Government data does not mean data governance: Lessons learned from a public sector application audit

Public sector agencies routinely store large volumes of information about individuals in the community. The storage and analysis of this information benefits society, as it enables the relevant agencies to make better informed decisions and to address individuals' needs more appropriately. Members of the public often assume that the authorities are well equipped to handle personal data; however, due to implementation errors and a lack of data governance, this is not always the case. This paper reports on an audit conducted in Western Australia, focusing on findings in the Police Firearms Management System and the Department of Health Information System. In the case of the Police, the audit revealed numerous data protection issues, leading the auditors to report that they had no confidence in the accuracy of information on the number of people licensed to possess firearms or the number of licensed firearms. Similarly alarming conclusions were drawn in the Department of Health, where auditors found that they could not determine which medical staff member was responsible for clinical data entries. The paper describes how these issues often arise not from existing business rules or the technology itself, but from a lack of sound data governance. Finally, a discussion section presents key data governance principles and best practices that may guide practitioners involved in data management. These cases highlight very real data management concerns, and the associated recommendations provide the context to spark further interest in the applied aspects of data protection.
