Using Knowledge Organisation to Manage Information Risk

Transcription

1 Using Knowledge Organisation to Manage Information Risk Centre for Information Science David Haynes, City University London ISKO UK Meeting on Information a risky business 24 th October 2013, BDA, London Introduction When I was asked to do this talk I thought that my recent experience of working on information governance in the charities sector would provide a good illustration of some of the reasons why knowledge organisation is relevant. I also teach the Information Management and Policy module to the MSc students in Library and Information Science at City University and many of them are experienced managers who are able to bring their own insights on information risk to the course. A third reason for being interested in this topic is my own research into the role of risk in the regulation of access to personal data on social networks the topic of my PhD studies. I hope to share some of my insights from all three areas of activity and in doing so to stimulate some thought and discussion about ways in which KO contributes to information governance and the management of information risk. Defining risk What is risk? A project manager might say that it is any uncertain event that has an impact (positive or negative) on project outcomes. A common understanding of risk is of an uncertain event that has a negative impact on outcomes in other words a potential threat. A good general definition, which I will use here is: Risk refers to uncertainty about and severity of the events and consequences (or outcomes) of an activity with respect to something that humans value (Aven & Renn, 2009). It is often difficult to be objective in the assessment of risk: Within the philosophy of science, objective typically means something akin to independent of observer. That is, any individual following the same procedure should reach the same conclusion (Fischhoff, Watson, & Hope, 1984). Another researcher concluded that risk is both fact-laden and value-laden and that it contains both objective and subjective components. He suggests that: The real challenge is to identify the various types of factual and valuational components inherent in statements about risk and to understand how they are combined (Hansson, 2010). So we get the idea that risk is not a straightforward entity or phenomenon that we can easily measure. This we will see in some of the examples I describe in this session. Using Knowledge Organisation to Manage Information Risk ISKOUK 24OCT13 1

2 Risks faced by campaigning organisations I recently worked with two charities (WWF-UK and Compassion in World Farming) on information governance issues and I hope that some of their experiences will be relevant elsewhere. As campaigning organisations both charities depend on reliable, up-to-date and authoritative information. As with many charities they operate at a number of levels: influencing policy makers and legislators; via the press and media to educate the public and raise awareness; and at an individual level to get you and me involved in their campaigns fund raising, participating in events, and perhaps most importantly changing our behaviour. If we stop to think when we buy food in the supermarket about where it came from and whether any animal suffering was involved we send a message to the supermarkets. There is evidence that they respond to this. For example, following consumer demand and active lobbying M&S Food introduced free-range only eggs to all its eggbased products several years ago. Another example is the response of retailers and now legislators to the demand for less packaging for retail goods. The basis for these campaigns is information. It has to be good quality, reliable and accurate. If the wrong figures are used it undermines the campaigns and lessens their impact. Compliance issues My earlier work in the regulated sectors such as pharmaceuticals, energy, finance and central government have brought to light a number of themes: The need to hold information for an appropriate length of time. This is a general requirement that affects all organisations that hold personal data (i.e. all employers, any firm or retailer with individual customers). The fifth Data Protection Principle states that Personal information must not be kept for longer than is necessary (Data Protection Act, 1998). So an employer would hold details of job applicants sufficiently long for an appeals process (for unsuccessful candidates) but no longer than, say, 12 months. The same employer might hold pension records to retirement age at least, even if the employee left the organisation 20 or 30 years ago. The need to hold information securely (to protect privacy or to ensure integrity of data i.e. no tampering). The seventh data protection principle is that Personal information must be secure (Data Protection Act, 1998). This means restricting access so that only line managers and selected staff in the HR department have access to personal information about employees. The personal information may itself be disaggregated so that less sensitive information is more widely available e.g. work address, telephone extension, job title and photo might be made available for an internal staff directory. Details of medical conditions, familial status, home address, and salary may be restricted. The key to this is good metadata. The need to be able to rapidly identify and retrieve information (e.g. Freedom of Information). Good metadata (tagging, indexing and categorising information) facilitates rapid, comprehensive and precise retrieval of information. Using Knowledge Organisation to Manage Information Risk ISKOUK 24OCT13 2

3 Social media My own research considers personal data on social networks (Haynes, 2012). The focus has been on personal risk and the effect different modes of regulation have on this. It is difficult to come up with a single approach that will mitigate against all the risks associated with personal data. Making your personal data available to a social networking service provider (Facebook or LinkedIn for instance) allows them to trade your data with advertisers so that ads are targeted at you. How many times have you gone onto a general site to find unrelated ads popping up for that kettle you were thinking of buying from John Lewis? The consequence of passing on your personal data may be mild irritation. However what if your address and birth date are made available to anyone doing a Google search, because your Facebook profile is indexed for all to access? This could be the first step in fraud if those details fall into the hands of organised crime. Responses to risk Risk should be managed as part of an overall framework. If we accept that it is never possible to totally eliminate risk, then we need a more nuanced response. A recent article in the IRMS Bulletin gives an excellent overview of approaches used in records management for information governance and advocates a risk based approach (Staunton, 2013). If we go back to the examples I spoke about earlier we can respond to information risks in one of three main ways: 1. Accept the risk 2. Reduce the probability of the event occurring 3. Reduce the impact of the event should it occur Typically if the consequences of an event are slight or the costs of mitigating the risk are too great, it might be better to accept the risk. This can be systematised in a risk tolerance table. Rigorous checklists and signing off information for publication by a charity would fall into the second category: reducing the probability that inaccurate information is published. The impact could be reduced by making sure that a subject expert is on hand to rapidly update or correct data that is challenged after publication. Knowledge organisation is important in two ways here. Firstly, it is used to categorise documents at different stages in the publication process, and secondly it helps to organise information for effective retrieval. This includes classification, indexing and tagging with appropriate metadata such as last edit date (date updated). This metadata helps a subject expert to make judgements about the quality of the data being used in a publication. The risk of fines for non-compliance can be managed by reducing the probability of non-compliance by making one person responsible for compliance issues. Knowledge organisation plays an important role in categorising documents so that they can be managed in a compliance regimen. This may include access rights associated with the documents as well as retention periods, which may in turn be determined by a document s position in the file plan. If we look at responses to the risks posed by personal data on social networking services we can educate users about the risks associated with exposing personal data. This would reduce the incidence of identity theft for instance (reduce the probability). Another response might be for the Using Knowledge Organisation to Manage Information Risk ISKOUK 24OCT13 3

4 service provider to restrict access to certain categories of data to friends or associates of the user. That would reduce the impact of accidently releasing sensitive personal information. This is essentially a metadata issue. The metadata associated with personal data can be used by an application to control access. Categorising risk On another level knowledge organisation is relevant to information risk. We can use knowledge organisation to categorise risks and this can help us to find appropriate responses. The challenge here is to adopt an approach that allows us to group risks in a way that is relevant to our problem. For instance, a group of US academics have created 18 risk categories from a universe of over 3000 risks that they have identified over many years (Swedlow, Kall, Zhou, Hammitt, & Wiener, 2009): 1 Crime and violence 2 Alcohol, tobacco, and other drugs 3 Medication and medical treatment 4 Transportation 5 Accident risks not elsewhere classified 6 Recreation 7 War, security, and terrorism 8 Toxic substances 9 Food and agriculture 10 Pollution 11 Energy production 12 Political, social, and financial 13 Ecogeological 14 Global 15 Human disease/health 16 Occupational 17 Consumer products 18 Construction The difficulty here is applying these categories to information. Of the above categories, the following might be relevant: 1 Crime and violence: Burglary, Sabotage 6 Recreation 7 War, security, and terrorism 12 Political, social, and financial : Financial risks, Political risks, Social risks 16 Occupational: Service industry risks 17 Consumer products: Information technology risks At the other end of the spectrum, we can look at risks to employers from use of social media at work (Haynes, 2011): Using Knowledge Organisation to Manage Information Risk ISKOUK 24OCT13 4

5 Reputational risk to the organisation if, for instance employees publish defamatory or damaging information on a social networking site Accidental disclosure of information could lead to loss of intellectual property Once disclosed, personal data can be used inappropriately or could be a source of discrimination, bullying or stalking Security breaches by exposing the organisation to malware for instance Non-compliance with the Data Protection Act and other regulations Time wasting during working hours There does not seem to be any middle ground where information risks have been comprehensively identified and categorised and I would suggest that this might be fertile ground for further research. Conclusion We have seen that knowledge organisation techniques can provide effective tools for information handling in a way that mitigates risk. The responses fall into three groups: accepting the risk; reducing the probability of occurrence; and reducing the impact of any outcomes. There is a wider question of categorisation of information risks. In other words, applying knowledge organisation techniques to risk to equip us to respond systematically to information risk. References Aven, T., & Renn, O. (2009). On risk defined as an event where the outcome is uncertain. Journal of Risk Research, 12(1), doi: / Data Protection Act (1998). United Kingdom. Fischhoff, B., Watson, S. R., & Hope, C. (1984). Defining Risk. Policy Sciences, 17(2), Hansson, S. O. (2010). Risk: objective or subjective, facts or values. Journal of Risk Research, 13(2), doi: / Haynes, D. (2011). Social Networks in the workplace - some data protection issues. Free Pint, (1 December 2011). Retrieved from Haynes, D. (2012). Access to Personal Data in Social Networks : measuring the effectiveness of approaches to regulation (Transfer report). City University London. Retrieved from Staunton, R. (2013). How Records Managers and Archivists Can Make Information Governance Happen. Informaition and Records Management Bulletin, (175, September 2013), Swedlow, B., Kall, D., Zhou, Z., Hammitt, J. K., & Wiener, J. B. (2009). Theorizing and Generalizing about Risk Assessment and Regulation through Comparative Nested Analysis of Representative Cases. Law & Policy, 31(2), doi: /j x Using Knowledge Organisation to Manage Information Risk ISKOUK 24OCT13 5