If you work within Government or a regulated business, you will likely have come across the ‘need to know principle’. The principle is that you limit access to sensitive and classified information to just those who have a genuine need to know, based on their job requirements or the specific task they are performing. This is intended to limit the risk of unauthorised disclosure.
However, if incorrectly applied, it can also limit the usefulness of the data. It is quite simple really - data only has value when it is used. If data cannot be accessed, or worse, cannot even be found, then its value just disappears. It is practically worthless.
Obviously, data in the wrong hands could do some serious damage. But we may as well not collect or store the data if it can never actually be used by people who need it.
So how do you apply the ‘need to know principle’ to limit the risk of unauthorised use, but also maximise the value of your data asset? The answer is right there in the definition - limiting access to those who need to know. It is as 'simple' as listing out everyone who has a need to know your information and making sure that the information is accessible to them (i.e. via publishing or via a data search engine).
However, is it achievable for the creator of a data set to list out every person or system that may possibly gain a positive benefit from access to the information? Unless the list is just ‘anyone in the world’, it is practically impossible for a human to come up with this list, let alone maintain it. Think about how many people change roles within your organisation, or join or leave it, in a given week, month or year. And can you predict future use cases? Consider a university researcher with a brand-new data science technique who wants to use your dataset to literally save lives (if they find a new cure for disease), or at the very least to save money (by finding a better way for your organisation to process or use the data).
So, this presents a few options:
- Create a version of the data without any sensitive information and publish that to ‘anyone in the world’.
- Publish just the bare bones information about the existence of the dataset, then fund an efficient data request process to broker any requests for the data.
- Provide an automated tool to assist in classifying the data and in maintaining the list of those with a ‘need to know’. This should be based on both the legislation that applies to your organisation and the data set (see our previous post on "Automating Legislative Compliance").
Another very important part of applying the ‘need to know principle’ is effective auditing and monitoring of the datasets available, including who has actually used the data. This serves both to detect and prevent unauthorised access and to measure the value of your data sets. If a data set has not been used, then it cannot have generated any value for your organisation. Measuring effectiveness is key to achieving improvements in many fields, and this is true for data as well. Even the most basic 'Data Telemetry' can provide valuable indicators of the true value of a data asset.
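As an added example (not part of the original post), the sketch below shows the most basic form of the 'Data Telemetry' described above: one pass over an access log flags accesses outside the need-to-know list and counts legitimate use per dataset. The log format, dataset names, roles and the role-based need-to-know register are all assumptions constructed for illustration.

```python
# Constructed need-to-know register: dataset -> roles with a need to know.
NEED_TO_KNOW = {
    "case-files": {"investigator", "legal"},
    "payroll": {"hr", "finance"},
    "sensor-archive": {"research"},
}

# Constructed audit log: timestamp, user, role, dataset, action.
AUDIT_LOG = """\
2024-03-01T09:12:00Z alice investigator case-files read
2024-03-01T09:40:00Z bob finance payroll read
2024-03-02T11:05:00Z carol research case-files read
2024-03-02T14:30:00Z alice investigator case-files read
2024-03-03T08:00:00Z dave hr payroll export
2024-03-03T08:01:00Z erin marketing unlisted-set read
malformed line
"""


def data_telemetry(log_text, need_to_know):
    """Return (usage, violations, unused, rejected) for an access log."""
    usage = {ds: {"accesses": 0, "users": set()} for ds in need_to_know}
    violations, rejected = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            # Keep unparseable lines for review instead of dropping them.
            rejected.append(line)
            continue
        ts, user, role, dataset, action = fields
        allowed = need_to_know.get(dataset)
        # Fail closed: an unregistered dataset has no need-to-know list.
        if allowed is None or role not in allowed:
            violations.append((ts, user, role, dataset, action))
            continue
        usage[dataset]["accesses"] += 1
        usage[dataset]["users"].add(user)
    # Registered datasets nobody with a need to know has used.
    unused = sorted(ds for ds, u in usage.items() if u["accesses"] == 0)
    return usage, violations, unused, rejected


if __name__ == "__main__":
    usage, violations, unused, rejected = data_telemetry(AUDIT_LOG, NEED_TO_KNOW)
    for ds, u in usage.items():
        print(f"{ds}: {u['accesses']} accesses by {len(u['users'])} users")
    print("outside need to know:", violations)
    print("never used:", unused, "| unparsed lines:", rejected)
```

The same pass produces both outputs the paragraph asks for: a list of accesses to investigate and a per-dataset usage count, where a count of zero marks a data set that has generated no value so far.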
How do you deal with “Who Needs to Know” within your organisation? Do you measure who gets value from your data?