Tuesday, 23 June 2020

We have scored 75% against the criteria – is that OK?

As a data, risk and logic guy my life is models and numbers. I have check-lists, models and guides for data protection, information security, data governance, records management and IT strategy, to name but a few.

If you want to talk to me about business or change I can point to balanced score-cards, Kotter and Kübler-Ross, EFQM and Investors in People and many more.

Indeed, having been through distance learning I now have an MBA and a variety of PostGrad qualifications, which are all about learning outcomes, criteria and evidence. I am a tutor / mentor for the Chartered Management Institute and I have check-lists, models and guides used to educate, inform, appraise and grade students.

Even in my hobbies, formerly as a triathlete and more recently as a rower, I can point to numbers to indicate ability: that might be watts per kilo, a sub-3 hour marathon or a top 10 ranking against my peers.

Whatever the circumstance, I can find a number that flatters.

What I worry about is that people are too easily impressed by numbers, often without context. Too many students are satisfied with a pass-mark rather than a deep understanding. Too many businesses are content with an above-average ranking without actually understanding the implications. This tick-box compliance has been the undoing of many people and organisations and it is really important that the numbers guide the conversation rather than replace it.

There are many excellent books in risk, modelling, change, prediction and economics and I will happily provide a reading list rather than attempt to convey the genius of the authors, but I would like to make a point.

75% of these homes look OK. What does the data suggest you should do?

Perhaps the data is a bit out-of-date, perhaps the actual situation isn’t on the tick-list and so it is not reflected in the score. Where would you put your attention (time, people, money, priority) in this next scenario?

Sure enough, you can report to the CEO or the Risk Committee that you have scored 75 out of a possible 100, but that isn’t the whole truth now, is it?!

The problem with things like data protection, information security and even business planning in these times of COVID-19 is that, whilst data is necessary, there is much more that needs to be done than compile the numbers.

How about this as a scenario? Where would you put your attention (time, people, money, priority) now? I have avoided making matters financially or morally complicated by adding values or salaries, but most risk, project and planning work is based on ROI. Moreover, these houses may be departments, business units or investments.

I want to conclude by making a clear distinction between governance, evidence, culture and compliance. Governance is about accountability and controls, evidence is something you can monitor and measure, culture, however, is much more difficult, and compliance is when they align.

This is over-simplistic and I commend books on risk, modelling, change, prediction and economics. I will also defend all the models that I have mentioned. I would just like to emphasise that it is really important that the numbers guide the conversation rather than replace it.


Tuesday, 2 June 2020

YOU MAY NOT NEED A DATA SHARING AGREEMENT

SOME USEFUL GUIDANCE: YOU DO NOT NEED A DATA SHARING AGREEMENT TO PROVIDE INFORMATION THAT IS REQUIRED BY LAW

I recently received this useful guidance:

You don't need a sharing agreement to provide information to the Government of Jersey (GoJ) – there is a legal obligation for an entity to provide that information. For example, if I had staff I would have to give Social Security that manpower information. My legal basis for sharing the information with Social is that the Social Security Law says I have to.

{Schedule 2, Item 8, Employment and social fields: The processing is necessary for the purposes of exercising or performing any right, obligation or public function conferred or imposed by law on the controller in connection with employment, social security, social services or social care.}

There is nothing in the DPJL that says that formal data sharing agreements have to be in place between two entities, and the DPJL doesn't refer to a 'data sharing agreement' at all, nor does GDPR (other than where there is a controller/processor relationship); data sharing just needs to be done in accordance with the Art. 8 principles (etc.), and a formal data sharing agreement simply helps an entity to evidence that the sharing is being done lawfully.

The place where data sharing agreements really come into play is, for example, if I’m selling my business and providing my data to the purchaser so they can do their due diligence. You want an agreement in those circumstances to set out exactly what is being shared, confidentiality provisions, return of information if the transaction doesn't go ahead, etc. You also see them in cases where information is being passed across for research purposes.

The UK ICO has a code of practice out for consultation: https://ico.org.uk/media/2615361/data-sharing-code-for-public-consultation.pdf

It's pretty helpful but doesn't say when you'd have one. Pg 25 has good stuff about what you would likely want to include, but the rest of the doc focuses really on the accountability of controllers, their being able to evidence why processing is necessary, and transparency.