Golden copies, data stewards, and sensitivity

The University stores and manages quite a lot of data - nothing like the scale of Google or similar behemoths, but not insignificant either.  Some of this data is quite sensitive.  It can include personal information (including the "protected characteristics" such as race or sexuality); medical information (for staff & students, or for NHS patients on research projects); commercially sensitive information; and information vital to the teaching process, such as exam questions.  We are responsible for looking after this data and keeping it secure, a set of procedures that goes by the dry name of "data governance".

One of the key concepts in our approach to data governance is the "golden copy": the one true source for a particular kind of information.  For example, the student record is the golden copy for data about students.  I have made this one of our Enterprise Architecture principles:

Principle D1: All data held in enterprise systems have a golden copy that holds the definitive value of that data.

We have had this principle in practice for many years. But if you want to know which system is the golden copy for a particular type of data, or who looks after that system, or how you access the data for yourself, you have had to know who to ask.  So I am creating a golden copy data catalogue that publicises this information.  I'm also working with the data governance group to come up with a default process for requesting access.

This throws a spotlight on the people who look after our data.  The usual name for this role in EA circles is the data steward.  As the name implies, someone who has this role is responsible for looking after the data, ensuring it is up-to-date and good quality.  Their responsibilities also include assessing requests for access, and making the data available to people who need it.  So we are working to define this role and work with people across the university so that our data is stewarded consistently.

I am also working with our Chief Information Security Officer (CISO) and our Data Protection Office (DPO) to agree a classification for information sensitivity.  The goal is to provide consistent advice for which data can be made public, which needs "normal" levels of security, and which needs more stringent controls.

So far, the response to this work has been very positive.  Much remains to be done, not least wider consultation with the people who perform the crucial role of looking after our data.


