Chapter 4 • The Data Resource 113
Data Privacy and Protection
Privacy guidelines are becoming a necessity in organizations today. With laws being enacted in the
European Union and the United States, companies that collect data in a global environment via the
Internet must attend to the privacy of that data. Many of these laws are a result of the fast-growing
crime of identify theft, where confidential information is often obtained by hacking corporate databases.
Additionally, large-scale data center breaches have prompted some new laws.
Data privacy guidelines typically require that the data must be accurate, secure, and used for limited
purposes. Legislation enacted in California in July 2003 takes this a step further. California Senate Bill 1386
requires organizations that experience a security breach to notify Californians if there is a chance that con-
fidential information was accessed inappropriately. Although this law currently applies only in California, it
is expected to spread to other states and potentially the United Kingdom. Any global organization that has
California customers must comply with this law. Because data privacy laws have only recently come into
effect, many organizations do not have policies regarding data privacy and are thus vulnerable to lawsuits.
In order for companies to properly manage data privacy, they need to know who is allowed to
have access to the data. In the Internet environment, identifying authorized users can be a daunting
task. Companies also need to have the ability to track access to the data by monitoring who is looking
at the data and to deny access to those who should not be able to see it. Software is only beginning to
be developed to address this critical concern.
But, data breaches occur. Personnel, health insurance claims, student academic and loan, and cus-
tomer data records have been reported stolen from lost laptops and by hacking into computer systems.
From January through August of 2006, over 160 serious data thefts were disclosed by U.S. companies
and government agencies. In these cases, it may be necessary for the organization that had data stolen
to purchase identity and credit tracking services for the affected parties, at potentially considerable cost.
[Based on Bloor, 2003; Vijayan, 2006]
Summary
This chapter has presented the technical and managerial issues
associated with designing, developing, and managing the data
resource. Treating the data resource as an asset is essential in
modern organizations. The value of the data must first be rec-
ognized, and steps to organize and structure the data must be
taken in order to reap benefits from this vital asset.
The data model was introduced as a means of
unambiguously describing organizational data. The data
model is a tool that facilitates communication between the
business manager and the database designer. Personal,
departmental, and organizational data can all be described
using this type of graphical model. Business managers
should ensure that such a model exists for their organiza-
tion. In addition, thorough metadata need to be kept to
describe enterprise data and the rules that govern data.
An important distinction has been made among three
types of data management systems: those that capture,
transfer, or present data. This separation of data manage-
ment functions leads to greater flexibility, longer life for
some systems and the ability to easily dispose of others,
and the benefits of greater sharing of data.
Finally, data governance processes are used to develop
policies regarding the data resource. Issues regarding data
quality, security, privacy, backup and recovery, and access
are particularly important. These policies must balance the
needs of business managers to use the data with the security
and privacy requirements for the data. Careful attention to
these policies is needed in order to protect the data resource
while maximizing the potential benefits to be reaped from it.
The data resource in an organization is an essential
asset that must be explicitly and professionally managed.
This management requires a combination of efforts and
cooperation by IS professionals and business managers. In
the next three chapters, you will learn more about the role
of data in the various types of information systems used in
organizations.
This marks the end of the three-chapter technolo-
gy component of this book. We have tried to cover only
the technology that you, as a manager, need to know.
Whatever your personal managerial career involves,
you are likely to be working both directly and indi-
rectly with hardware, software, telecommunications,
and data. Knowledge of all four information technology
components is essential for understanding the present
and potential impact of IT on your organization and
your job.