I attended the UCAS Data Matters conference today. There was an interesting presentation from Phil Jones, Assistant Commissioner in the Information Commissioner’s Office who highlighted the impact of the loss of Child Benefit data by HMRC. Such a huge loss of personal data naturally put data protection higher up organisations’ agendas. This in turn resulted in an upsurge in confessions of loss of data and a the number of requests for advice, often on quite trivial matters. Although the incident resulted in an increase in requests for advice, the downside was that data protection was seen more as a security issue, rather than focusing on the accuracy and appropriate use of data. A further consequence was that organisations became less willing to share data, putting security first resulting in a risk that the recipient organisation could not deliver what it was aiming to do.
Coincidentally the ICO were launching a number of initiatives around the time of the HMRC loss. The ICO are encouraging organisations to make privacy impact assessments which look to ensure that the impact on privacy that may result from a change of policy is understood. This can be more easily achieved if an organisation looks to include privacy considerations when designing systems and processes rather than identifying uses of the data after it has been collected. The need for senior management ownership of information governance was stressed. I don’t believe there is much evidence of this taking place in the higher education sector – often the use of data is aligned purely to the process that uses it and there is still no holistic view of information and data requirements. But there remains a need to take that overall view to better inform management decisions and planning.