The story broke in the Sunday Times just after Christmas and has been picked up as a discussion point on sites such as Boards.ie.  TJ McIntyre has also written about some of the legal issues raised by this.

Ultimately, at the heart of the issue is a fundamental issue of Data Protection Compliance and a failure to treat Personal Data (and Sensitive Personal Data at that) as an asset (something of value) that the Hospital held and holds on trust for the data subject. It is not the Hospital’s data. It is not the HSE’s data. It is my child’s data, and (as I’m of a certain age) probably my data and my wife’s data and my brothers’ data and my sisters-in-laws’ data…..

It’s of particular interest to me as I’m in the process of finishing off a tutorial course on Data Protection and Information Quality for a series of conferences at the end of February (if you are interested in coming, use the discount code “EARLYBIRD” up to the end of January to get a whopper of a discount). So many of the issues that this raises are to the front of my mind.

Rather than simply write another post about Data Protection issues, I’m going to approach this from the perspective of Information as an Asset which has a readily definable Life Cycle at various points in which key decisions should be taken by responsible and accountable people to ensure that the asset continues to have value.

Another aspect of how I’m going to discuss this is that, after over a decade working in Information Quality and Governance, I am a firm believer in the mantra: “Just because you can doesn’t mean you should“. I’m going to show how an Asset Life Cycle perspective can help you develop some robust structures to ensure your data is of high quality and you are less likely to fall foul of Data Protection issues.

And for anyone who thinks that Data Protection and Data Quality are unrelated issues, I direct you to the specific wording in the heading of Chapter 2, Section 1 of the Directive 95/46/EC.

The Information Asset Life Cycle

Information, just like any other asset, has a life cycle through which it needs to be managed. Just because you can keep throwing files into a filing cabinet (or, in Data Protection terms, a “relevant filing system“) or hold it forever in electronic storage doesn’t mean you should.

POSMAD model (thanks to Danette McGilvray)

The key stages in the Information Asset Life Cycle are listed below, and are mapped to the 8 Data Protection Principles in the diagram opposite as well.

• Plan
• Obtain
• Store and Share
• Maintain
• Apply
• Dispose

The answers posed to the questions asked at each of these stages affect the ability of the organisation to meet its obligations under the Data Protection Act, as can be seen by the mapping of DP Principles to POSMAD Life Cycle stages.

Just like any other asset, information needs to be managed.

When you are hiring new staff, you plan for what type of people you will need in your business. You’ll need to have strategies for obtaining those staff, planning in place for how to store them (offices, desks etc.). You will (ideally) want to maintain them (training, rewards and recognition, staff retention), and be sure you can Apply them to their job (right tools, adequate resources etc.). Inevitably, you are also going to have to have answers to the question of what you will do with your staff when you no longer need them and need to dispose of them (retirement, redundancy, etc.).

With Information, you need to Plan what type of data you will be capturing and why, and who you’ll share it with. You’ll need to define policies and methods for obtaining that data (e.g. standardised testing protocols such as the Guthrie Card and the structured information captured on hospital test request forms). You’ll need to plan how that data will be stored and shared so it can be found when needed, and can be readily linked to other data etc. You’ll need to have some  consideration to how you will maintain that data (e.g. keeping personal data up to date for as long as you are holding it), and you’ll need to have a clear plan and protocol for how to dispose of the data when it is no longer needed.

Note that in this context, disposal does not necessarily mean the destruction of the data. It could simply be a process or policy that defines when data has become “excessive” and mandates the anonymising of all the data to a level suitable for statistical reporting and study but that is no longer “personal data” in the meaning of the Data Protection Acts.

Of course, just as you have measures that help you track and manage the effectiveness with which you are managing other assets (e.g. tracking equipment services and outage statistics for office equipment or purchase volumes for stationery and paper clips), you should ideally look to develop some metrics that help you know how well you are answering the various questions at each stage in the Information Asset Life Cycle.

Finally, you need to bear in mind that the Data Protection Acts now cover personal data held in formats other than electronic files. So paper based data (e.g. patient information associated with a Guthrie Card) is protected by the Data Protection Act when it is held in a “Relevant Filing System”. So your paper filing needs to bear up to the scrutiny of the Information Asset Life Cycle

The Temple Street Situation

What appears to have happened in the Temple St situation is that there was a failure to properly plan for the management of a key information asset.

• While there was a plan to provide a national scheme for testing, some key questions were not asked at the planning stage. As a result, the answers are not necessarily forthcoming to parents when faced with the test.
  

  Good Data Protection requires Planning

  For example, parents do not always know that the test is being done in Temple St. Certainly, parents were not aware that the data was to be held indefinitely. Ultimately, if Aldi (see image) are able to tell me what my personal data (CCTV images) is to be used for and who I can contact if I have a query, then the HSE and its sub-division and constituent hospitals should have been able to do the same.

• There appears to have been no thought given to the conditions or criteria for reasonable disposal (either outright disposal or anonymising) of the data. This gave rise to a situation where a Data Protection breach was inevitable.
• Parents (acting as legal guardians of their children) were not given the opportunity to opt in or opt out of being part of further scientific research using the blood samples taken from children.
• Likewise, children and adults (and the DPA does not require someone to be an adult to be protected) who have data on file in Temple St. do not appear to have a clear mechanism available whereby they can request that their data be blocked from use in processes other than that for which it was initially provided. (I’ve looked at the list of Data Controllers and Data Processors registered with the Data Protection Commissioner and Temple St. doesn’t seem to be listed in its own right is listed as the “Children’s University Hospital” and it’s not immediately clear from the register whether HSE Dublin North East or Dublin Mid-Leinster covers Temple St.) [Thanks to Hugh Jones, the lead trainer on the Irish Computer Society's Data Protection course for the correction]
• The personal data attached to the blood samples will, in a large number of cases, be woefully out of date and inaccurate – in itself a breach of the Data Protection Act – as there is likely no process to keep that data up to date. If the data is not being maintained, it is not needed and is excessive to the stated purposes for which it is being used. If the personal data (e.g. name and address) on samples that are 26 years old is being used for specific purposes, then one would suggest that any action taken on foot of such analysis is likely to be wrong.

A number of commenters on Boards.ie and elswhere have commented to the effect that the personal data could be excised out when the blood test data or samples were being used. That misses the fundamental point. There is a point in time beyond which having my daughter’s name and address cease to have an actionable value in any analysis of blood tests taken from her. If you don’t need it, then the data you are holding is excessive (in the meaning of the DPA and the EU Data Protection Directives) and should be permenantly removed. Aggregation of samples into clusters based on geographic region would likely allow for data sets suitable for scientific and statistical analysis.

But then we are right back to the Plan stage of the POSMAD model. What was intended to be done with this data? What are the stated purposes for which it is being captured? At what point does the data become excessive for those purposes? What is the plan to dispose of the excessive data (while retaining data appropriate to the stated purposes?

Conclusion

Information is an Asset. It needs to be managed and protected as such. Adopting an Asset Life Cycle approach to planning, with your Data Protection Duties forming the basis for your Key Questions can help your organisation properly plan to manage your Asset in a compliant manner. Furthermore, the Data Protection rules are enablers rather than restrictions as they provide a clear framework within which you can manage the expectations and worries of Data Subjects so that you get better up-take and happy and informed consent to you having the relevant data for as long as you plan to need it.

A key message coming from “DPA-Aware” bloggers affected by this issue is that if they had been asked if they minded anonymised data being held for research purposes they would not necessarily have objected. Investing time in planning and in valuing the Personal Data Asset which the HSE holds on Trust for the affected Data Subjects (they don’t own it) would have avoided the negative reaction and push back from rightly concerned parents and Civil Rights groups.

Want to learn practical approaches to avoiding this type of boo boo in your organisation? Why not come along to my tutorial at the 2010 IDQ Seminar Series event in Dublin on the 22nd and 23rd of February. Use the code “EarlyBird” before Jan 31st to get big savings on the event. If you are interested in just my tutorial, use the code “DoBlog” when registering.

I recently wrote an industry report for a UK publisher on Information Quality strategy. The publisher then swapped all my references to Information Quality to references to Data Quality as that was their ‘brand’ on the publication. I prefer the term Information Quality for a variety of reasons.

As this runs to over 100 pages of A4 it has a lot of words in it. My fingers were tired after typing it. Unlike Twenty’s book, I’ve got pictures in mine (not those kind of pictures, unfortunately, but nice diagrams of concepts related to strategy and Information Quality. If you want the other kind of pictures, you’ll need to go here.)

In the marketing blurb and bumph that I put together for the publisher I mentioned this blog and the IQTrainwrecks.com blog. Imagine my surprise when I opened a sales email from the publisher today (yes, they included me on the sales mailing list… the irony is not lost on me… information quality, author, not likely to buy my own report when I’ve got the four drafts of it on the lappytop here).

So, for the next few weeks I’ll have to look all serious and proper in a ‘knowing what I’m talking about’ kind of way to encourage people to by my report. (I had toyed with some variation on booky-wook but it just doesn’t work – reporty-wort… no thanks, I don’t want warts).

So things I’ll have to refrain from doing include:

1. Engaging in pointless satirical attacks on the government or businesses just for a laugh, unless I can find an Information Quality angle
2. Talking too loudly about politics
3. Giving out about rural/urban digital divides in Ireland
4. Parsing and reformatting the arguments of leading Irish opinion writers to expose the absence of logic or argument therein.
5. Engaging in socio-economic analysis of the fate of highstreet purveyors of dirty water parading as coffee.
6. Swearing

That last one is a f***ing pain in the a**.

If any of you are interested in buying my ‘umble little report, it is available for sale from Ark Group via this link.. . This link will make them think you got the email they sent to me, and you can get a discount, getting the yoke for £202.50 including postage and packing (normally £345+£7.50p&p. (Or click here to avoid the email campaign software…)

And if any of you would like to see the content that I’d have preferred the link in the sales person’s to send you to (coz it highlights the need for good quality management of your information quality) then just click away here to go to IQTrainwrecks.com

Thanks to Larry, Tom, Danette, the wifey for their support while I was writing the report and Stephanie and Vanessa at Ark Group for their encouragement to get it finished by the deadline.

First off, courtesy of a source who enquired about the investigation, the Data Protection Commissioner has finished their investigation and the IBTS seems to have done everything as correct as they could, in the eyes of the DPC with regard to managing risk and tending to the security of the data. The issue of why the data was not anonymised seems to be dealt with on the grounds that the fields with personal data could not be isolated in the log files. The DPC finding was that the data provided was not excessive in the circumstances.

[Update: Here's a link to the Data Protection Commissioner's report. ]

This suggests to me that the log files effectively amounted to long strings of text which would have needed to be parsed to extract given name/family name/telephone number/address details, or else the fields in the log tables are named strangely and unintuitively (not as uncommon as you might think) and the IBTS does not have a mapping of the fields to the data that they contain.

In either case, parsing software is not that expensive (in the grand scheme of things) and a wide array of data quality tools provide very powerful parsing capabilities at moderate costs. I think of Informatica’s Data Quality Workbench (a product originally developed in Ireland), Trillium Software’s offerings or the nice tools from Datanomic.

Many of these tools (or others from similar vendors) can also help identify the type of data in fields so that organisations can identify what information they have where in their systems. “Ah, field x_system_operator_label actually has names in it!… now what?”.

If the log files effectively contained totally unintelligible data, one would need to ask what the value of it for testing would be, unless the project involved the parsing of this data in some way to make it ‘useable’? As such, one must assume that there was some inherent structure/pattern to the data that information quality tools would be able to interpret.

Given that according to the DPC the NYBC were selected after a public tender process to provide a data extraction tool this would suggest that there was some structure to the data that could be interpreted. It also (for me) raises the question as to whether any data had been extracted in a structured format from the log files?

Also the “the data is secure because we couldn’t figure out where it was in the file so no-one else will” defence is not the strongest plank to stand on. Using any of the tools described above (or similar ones that exist in the open source space, or can be assembled from tools such as Python or TCL/TK or put together in JAVA) it would be possible to parse out key data from a string of text without a lot of ‘technical’ expertise (Ok, if you are ‘home rolling’ a solution using TCL or Python you’d need to be up to speed on techie things, but not that much). Some context data might be needed (such as a list of possible firstnames and a list of lastnames, but that type of data is relatively easy to put together. Of course, it would need to be considered worth the effort and the laptop itself was probably worth more than irish data would be to a NYC criminal.

The response from the DPC that I’ve seen doesn’t address the question of whether NYBC failed to act in a manner consistent with their duty of care by letting the data out of a controlled environment (it looks like there was a near blind reliance on the security of the encryption). However, that is more a fault of the NYBC than the IBTS… I suspect more attention will be paid to physical control of data issues in future. While the EU model contract arrangements regarding encryption are all well and good, sometimes it serves to exceed the minimum standards set.

The other part of this post relates to the letter template that Fitz kindly offered to put together for visitors here. Fitz lives over at http://tugofwar.spaces.live.com if anyone is interested. I’ve gussied up the text he posted elsewhere on this site into a word doc for download ==> Template Letter.

Fitz invites people to take this letter as a starting point and edit it as they see fit. My suggestion is to edit it to reflect an accurate statement of your situation. For example… if you haven’t received a letter from the IBTS then just jump to the end and request a copy of your personal data from the IBTS (it will cost you a few quid to get it), if you haven’t phoned their help-line don’t mention it in the letter etc…. keep it real to you rather than looking like a totally formulaic letter.

On a lighter note, a friend of mine has received multiple letters from the Road Safety Authority telling him he’s missed his driving test and will now forfeit his fee. Thing is, he passed his test three years ago. Which begs the question (apart from the question of why they are sending him letters now)… why the RSA still has his application details given that data should only be retained for as long as it is required for the stated purpose for which it was collected? And why have the RSA failed to maintain the information accurately (it is wrong in at least one significant way).

Vincent McBurney’s Blog Carnival of Data Quality has invited submissions on the theme “Happy New Year”, so I thought I’d take a look back over 2007 and see what emerging trends or movements might lead to a Happy New Year for Information Quality people in 2008.

Hitting Mainstream
In 2007 Information Quality issues began to hit the mainstream. It isn’t quite there yet but 2007 saw the introduction of taught Master’s degree programmes in Information Quality in the University of Arkansas at Little Rock and there have been similar developments mooted in at least one European University. If educators think they can run viable courses that will make money then we are moving out of the niche towards being seen asa a mainstream discipline of importance to business.

The IAIDQ’s IDQ Conference in Las Vegas was a significant success, with numbers up on 2006 and a wider mix of attendees. I did an unofficial straw poll of people at that conference and the consensus from the delegates and other speakers was that there were more ‘Business’ people at the conference than previous Information Quality conferences they’d attended, a trend that has been growing in recent years. The same was true at the European Data Management and Information Quality Conference(s) in London in November. Numbers were up on previous years. There were more ‘Business’ people in the mix, up even on last year. – this of course is all based on my unofficial straw poll and could be wrong.

The fact that news stories abounded in 2007 about poor quality information and the initial short sharp shock of Compliance and SOx etc. has started to give rise to questions of how to make Compliance a value-adding function (hint – It’s the INFORMATION people) may help, but the influence of bloggers such as Vincent, and the adoption of blogs as communications tools by vendors and by Professional Associations such as the IAIDQ is probably as big if not more of an influence IMHO.

Also, and I’m not sure if this is a valid benchmark, I’ve started turning down offers to present at conferences and write articles for people on IQ issues. because a) I’m too busy with my day job and with the IAIDQ (oh yeah… and with my family) and b)there are more opportunities arising than I’d ever have time to take on.

Unfortunately, much of the ‘mainstream’ coverage of Information Quality issues either views it either as a ‘technology issue’ (most of my articles in Irish trade magazines are stuck in the ‘Technology’ section) or fails to engage with the Information Quality aspects of the story fully. The objective of IQTrainwrecks.com is to try to highlight the Information Quality aspects of things that get into the media.

What would make 2008 a Happy Year for me would be to have more people contributing to IQ Trainwrecks but also to have some happy path stories to tell and also for there to be better analysis of these issues in the media.

Community Building
There is a strong sense of ‘community’ building amongst many of the IQ practitioners I speak with. That has been one of the key goals of the IAIDQ in 2007 – to try and get that sense of Community triggered to link like-minded-people and help them learn from each other. This has started to come together. However it isn’t happening as quickly as I’d like, because I have a shopping list of things I want yesterday!

What would make 2008 a happy new year for me would be for us to maintain the momentum we’ve developed in connecting the Community of Information/Data Quality professionals and researchers. Within the IAIDQ I’d like us to get better at building those connections (we’ve become good… we need to keep improving).

I’d like to see more people making contact via blogs like Vincent’s or mine or through other social networking facilities so we can build the Community of Like Minded people all focussing on the importance of Information Quality and sharing skills, tips, tools, tricks and know how about how to make it better. I’d be really happy at the end of 2008 a few more people make the transition from thinking they are the ‘lonely voice’ in their organisation to realising they are part of a very large choir that is singing an important tune.

Role Models for Success
2007 saw a few role models for success in Information Quality execution emerging. All of these had similar stories and similar elements that made up their winning plan. It made a change from previous years when people seemed afraid to share – perhaps because it is so sensitive a subject (for example admitting you have an IQ problem could amount to self-incrimination in some industries)? In the absence of these sort of ‘role models’ it is difficult to sell the message of data quality as it can come across as theoretical.

I’d be very happy at the end of 2008 if we had a few more role models of successful application of principles and tools – not presented by vendors (no offence to vendors) but emerging from within the organisations themselves. I’d be very happy if we had some of these success stories analysed to highlight the common Key Success Factors that they share.

Break down barriers
2007 saw a lot of bridges being built within the Information Quality Community. 2006 ended with a veritable bloodbath of mergers and acquisitions amongst software vendors. 2007 had a development of networks and mutual support between the IAIDQ (as the leading professional organisation for IQ/DQ professionals) and MIT’s IQ Programme. In many Businesses the barriers that have prevented the IQ agenda from being pursued are also being overcome for a variety of reasons.

2008 should be the year to capitalise on this as we near a signicificant tipping point. I’d like to see 2008 being the year were organisations realise that they need to push past the politics of Information Quality to actually tackle the root causes. Tom Redman is right – the politics of this stuff can be brutal because to solve the problems you need to change thinking and remould governance all of which is a dangerous threat to traditional power bases. The traditional divide between “Business” and “IT” is increasingly anachronistic, particularly when we are dealing with information/data within systems. If we can make that conceptual leap in 2008 to the point were everyone is inside the same tent peeing out… that would be a good year.

Respect
For most of my professional life I’ve been the crazy man in the corner telling everyone there was an elephant in the room that no-one else seemed able to see. It was a challenge to get the issues taken seriously. Even now I have one or two managers I deal with who still don’t get it. However most others I deal with do get it. They just need to be told what they have. 2007 seems to be the year that the lights started to go on about the importance of the Information Asset. Up to now, people spoke about it but didn’t ‘feel’ it… but now I don’t have trouble getting my Dept Head to think in terms of root causes, information flows etc.

2008 is the year of Respect for the IQ Practitioner…. A Happy New Year for me would be to finish 2008 with appropriate credibility and respect for the profession. Having role models to point to will help, but also having certification and accreditation so people can define their skillsets as ‘Information Quality’ skill sets (and so chancers and snake-oil peddlers can be weeded out).

Conclusion
2007 saw discussion of Information Quality start to hit the mainstream and the level of interest in the field is growing significantly. For 2008 to be a Happy New Year we need to build on this, develop our Community of practitioners and researchers and then work to break down barriers within our organisations that are preventing the resolution of problems with information quality. If, as a community of Information/Data Quality people we can achieve that (and the IAIDQ is dedicated to that mission) and in doing so raise our standards and achieve serious credibility as a key management function in organisations and as a professional discipline then 2008 will have been a very Happy New Year.

2008 already has its first Information Quality problem though…. looks like we’ve got a bit of work to do to make it a Happy New Year.

In his post he asks if we are at a ‘tipping point’ for Information Quality where

organisations are starting to move from ‘unconscious incompetence’ to ’conscious incompetence’ and see the need to spend money in this area (hence the growing number of vendors and consultancies) which are feeding off the back of this.

He mentions that he gets calls from recruiters looking for Data Quality Management roles to be filled and wonders when we will reach the stage of ‘Concious Competence’.

My personal feeling is that we are at a very large tipping point. Those organisations that truly make the leap will gain significant advantage over those that don’t. Those that make the leap half-heartedly by putting a few job titles and tools in the mix with no commitment or plan will limp along, but the pressure of competing with lean and efficient opposition (those who jump in wholeheartedly) will squeeze on these organisations. Those that don’t leap at all will fall foul of Darwinian evolution in the business context.

The danger that we face at this juncture is that when the ship is sinking any bandwagon looks like a lifeboat. The risk that we face is that we will not have learned the lessons of the CRM adoption age when organisations bought ‘CRM’ (ie software) but didn’t realise the nature of the process and culture changes that were required to successfully improve the management of Customer Relationships. Tools and job titles do not a success make.

The same was true of Quality management in manufacturing. As Joseph Juran said:

“They thought they could make the right speeches, establish broad goals, and leave everything else to subordinates… They didn’t realize that fixing quality meant fixing whole companies, a task that cannot be delegated.”

So, what can be done?

The International Association for Information and Data Quality was founded in 2004 by Tom Redman and Larry English (both referenced in Mr Brook’s article) to promote and develop best practices and professionalism in the field of Information and Data Quality.

As a vendor neutral organisation part of the Association’s mission is to cut through the hype and sales pitches to nail down, clarify and refine the core fundamental principles of Information Quality Management and to support Information/Data Quality professionals (I use the terms interchangeably, some people don’t…) in developing and certifying their skills so that (for example) the recruiter looking for a skilled Data Quality Manager has some form of indicator as to the quality of the resource being evaluated.

The emergence of such an organisations and the work that is being done to develop formal vendor independent certification and accreditation evidences the emergence of the ‘early adopters’ of the ‘Concious committment’ that Mr. Brooks writes about. As an Information Quality professional I am concious that there is a lot of snake-oil swilling around the market, but also a lot of gems of wisdom. I am committed to developing my profession and developing the professional standards of my profession (vocation might be another word!).

Having a rallying point where interested parties can share and develop sound practices and techniques will possibly accelerate the mainstreaming of the Concious Committment… IQ/DQ professionals (and researchers… must’t forget our colleagues in academia) need no longer be isolated or reinvent the wheel on their own.

Let me know what you think….

At the end of September I’m off to Las Vegas to deliver a presentation at the IAIDQ’s North American conference the IDQ 2007 Conference.

At the end of October I’m off to sunny London for the IRMUK Data Management and Information Quality Conferences. This will be my sixth year at this conference and my fourth as a presenter. This year I hit the ‘big leagues’ with a 3 hour tutorial on some of the legal aspects of Information Quality, going head to head with Larry English (amongst others)on the time table.

Then in November the Irish CoP of the IAIDQ, the IQ Network will be hosting our IQ Forum… we’re planning it to co-incide with World Quality Day on the 8th of November to tie in with some IAIDQ events that will be taking place world wide.

Who knows, maybe I’ll meet somebody from Dell at one of those conferences who might be able to fix my laptop problem before Christmas.
That would be nice.