The Data Management Association states that data management is the process of developing data architectures, practices and procedures dealing with data and then executing these aspects on a regular basis. So which bit failed when the personal details of more than 2,300 crime victims were lost in the post or discs containing personal information on almost 18,000 NHS staff have gone missing. The stories make it appear obvious, that discs containing personal data were sent in the post and went missing. But hang on just one second, that's a lot of discs going missing in a short period of time!
The Royal Mail says that there are 14.4 million items of 'lost post', which we can compare to 21 billion items that are delivered every year (2004 figures, see also the Consumer Focus website). I make that about 2 losses per 3,000 items. Yes, that's a lot, and I wouldn't trust sending personal data through this particular medium - that's one part of the story. But statistically thinking, does this mean that in the time period of the above two stories, there were about 3,000 items of post carried by the Royal Mail containing discs holding personal data? I don't claim to know whether envelopes containing discs are lost more or less often, or whether some other quirk of their nature means that they are badly addressed, but it is highly probable that a lot of personal data is getting sent this way.
Why?
I don't just mean why does someone stick the disc of data in an envelope, stick on a stamp and post it in the red post box. In both of the above cases, someone lost their job for doing just that. I have no knowledge of whether these persons truly made a gross error of conduct, but they were just cogs in the process of getting personal data from A to B. What I want to know is why was this data, valuable, personal data, being moved from A to B? This process failed, but why was this process instituted in the first place? What was the true fundamental, economic, business reason for getting this data from A to B?
If we knew the answer to that question, we could validate it. Is it an institutionalised process? Does it need to be updated? Does it need to happen at all? In my experience it is often found that it doesn't need to happen at all, so before sending data, go back to square one, and ask why?
