Compatibility, Adequacy, and Accuracy
Ensure that personal data is used and disclosed only for the purposes for which it was acquired. Monitor the quality of personal data held, and remedy any quality issues. (The quality standard for personal data is essentially set by the data subject — that is, the data owner. The custodian sets standards and guidelines to help meet the data subject's standards.)
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Compatibility, Adequacy, and Accuracy at each level of maturity.
- 1Initial
- Practice
- Implement remedies for defects.
- Outcome
- Fair processing measures (if any) are ad hoc.
- Practice
- Keep data accurate, up-to-date, and relevant.
- Outcome
- Specific purposes are defined and data subjects are advised in all new acquisition methods.
- Metrics
- % personal data acquisition methods utilizing the concept of fair notice.
- % records with consent recorded
- % Staff provided with training on the concept of specific purpose uses of personal data.
- Practice
- Limit processing to what is required to support the specific purposes.
- Outcome
- Specific purposes are defined, communicated and permissions sought if appropriate in all acquisition methods.
- Metric
- % Staff provided with training on the concept of specific purpose uses of personal data.
- Practice
- Maintain data quality attributes.
- Outcome
- Fair processing policies and procedures are regularly improved and executed across the organization.
- Metric
- % Staff provided with training on the concept of specific purpose uses of personal data.
- Practice
- Processes the data, and/or discloses the data only in such ways as are compatible with the specific purposes for which it has been gathered/processed.
- Outcome
- Fair processing policies and procedures are regularly improved, optimized and executed across the business ecosystem.
- Metric
- Frequency of reviews and improvements.
- 2Basic
- Practice
- Implement remedies for defects.
- Outcome
- The personal data acquisition policy (if any) is ad hoc.
- Practice
- Keep data accurate, up-to-date, and relevant.
- Outcome
- A personal data acquisition policy is drafted and guidelines are in use.
- Metrics
- % personal data acquisition methods utilizing the concept of fair notice.
- % records with consent recorded
- % Staff provided with training on the concepts of fair notice and consent.
- Practice
- Limit processing to what is required to support the specific purposes.
- Outcome
- Consent, fair notice and acquisition processes are documented and implemented.
- Metrics
- % personal data acquisition methods utilizing the concept of fair notice.
- % records with consent recorded
- % Staff provided with training on the concepts of fair notice and consent.
- Practice
- Maintain data quality attributes.
- Outcome
- Policy compliant personal data acquisition processes are harmonized and used across the organization and are regularly reviewed and improved.
- Metrics
- % personal data acquisition methods utilizing the concept of fair notice.
- % records with consent recorded.
- % Staff provided with training on the concepts of fair notice and consent.
- Practice
- Processes the data, and/or discloses the data only in such ways as are compatible with the specific purposes for which it has been gathered/processed.
- Outcome
- Policy compliant personal data acquisition processes are harmonized and used across the business ecosystem and are regularly reviewed and optimized.
- Metrics
- Frequency of reviews and improvements.
- Reach or penetration of use of harmonized processes.
- 3Intermediate
- Practice
- Implement remedies for defects.
- Outcome
- Conformance and/or compliance is informal and inconsistent.
- Practice
- Keep data accurate, up-to-date, and relevant.
- Outcome
- Policies for correcting errors and inaccuracies are defined.
- Metrics
- # data errors detected.
- # effort to correct data errors and any associated rework.
- Practice
- Limit processing to what is required to support the specific purposes.
- Outcomes
- Organisation proactively monitors and implements data defect remedies.
- The organization notifies third parties when appropriate.
- Organisational learning takes steps to minimise future defects.
- Metrics
- # data errors detected.
- # effort to correct data errors and any associated rework.
- Practice
- Maintain data quality attributes.
- Outcomes
- Organisation proactively monitors and implements data defect remedies.
- The organization notifies third parties when appropriate.
- Organisational learning takes steps to minimise future defects.
- Metrics
- # data errors detected.
- # effort to correct data errors and any associated rework.
- Practice
- Processes the data, and/or discloses the data only in such ways as are compatible with the specific purposes for which it has been gathered/processed.
- Outcome
- Organisation proactively monitors by use of system designs that provide appropriate supports for data defect remedy.
- Metric
- # Systems that automatically update personal data once an error is identified.
- 4Advanced
- Practice
- Implement remedies for defects.
- Outcome
- Conformance and/or compliance is informal and inconsistent.
- Practice
- Keep data accurate, up-to-date, and relevant.
- Outcome
- Objectives are defined for data accuracy.
- Metrics
- % Staff made aware of data quality standards and criteria as applied to their roles.
- # data errors detected.
- Practice
- Limit processing to what is required to support the specific purposes.
- Outcomes
- Organisation proactively monitors and implements data defect remedies.
- The organization notifies third parties when appropriate.
- Organisational learning takes steps to minimise future defects.
- Metric
- # projects and initiatives on personal data quality
- Practice
- Maintain data quality attributes.
- Outcomes
- Organisation proactively monitors and implements data defect remedies.
- The organization notifies third parties when appropriate.
- Organisational learning takes steps to minimise future defects.
- Metric
- % Staff made aware of data quality standards and criteria as applied to their roles.
- Practice
- Processes the data, and/or discloses the data only in such ways as are compatible with the specific purposes for which it has been gathered/processed.
- Outcome
- Organisation proactively monitors by use of system designs that provide appropriate supports for data defect remedy.
- Metrics
- Frequency that personal data is kept accurate and up to date.
- % personal data that are reviewed regularly for relevance to specific purpose.
- # systems that automatically propagate changes once they occur with the entire eco system
- 5Optimized
- Practice
- Implement remedies for defects.
- Outcome
- Data protection processing conformance and/or compliance criteria (if any) are ad hoc.
- Practice
- Keep data accurate, up-to-date, and relevant.
- Outcomes
- Function or business unit policies for data protection exist.
- Data protection awareness established where processing occurs.
- Metrics
- # Views exposing personal data fields.
- % Views exposing personal data in uses other than the specific purpose uses.
- Practice
- Limit processing to what is required to support the specific purposes.
- Outcome
- Direct traceability between processing and specific purposes is maintained across some business units.
- Metric
- % Architects, data modellers and solutions designers and developers with specific purpose training.
- Practice
- Maintain data quality attributes.
- Outcome
- Direct traceability between processing and specific purposes is maintained across the organization.
- Metric
- % Architects, data modellers and solutions designers and developers with specific purpose training.
- Practice
- Processes the data, and/or discloses the data only in such ways as are compatible with the specific purposes for which it has been gathered/processed.
- Outcome
- Direct traceability between processing and specific purposes is maintained across the business ecosystem.
- Metric
- # Audits on specific purpose usage though out the entire ecosystem.