Thursday, November 25, 2010
Personal Information Management, by Jolito Ortizo Padilla, included in the book "Managing People"
"Data protection is about much more than simply locking up personal information. It is about ensuring that the right information is being captured, for the right purpose, for the right amount of time and that it is being shared and used in an appropriate way"
It is 11 years since the publication of the Data Protection Act 1998 and eight years since it was implemented in 2001. Since that time, much has been written about how organizations should manage the personal information they hold and use for business purposes.
The management of personal information should be seen by all organizations as just one part of the overall information governance framework, a subject that is high on the agenda of most board meetings.
In recent years, the need for effective information governance has posed an ever-increasing challenge for all organizations, whether in the public, private or third sector. It has been widely recognized that information, especially personal information, is an asset. However, it can become a liability and, to paraphrase Richard Thomas, the former UK Information Commissioner, a toxic liability if incorrectly managed.
Advances in technology are making it much easier for organizations to collect greater amounts of personal data and provide better services to their customers. However, these same advances also raise concerns about the effect this has on individuals' privacy, especially with regard to proportionality and retention, and there are ever-increasing challenges for organizations that can only be met by effective information governance.
Back in 1998, BSI brought together a group of experts from across government and the business and public sectors that identified a need for practical guidance on the management of personal information. This led to the publication and continued development of BIP 0012: Guide to the Practical Implementation of the Data Protection Act 1998.
Then in 2007, the group identified a business need for a more formal document that specified a management system that could easily be adopted by organizations. As a result, BS 10012, Information Management - Specification for a Personal Information Management System, was born.
One system to fit all
So, what role do standards play in helping organizations to achieve good information governance? Perhaps the best-known example is the ISO/IEC 27000 series of information security management systems standards. The management system presented in these standards is essentially a systematic approach to managing people and processes rather than implementing technology. It also provides guidelines and common practice so that organizations do not have to continually reinvent the wheel.
Around the same time as ISO/IEC 27000 was being developed, ISO also began work on the development of the first international records management standard, ISO 154989. In this instance, the catalyst was a pioneering Australian records management standard that was itself first developed in response to the need for "quality records," a need identified in ISO 9001, the international quality management systems standard.
One critical element of records management involves managing, and so reducing, the risks associated with document retention and preservation. These issues are of particular relevance for private sector industries such as financial services, utilities and pharmaceuticals, where retention requirements are especially significant.
The management of personal information is a challenge to many organizations, as there is a need for both openness and security. Organizations need to be open when asked by individuals about the processing of their personal information.
On the other hand, good security measures are needed in order to prevent the disclosure of the information to the wrong people. Such a requirement is of particular importance to organizations that provide public services because, as past experience has shown, they are in danger of prominent and sustained media coverage if any poor processes lead to security breaches and data loss.
Data protection is about much more than locking up personal information. It is about ensuring that the right information is being captured, for the right purpose, for the right amount of time and that it is being used and shared in an appropriate way, whether that be sharing it with other organizations or with the individuals who are the subjects of the data.
Instead of defaulting to a mindset that data protection is all about locking personal data away and imposing burdensome restrictions on an organization, good management practice involves dealing with an asset of value that needs to be handled with care.
Effective management can benefit an organization not just by reducing the risk of noncompliance with its obligations under the Data Protection Act, but also by finding opportunities to deliver value to its customers as a consequence of ensuring responsible management of personal information.