the State and which can (at least in the short to medium term) bring about a change in behaviour. That third lever is the levying of fines and penalties. While this lever may not contribute as quickly or substantially to balancing the books, it would be remiss of the government to overlook any potential source of revenue at this time. And as this revenue is being generated on foot of behaviour which is illegal, under legislation which has been in existence for a number of years, and (unlike a tax) it can be avoided by simply taking the necessary steps to comply with the legislation.

    The introduction of such penalties would require a minor amendment to the existing legislation.

    So, given that there are indications emerging which suggest upcoming changes to standardise the types of penalty which will apply to breaches of the Data Protection regulations across the EU27 States, and that the State has an increasingly urgent need to generate revenue, I would not be surprised if we were to see some changes in the Data Protection legislation in Ireland sooner rather than later which would introduce some penalties which will put some additional teeth in the Data Protection Commissioner’s enforcement powers.

    But this is only a worry for anyone who isn’t complying with the Data Protection Acts. The prudent course of action for anyone processing personal data would be to make sure that they get their house in order ahead of any potential changes, either emerging from Europe or from the Government’s need to claw in as much income as possible.

  • Profound Profiling

    Over the past few weeks at a number of events and speaking engagements I’ve found myself talking about the multifaceted benefits of Data Profiling from the perspectives of:

    • Complying with EU Data Protection regulations
    • Ensuring Data Migrations actually succeed
    • Enabling timely reporting of Regulatory risks

    My mantra in these contexts seems to be distilling down to two bald statements:

    • It’s the Information, Stupid.
    • Profile early, profile often.

    But what do I mean by “Data Profiling”? For the purposes of these conversations, I defined “Data Profiling” as being the analysis of the structure and content of  a data set against some pre-defined business rules and expectations. For example, we may want to know how many (or what percentage) of records in a data set are missing key data, or how many have inconsistencies in the data, or how many potential duplicates  there are in the data.

    Why is this of benefit? While a journey of a 1000 miles starts with a single step, that journey must start from somewhere and be headed somewhere. The destination is encapsulated in the expected business rule outcomes and expectations. These outcomes and expectations are often defined by external factors such as Regulatory requirements (e.g. the need to keep information up to date under EU Data Protection principles, or the need to track bank accounts of minors in AML processes) or the strategic objectives of the organisation. The starting point is, therefore, a snapshot of how close you are (or how far you are) from your destination.

    In my conversations, I advised people (none of whom were overly familiar with Information Quality principles or tools) that they should consider investing in a tool that allows them to build and edit and maintain Data Profiling rules and run them automatically. Regular Information Quality geeks will probably guess that the next thing I told them was about  how the profile snapshots could provide a very clear dashboard of how things are in the State of Data in their organisations.

    Just as, when we are embarking on our journey of 1000 miles, it makes sense for us to regularly check our map against the landmarks to make sure we are heading in the right direction. The alternative is to meander down cul de sacs and dead end trails. Which equates in Information Management terms to wasted investment and scrap and rework. So, profile early and profile often seems to be a good philosophy to live by.

    By applying  business rules that relate to your regulatory compliance, risk management, or data migration objectives, you can make Information Quality directly relevant to the goals of the organisation, increasing the likelihood of any changes you bring in becoming “part of the way things get done around here” rather than “yet another darned thing we have to do”.  Quality for the sake of quality was a luxury even in the pre-recession period. In today’s economy it is more important than ever to demonstrate clear value.

    And that is the real profoundity of profiling. Without it you can’t actually know the true value of your Information Asset or determine if your current course of action might turn your Asset into a Liability.

    It’s the Information, Stupid. So Profile Early and Profile Often.

  • “It’s the Information, Stupid”

    This post was first published in the Irish Computer Society Data Protection blog. I’m republishing it here as it is my original work and I am putting my Data Protection musings in one place.

    A recent news story in the Irish Times about the data protection compliance problems faced by the Irish Insurance industry serves as a timely reminder of one of the mantras for Data Protection compliance:

    Just because you can, doesn’t mean you should.

    In this instance, a perfectly legitimate process existed for sharing data in certain circumstances (when a claim was being made) to help flag instances of insurance fraud etc. All of that processing is legitimate and legal.

    The problem arose where the information was being shared when a claimmight be made, resulting in disclosures of personal data between insurance providers without any legal justification. It was these disclosures that the Commissioner has flagged as being in breach of the Data Protection Acts.

    Technology is great. It allows for the analysis of data quickly to find important nuggets of information. However, only if you have obtained that source data legally will you be able to legitimately act on the facts you uncover.

    Just because you can, doesn’t mean you should.

    This case also highlights another aspect of Data Protection Compliance – it is not all about technology or the IT department. In this case, business decisions were taken to share information. Without business rules to restrict or permit disclosure of information (e.g. “only disclose if a claim is in progress”), information was disclosed without due cause.  Business managers need to step up to the mark and be proactive about how they manage their core business asset (information) in a way that ensures and assures compliance, trust and, at the end of the day, their ability to keep using that information.

    To paraphrase Bill Clinton – “It’s the Information, Stupid”.

  • For the want of a nudie pen Tom Happens is exposed

    One of the most popular presenters on one of the most popular radio stations in Ireland recently launched a great idea – a loyalty card for his listeners. This card seems to be the replacement for his previous gimmick, a “Nudie Pen”.

    Visit the radio station website (NewsTalk.ie, tell them your name, your address, your email address, your 3 favourite bands and your favourite foods and a piece of plastic featuring a picture of the host will wend its way to your door.

    Simple.

    At least it is unless you step back and think about the process from the point of view of Data Protection principles.

    Personal data must be obtained and processed fairly for specific purposes. What are the purposes for which NewsTalk wants my personal data? If it is just to send me a card then we walk right into another issue – information gathered should not be excessive to that purpose.

    So, if you are just sending me a card, why do you need to know my music and food preferences?

    Sensitive personal data, such as data pertaining to medical conditions or political beliefs or ethnic origins is treated with more seriousness under the Data Protection Act. So, depending on the responses to those questions about music and favourite foods, sensitive personal data could be being processed.

    The explanation of the loyalty card scheme that is on the NewsTalk website is great and in keeping with the light hearted nature of Tom’s show. However it doesn’t go far enough in explaining or setting out the purposes for which the data is being captured.

    Other issues arise as a result of processing personal data via a website, such as the legal requirement to have a privacy policy displayed on the site and the data protection requirements of keeping the data safe and secure and only keeping it for as long as it is needed for the specified purpose. I’ll explore these in later posts.

    It is all too easy to fall foul of the simple rules that exist to ensure trust and transparency in how personal data can be processed. Prior planning can ensure that Compliance is an enabler of business and customer interaction rather than a nagging fear of being caught dragging at your actions.

    Taking out your Nudie Pen and mapping out what your information objectives, purposes, etc. are (see this tutorial on my company website for an example) is time well spent to make sure you aren’t creating a rod to beat yourself with. Using your Nudie pen to sign up for some Data Protection Training (such as that offered by the Irish Computer Society or my company) would also be a worthwhile step, particularly given the Data Protection Commissioner’s recent findings on the need for the management teams in businesses to be aware of the Data Protection implications of their actions.

  • Information Quality – Do we have an app for that?

    A few weeks back I got a new iphone. I’d resisted for years, enjoying the pleasures of Nokia and Symbian and the challenges of Palm and Windows Mobile 6.1.

    The fun part for me of any new mobile phone purchase is playing with the new toy  tool and seeing what it can do that my old one couldn’t. For example, back in the 1990s when I did my first upgrade from my first mobile phone (an ericsson model so old that I actually can’t find it referenced on the internet), I found that the new phone was so much smaller and lighter I was actually able to carry it around.

    The irritation I have is when it comes to moving my contacts and synchronising with my various other technologies that hold contact details (laptop, gmail, company address book). Inevitably I wind up with duplication and triplication of contacts. I thought I had the problem licked on the iphone though as there are a number of apps available for managing contact details and reducing duplicates.

    However, having spent a few days using them I am unimpressed as they seem to be making a the traditional rookie mistake in de-duping records – assuming that name matching is enough.

    My brother and father share a given name and a family name. They have different middle initials, different addresses, different phone numbers, different email addresses (all the stuff that you would have in a contact record on your phone). Each application I tried decided that they were a duplicate entry and merged the records. This was annoying.

    In other cases, I have duplicate entries with varying degrees of record completeness. For example, my friend Cathal exists at least 4 times, with one entry having most of his contact details,  with spurious email addresses or social networking nicknames in the others.  The “data quality tool” very kindly merged all the records into the entry that had the least amount of data, and deleting the other records.

    Right now I’m considering firing up talend, datanomic, or informatica tools to dedupe a dump from my iphone and reload it to the phone, and then hopefully that will cascade through the rest of my data stores when I synchronise.

    But I’ll need to draw a data flow map of all of that to make sure.

    Grrrrhhh.

    So. If the existing tools for data quality on the iphone are not up to the jobs, what is missing? The good news is that the data sets are fairly clearly structured (once they get into the iphone), so that is less of a concern than the actual processing of matching and consolidation of records.

    1. Probability scoring across multiple fields would be nice. If two people have the same name but significantly different contact details then it is very probable they are not the same person. A corollary – if there are two records with the same name and one has contact information and the other record has only a name, chances are they are duplicates.
    2. Presentation of matches for review. While the machine can make good guesses where the name and contact details are the same, where there is confusion, the matches should be flagged for a review by the phone user (the “Data Controller”). This way we can avoid having to unpick erroneous matches.
    3. Merging of records should be done on a more structured basis, with mapping of fields being user-customisable based on a standard template. I despair of important contact information being dumped into a notes field (it reminds me too much of when I had to try and migrate data out of a Siebel call centre system a few years ago).
    4. The matching should be able to cater for multi-lingual input (as phones don’t all live and work in english speaking lands).

    There may be other requirements that I am not thinking of here at the moment, but those 4 are a starting point. Perhaps an obliging Data Quality tool vendor will develop an iphone app to a web service for matching contact records.

    Personally, I think that having such a service available would help raise awareness of the value of quality non-duplicated contact information to individuals and to organisations.  However, the app on its own isn’t enough as the average smart-phone user may have personal information held in a variety of places and, just like in a large enterprise with lots of data stores, creating a “Single View of Contact” will require you to understand the flow of your contact information around your tools (i.e. does the phone update the laptop and does the laptop synch to google apps and does google apps synch to the phone?) to avoid the cleanup work being undone the next time you plug your phone into your PC.

    Information Quality Management poses challenges for the enterprise, but can also create friction for the individual trying to manage something as simple as a list of contacts across multiple information stores.

    Do we have an app for that?

  • Sometimes it is the simplest things…

    Yesterday I took some time out from work to help hang some new light fittings at home. Our local handyman/neighbour was doing the hard work as my wife has seen enough of my father’s DIY exploits to have put an embargo on me even looking sideways at power tools.

    The estimated duration of the job was to be about 45 minutes to an hour to hang three fittings. The first two fittings went up in about 20 minutes. The final one, that took us about 4 hours (and as of this morning still isn’t finished. We hadn’t factored on the “creativity” of the electricians who installed the original wiring.

    When we opened up the existing light fitting in the living room we were faced with a spaghetti junction of cables. When we wired them into the new light fitting, the light went on but the switch wasn’t controlling it. It seemed we’d wired the light into a loop going somewhere else. We were faced with 5 live wires which had been going into 4 connectors on a connector block. So we had to then test each of the possible live/neutral combinations in turn to find the ones that actually related to the switch (which necessitated our handyman/neighbour having to play with live 240 volt electricity, which is never a good idea).

    When we traced the correct cable pair I did a very simple thing. I dug out my label maker and put a label on the cables that related to the lighting circuit in that room. It struck me that that 30 seconds of effort was something that the electrician who wired the house could have easily done when they were installing the cables, making life simpler for him (or her) and for anyone who came after.

    We wired everything up and fitted it up for a quick test before finishing the job. I turned the power back on.

    Then there was a loud bang and the power went out.

    It turned out that there was a break in the live wire we’d just labelled (the important one for the task at hand) slightly further up the cable from where the label was which had pierced through the insulation and come into contact with the metal mounting plate for the light fitting.

    As a result, the magic smoke had escaped from the circuit breaker and the light switch.

    What had ensued for my neighbourhood handyman and I was instead frustration as  a task which should have taken a half hour stretching into nearly six hours (over 2 days) and additional expense (to the handyman) in replacing the blown components.

    To put it another way, for the want of €0.15 of labelling on the part of the original vendor to identify the attributes of the various wires we found (such as “this one runs the lights”), I expended a full half-day of work and the handyman was unavailable for other jobs which would have paid him a lot more than the rate we’d struck for fitting the lights – and that was before the additional cost and complication of having to go to the electrical wholesalers this morning to buy replacement parts and fit them as well.

    It struck me that this is a situation we encounter on a regular basis with the information assets of an organisation.

    Very often the important data for a given process in a given area is not clearly identified. Management say “give us everything and we’ll figure it out” and call centre screens and web-forms are cluttered with a variety of information capture points.

    A failure to understand (or label) the purpose of that information, where it comes from and where it goes to, and its critical path in the business can result in undesired outcomes as soon as anything starts to change in the business, business processes, or technology platform (such as replacing your front end systems with a new one, the nearest analogy I can think of for changing a light fitting).

    This results in expended effort on scrap and rework trying to get the blasted thing to work right with the desired outcomes (such as throwing illumination on a problem), and quite often can result in a critical information path way being blown and needing replacement or an internal control process in the business stopping a process.

    Of course, things can often be worse in the Information Quality space where the internal controls on quality may not function as efficiently as a circuit breaker and a light switch which have planned failure built in to them to isolate the end user from the dangers of domestic electricity supply. When controls like circuit breakers fail, the results can be… shocking.

    Sometimes it is the simplest things that are important, such as knowing what wires relate to the circuit you are fitting a light into, or what items of information are actually critical to the success or failure of a process (both the immediate process and down stream -remember  there were 4 other live wires relating to other circuits that had to be dealt with as well) is a key contributor to the success or failure of any change effort.

    What controls do you have to protect your business knowledge workers from the dangers of a high voltage low quality information? Are the mission critical data in your organisation clearly labelled?