Skip to main content

Golden copies, data stewards, and sensitivity

The University stores and manages quite a lot of data - nothing like the scale of Google or similar behemoths, but not insignificant either.  Some of this data is quite sensitive.  It can include personal information (including the "protected characteristics" such as race or sexuality); medical information (for staff & students, or for NHS patients on research projects), commercially sensitive information, and information vital to the teaching process such as exam questions.  We are responsible for looking after this data and keeping it secure, a set of procedures that goes by the dry name of "data governance".

One of the key concepts in our approach to data governance is the "golden copy"; the one true source for a particular kind of information.  For example, the student record is the golden copy for data about students.  I have made this one of our Enterprise Architecture principles:
Principle D1: All data held in enterprise systems have a golden copy that holds the definitive value of that data.
We have had this principle in practice for many years. But if you want to know which system is the golden copy for a particular type of data, or who looks after that system, or how you access the data for yourself, you have had to know who to ask.  So I am creating a golden copy data catalogue that publicises this information.  I'm also working with the data governance group to come up with a default process for requesting access.

This throws a spotlight on the people who look after our data.  The usual name for this role in EA circles is the data steward.  As the name implies, someone who has this role is responsible for looking after the data, ensuring it is up-to-date and good quality.  Their responsibilities also include assessing requests for access, and making the data available to people who need it.  So we are working to define this role and work with people across the university so that our data is stewarded consistently.

I am also working with our Chief Information Security Officer (CISO) and our Data Protection Office (DPO) to agree a classification for information sensitivity.  The goal is to provide consistent advice for which data can be made public, which needs "normal" levels of security, and which needs more stringent controls.

So far, the response to this work has been very positive.  Much remains to be done, not least wider consultation with the people who do the crucial role of looking after our data.



Comments

Popular posts from this blog

Presentation: Putting IT all together

This is a presentation I gave to an audience of University staff: 

In this seminar, I invite you to consider what the University’s online services would be like, if we worked together to design them from the perspective of the student or member of staff who will use them, instead of designing them around the organisational units that provide them. I’ll start with how the services might appear to that student or member of staff, then work back from there to show what this implies for how we work, how we manage our data, and how we integrate our IT systems. It might even lead to changes in our organisational structure.

Our online services make a vital and valued contribution to the work of our students and staff. I argue that with better integration, more consistent user interfaces, and shared data, this contribution could be significantly enhanced.

This practice is called “Enterprise Architecture”. I’ll describe how it consults multiple organisational units and defines a framework …

Service Excellence, Digital Transformation and Enterprise Architecture

Our University Secretary has sponsored a major review of the University’s administrative processes, coining the banner “Service Excellence”.  The aim is to look at the services we provide to staff and students with a fresh eye, making them more effective, more efficient, and focussed on the user rather than administrative convenience.

Our CIO is sponsoring a similar programme called “Digital Transformation”. This will replace old paper-based processes, starting with the question of what would processes look like if we designed them afresh for the modern connected world.  The aim is to make processes that are more focussed on the user and hence more effective and efficient.

Both of these ambitious programmes will need an effective enterprise architecture, if they are to succeed.  Digital Transformation is intrinsically about using opportunities provided by new technology to improve services and, as such, it requires effective technology services to make data available when needed, to pro…

Not so simple...

A common approach to explaining the benefits of Enterprise Architecture is to draw two diagrams: one that shows a complicated mess of interconnections, and one that shows a nicely layered set of blocks. Something like this one, which came from some consultants:


I've never felt entirely happy with this approach.  Yes, we do want to remove as much of the needless complexity and ad-hoc design that litters the existing architecture.  Yes, we do want to simplify the architecture and make it more consistent and intelligible.  But the simplicity of the block diagram shown here is unobtainable in the vast majority of real enterprises.  We have a mixture of in-house development and different third-party systems, some hosted in-house, some on cloud infrastructure and some accessed as software-as-a-service.  For all the talk of standards, vendors use different authentication systems, different integration systems, and different user interfaces.

So the simple block diagram is, basically, a l…