Channel: Embarcadero Executive Blog » hippa

Consumer Auditability and Data Governance

In the last set of posts we have looked at protection of personal information, and in the last post I suggested that auditability of data policies is a way of assuring consumers that your organization is capable of observing its own protection policies. So what does that imply from a data management perspective?

Three implementation directives should immediately come to mind:

  1. The ability to clearly specify data policies;
  2. The ability to monitor compliance with data policies; and
  3. Auditability and sharing of reports on compliance with data policies.

These are inextricably connected to a data governance program that must be operationalized at the data element level. Consider the first item: it requires demonstrating that a directive provided in natural language can be converted into a format that specifically guides a data management activity. For example, if the HIPAA Privacy Rule says that you must deidentify a patient’s telephone number, here are some things you must be able to do:

  • Clearly define what is meant by “telephone number”
  • Provide structure and format specifications for what telephone numbers can look like
  • Identify any data element in any collection of records in any data subsystem in any application that can refer to or contain a value that structurally looks like a telephone number
  • Provide the level of security and protection for accessing any of those data elements
  • Provide a means for deidentification when the data is requested by an individual without the proper authority for access
  • Note any time that an individual without proper authority attempts to access the telephone number and show that the request was denied
  • Provide a report to an individual detailing how and when their data was accessed, by whom, and under which authority, as well as denied requests
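The list above is, in effect, a specification for a small governed data store: a structural definition of the element, a scan that finds it wherever it lives, an access path that deidentifies it for requesters without authority, and an audit log that feeds a per-individual access report. The following is an added illustration of that specification, not code from this blog or from Embarcadero; the telephone pattern, the masking rule, the authority names and the sample records are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy definition (assumption): a "telephone number" is a
# ten-digit North American number with optional punctuation.
TELEPHONE_PATTERN = re.compile(r"^\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}$")


def is_telephone_number(value) -> bool:
    """Structural test: does this value look like a telephone number?"""
    return isinstance(value, str) and TELEPHONE_PATTERN.match(value.strip()) is not None


def find_telephone_fields(record: dict) -> list:
    """Names of the fields in one record whose values look like telephone numbers."""
    return [name for name, value in record.items() if is_telephone_number(value)]


def scan_collection(records: dict) -> dict:
    """Map each record id to the telephone-like fields it contains (records with none are omitted)."""
    hits = {rid: find_telephone_fields(rec) for rid, rec in records.items()}
    return {rid: fields for rid, fields in hits.items() if fields}


def deidentify(value: str) -> str:
    """Constructed masking rule: keep only the last two digits."""
    digits = re.sub(r"\D", "", value)
    return "***-***-**" + digits[-2:]


@dataclass
class AccessEvent:
    """One audit-log entry: who touched which field, under what authority, and whether it was granted."""
    timestamp: str
    subject_id: str
    requester: str
    authority: str
    field_name: str
    granted: bool


@dataclass
class GovernedStore:
    records: dict                      # subject_id -> record (constructed sample data)
    authorized: set                    # authorities allowed to see telephone numbers
    audit_log: list = field(default_factory=list)

    def get_record(self, subject_id: str, requester: str, authority: str) -> dict:
        """Return a copy of the record. Every access to a telephone field is logged;
        unless the authority is on the authorized list, the field is masked and the
        event is recorded as denied."""
        record = dict(self.records[subject_id])
        granted = authority in self.authorized
        now = datetime.now(timezone.utc).isoformat()
        for name in find_telephone_fields(record):
            self.audit_log.append(AccessEvent(now, subject_id, requester, authority, name, granted))
            if not granted:
                record[name] = deidentify(record[name])
        return record

    def access_report(self, subject_id: str) -> list:
        """Everything logged about one individual's data: granted and denied requests alike."""
        return [e for e in self.audit_log if e.subject_id == subject_id]


# Constructed sample data; the ids, names and numbers are placeholders.
SAMPLE_RECORDS = {
    "p-001": {"name": "Alice Example", "phone": "555-123-4567", "mrn": "MRN-0001"},
    "p-002": {"name": "Bob Example", "contact": "(555) 987-6543", "mrn": "MRN-0002"},
    "p-003": {"name": "Carol Example", "mrn": "MRN-0003"},
}


def demo() -> list:
    """Two requests against one record, then the report that individual would receive."""
    store = GovernedStore(records=SAMPLE_RECORDS, authorized={"treatment"})
    store.get_record("p-001", "clinician-42", "treatment")   # authorized: number returned as stored
    store.get_record("p-001", "analyst-7", "marketing")      # not authorized: masked, logged as denied
    return store.access_report("p-001")


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Note that the scan keys on structure, not on field name: the second sample record stores its number under `contact`, and it is still found and governed. The stored value is never altered; masking happens on the copy handed to the requester, so the audit trail and the underlying data remain consistent.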

These are all operational aspects of data governance: both defining data policies at the data element concept level and integrating aspects of oversight, compliance, and reporting directly into the application infrastructure. In future posts, I intend to delve down deeper into each of the three implementation directives and especially explore the need for collaboration and alignment across business functions within the enterprise to ensure data policy compliance.
