DATA QUALITY and GDPR · 2019. 11. 8.
Maria Cristina Paoletti [email protected] · Alessandro Simonetta [email protected]


Page 2

Determination n. 68/2013 for databases of national interest

• In order to guarantee the quality of the data present in the critical databases, and for the updating methods, the reference administrations follow the indications of the ISO/IEC 25012 Data quality model standard.

2017-2019 Plan for ICT in Public Administration

• Make available as open data those datasets through which a strong impact can be obtained on civil society and companies, ensuring compliance with the quality requirements defined by the ISO/IEC 25012 Data quality model standard and encouraging the release of the APIs associated with them.

Information Assets Guideline

• The ISO/IEC 25012 Data quality model standard is indicated in the guidelines in order to enhance information assets.

ITALIAN PA REGULATORY FRAMEWORK (AGID – AGENCY FOR DIGITAL ITALY)

Page 3

Private Insurance Code (D.lgs. 7/9/2005, n. 209)

• The information (and data) transmitted to the Institute for the Supervision of Insurance (IVASS) must be accessible, complete, comparable, consistent over time, relevant, reliable and understandable (art. 1901-ter).

Institute for the Supervision of Insurance (IVASS)

• Data quality regulations, for the purpose of calculating tariffs and technical reserves (Regulations n. 16 and n. 21 of 2008) and subsequently for data communication (Regulation n. 36 of 28/2/2017, art. 6).

ITALIAN INSURANCE REGULATORY FRAMEWORK

Page 4

Solvency II Directive 2009/138/CE

• gives indications on the role of the actuary with respect to data quality (art. 48)

• establishes the need to implement procedures and processes to guarantee the appropriateness, completeness and accuracy of the data used in the calculation of technical provisions (art. 82)

• expresses the requirements for statistical quality and for validation inside the verification process

General Data Protection Regulation (GDPR, EU 2016/679)

• created to harmonise data privacy laws across the EU

• replaces the Data Protection Directive 95/46/EC

EUROPEAN REGULATORY FRAMEWORK

Page 5

GLOBAL REGULATORY FRAMEWORK

[Diagram: the regulatory sources placed by sector]

Public Administration (AgID):
• Determination n. 68/2013 for DB of national interest
• 2017-2019 Plan for ICT
• Information Assets Guideline

Private Sector (Agr., Comm., TELCO, Insurance), with insurance-specific sources:
• Solvency II Directive 2009/138/CE
• Insurance Supervision Institute (IVASS) Regulations nn. 16/08, 21/08 and 36/17
• Private Insurance Law D.lgs. n. 209 of 7/9/2005

Common to both sectors:
• EU General Data Protection Regulation UE 2016/679
• UNI ISO/IEC 25012 Data quality Model
• UNI CEI ISO/IEC 25024 Measurement of data quality

Page 6

GDPR PRINCIPLES

Security of Personal Data (Artt. 5, 24, 32÷34)

• ... appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage («integrity and confidentiality»).

• ... technical and organisational measures ... to ensure a level of security appropriate to the risk, ...
  – the pseudonymisation and encryption of personal data;
  – the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services ...;
  – the ability to restore availability and access promptly ...;
  – regular testing, assessment and evaluation of the effectiveness of the measures ...

• ... particular account is taken of the risks ... from destruction, loss, alteration, unauthorised disclosure of, or access to personal data, whether accidental or unlawful.

• Notification of a personal data breach to the supervisory authority (Art. 33)

• Communication of a personal data breach to the data subject (Art. 34)

Data Protection by Design and by Default (Art. 25)

• «... appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing», in order to meet the requirements of the Regulation and protect the rights of data subjects

• «... by default, only personal data which are necessary for each specific purpose of the processing are processed ... That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility»

• «... by default personal data are not made accessible ... to an indefinite number of natural persons ...»

Lawfulness and Consent (Artt. 5÷8)

• Personal data are: processed lawfully, fairly and in a transparent manner ...; collected for specified, explicit and legitimate purposes ...;

• adequate, relevant and limited to what is necessary ...;

• kept in a form which permits identification of data subjects for no longer than is necessary ...;

• Lawfulness of processing (Art. 6)

• Consent (Artt. 7 and 8)

Data subjects' rights (Artt. 12÷20, 77÷79, 82)

• Transparency
• Right of access, rectification and erasure (right to be «forgotten»)
• Right to restriction of processing
• Right to data portability
• Right to object and rights related to automated decision-making
• Right to lodge a complaint and to a judicial remedy (Artt. 77-79)
• Right to compensation (Art. 82)

Accountability (Artt. 5, 24, 30, 35)

• The controller shall be responsible for, and be able to demonstrate compliance with, the principles of paragraph 1 («accountability»)

• Controller and processor have to demonstrate compliance with the principles of the Regulation, and therefore have to keep track of the processing activities and their lawfulness, the collection of information and consents, the management activities, the security measures adopted, accesses, ...

• Obligation to keep records of processing activities (Art. 30)

• Data protection impact assessment (Art. 35)

Page 7

1. Personal data shall be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject («lawfulness, fairness and transparency»);

• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; ... («purpose limitation»);

• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»);

• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay («accuracy»);

• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; ... («storage limitation»);

• processed in a manner that ensures appropriate security of the personal data ... («integrity and confidentiality»).

GDPR Art. 5 – PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

Page 8

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

GDPR Art. 32 – SECURITY OF PROCESSING

Page 9

1. The controller is responsible for compliance with the principles of data adequacy, accuracy, updating, security, protection and integrity listed in art. 5, par. 1 («accountability», art. 5, par. 2).

2. The controller shall be able to demonstrate that all the measures guaranteeing the quality of personal data have been put in place (art. 5, par. 2 and art. 24, par. 1).

3. The Regulation assigns specific obligations to controllers, distinct from those identified for processors, and in particular the adoption of technical and organisational measures suitable to guarantee the security of the processing (art. 32).

GDPR – PRINCIPLE OF RESPONSIBILITY

Page 10

• How do you measure accuracy? For example, is that e-mail address accurate?

• How do you measure credibility? For example, is that tax identification number credible?

• How do you ensure that a datum is up to date? For example, is that telephone number current?

• How do you ensure data consistency? For example, is the name of a street consistent with the addresses in that city?

• How do you guarantee the completeness of a datum? For example, is that address complete?

• How do you guarantee the confidentiality of data? For example, did any unwanted accesses occur?

GDPR – MEASURES FOR THE PROTECTION OF PRINCIPLES

UNI ISO/IEC 25012 Data quality Model

UNI CEI ISO/IEC 25024 Measurement of data quality
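As an added example (not part of the original slides, and not the authors' or INAIL's code), the following Python module turns the questions above into ISO/IEC 25024-style ratio measures in [0, 1] over a constructed set of personal records, a constructed street gazetteer and a constructed access log: syntactic accuracy of e-mail addresses, credibility of Italian tax identification numbers (format plus the check character of the codice fiscale), currentness of telephone numbers against their last verification date, street/city consistency against the gazetteer, address completeness, and confidentiality as the share of accesses made by authorised principals. The record layout, field names, the 365-day currentness threshold, the reference date and the set of authorised principals are assumptions made for the example; the tax-ID check does not handle omocodia substitutions. The summary it returns is the per-characteristic input that a QME chart such as the one on page 11 would plot.

```python
"""Data-quality measures over personal data, in the ISO/IEC 25024 style of
ratios in [0, 1]. Every dataset below is constructed for this example."""
import re
from datetime import date

# Constructed sample of personal records (field names are an assumption).
RECORDS = [
    {"email": "mario.rossi@example.org", "tax_id": "RSSMRA80A01H501U",
     "phone": "+39 06 1234567", "phone_verified": "2019-09-30",
     "street": "Via Roma", "number": "1", "city": "Roma", "zip": "00100"},
    {"email": "anna.bianchi@example", "tax_id": "RSSMRA80A01H501X",
     "phone": "+39 02 7654321", "phone_verified": "2017-01-15",
     "street": "Via Milano", "number": "", "city": "Roma", "zip": "00100"},
    {"email": "luca@example.org", "tax_id": "BNCNNA90B41F205",
     "phone": "", "phone_verified": "",
     "street": "Corso Italia", "number": "12", "city": "Milano", "zip": "20100"},
]
# Constructed reference gazetteer of (street, city) pairs that really exist.
GAZETTEER = {("Via Roma", "Roma"), ("Corso Italia", "Milano"), ("Via Milano", "Milano")}
# Constructed access log for the table holding RECORDS, as (principal, action),
# and the principals authorised to touch it (an assumption of the example).
ACCESS_LOG = [("dpo", "read"), ("hr_app", "read"), ("contractor42", "export"),
              ("hr_app", "update"), ("dpo", "read")]
AUTHORISED = {"dpo", "hr_app"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CF_RE = re.compile(r"[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]")
# Check-character tables of the Italian codice fiscale: odd positions use the
# irregular table, even positions map 0-9 -> 0-9 and A-Z -> 0-25.
_ODD = dict(zip("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                [1, 0, 5, 7, 9, 13, 15, 17, 19, 21, 1, 0, 5, 7, 9, 13, 15, 17,
                 19, 21, 2, 4, 18, 20, 11, 3, 6, 8, 12, 14, 16, 10, 22, 25, 24, 23]))


def _even(ch):
    return int(ch) if ch.isdigit() else ord(ch) - ord("A")


def _ratio(hits, total):
    return hits / total if total else 0.0


def tax_id_credible(cf):
    """Credibility of a tax ID: format plus check character (omocodia
    substitutions are not handled; assumption of this example)."""
    cf = cf.upper()
    if not CF_RE.fullmatch(cf):
        return False
    total = sum(_ODD[c] if i % 2 == 0 else _even(c) for i, c in enumerate(cf[:15]))
    return chr(ord("A") + total % 26) == cf[15]


def syntactic_accuracy_email(records):
    """Share of e-mail values that are well-formed."""
    return _ratio(sum(bool(EMAIL_RE.match(r["email"])) for r in records), len(records))


def credibility_tax_id(records):
    """Share of tax IDs that pass format and check-character validation."""
    return _ratio(sum(tax_id_credible(r["tax_id"]) for r in records), len(records))


def currentness_phone(records, today, max_age_days=365):
    """Share of phone numbers verified within max_age_days (threshold assumed)."""
    def current(r):
        if not r["phone"] or not r["phone_verified"]:
            return False
        return (today - date.fromisoformat(r["phone_verified"])).days <= max_age_days
    return _ratio(sum(current(r) for r in records), len(records))


def consistency_street_city(records, gazetteer=GAZETTEER):
    """Share of addresses whose street exists in the stated city."""
    return _ratio(sum((r["street"], r["city"]) in gazetteer for r in records), len(records))


def completeness_address(records, required=("street", "number", "city", "zip")):
    """Share of records with every required address field filled in."""
    return _ratio(sum(all(r[f].strip() for f in required) for r in records), len(records))


def confidentiality_access(log, authorised=AUTHORISED):
    """Share of access events made by authorised principals; the unwanted
    events are returned too, since they feed the Art. 33/34 breach assessment."""
    unwanted = [e for e in log if e[0] not in authorised]
    return _ratio(len(log) - len(unwanted), len(log)), unwanted


def quality_summary(records=RECORDS, log=ACCESS_LOG, today=date(2019, 11, 8)):
    """One QME per ISO/IEC 25012 characteristic, ready for a radar chart."""
    share, _ = confidentiality_access(log)
    return {"accuracy": syntactic_accuracy_email(records),
            "credibility": credibility_tax_id(records),
            "currentness": currentness_phone(records, today),
            "consistency": consistency_street_city(records),
            "completeness": completeness_address(records),
            "confidentiality": share}


if __name__ == "__main__":
    for name, value in quality_summary().items():
        print(f"{name:16s} {value:.2f}")
```

Each measure is deliberately a ratio of conforming items to measured items, so the same function shape serves every characteristic and the results can be compared against per-database expected values; the unwanted-access list is kept separate from the confidentiality ratio because a single unauthorised export is an incident to assess, not merely a lower score.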

Page 11

THE GOVERNANCE OF DATA QUALITY – QMEs data summary

[Figure: radar chart of the quality measure element (QME) scores, on a 0 to 1 scale, of DATABASE1, DATABASE2 and DATABASE3 across the fifteen ISO/IEC 25012 characteristics: Accuracy, Completeness, Consistency, Credibility, Currentness, Accessibility, Compliance, Confidentiality, Efficiency, Precision, Traceability, Understandability, Availability, Portability, Recoverability]

Page 12

THE GOVERNANCE OF DATA QUALITY – QME vs Expected values

[Figure: chart comparing the measured QMEs with their expected values for Accuracy, Accessibility, Traceability, Consistency, Completeness, Currentness, Precision, Availability and Credibility]

Page 13

THE GOVERNANCE OF DATA QUALITY – The «robustness» of the measurement system: meta-quality

To assess the quality of the measurement system itself over time, it is possible to define indicators related to the algorithms used to calculate the QMEs and to their depth of analysis. For example, we can measure:
• the number of QMs and their distribution across ISO/IEC 25024;
• the quantity and type of algorithms used;
• the quantity and type of physical objects analysed by the algorithms;
• the distribution of measures across the various phases of the data life cycle.

[Figure: indicators plotted per phase of the data life cycle: QM coverage compared to the total, number of QMs, number of algorithms. Illustration: M. C. Escher, “Drawing Hands”, 1948]

Page 14

Thank you

INAIL, the National Institute for Insurance against Accidents at Work, is a public non-profit entity safeguarding workers against physical injuries and occupational diseases.

INAIL's objectives are:
• reducing injuries
• protecting workers performing dangerous jobs
• facilitating the return to work of people injured at work


Page 15

Bibliography

1. A. Simonetta, M.C. Paoletti, «GDPR Data Driven Approach», Dossier «La Cybersecurity tra innovazione, mercato e normazione», attached to Rivista U&C dell'UNI n° 2, February 2019

2. A. Simonetta, M.C. Paoletti, «Privacy e trasparenza dei dati: un approccio in qualità», Proceedings of the seminar «Sfide e cambiamenti per la salute e la sicurezza sul lavoro nell'era digitale», Firenze, 23-25 October 2018, https://www.inail.it/cs/internet/comunicazione/news-ed-eventi/eventi/evento-seminario-contarp-csa-cit-firenze-2018.html

3. D. Natale, «La qualità dei dati nell'ISO/IEC 25012 e 25024», Quaderno n. 3/2017, Ordine degli Ingegneri della Provincia di Roma

4. UNI CEI ISO/IEC 25024:2016, Ingegneria del software e di sistema - Requisiti e valutazione della qualità dei sistemi e del software (SQuaRE) - Misurazione della qualità dei dati

5. http://www.iso25000.it/ © 2015-2018 Domenico Natale

6. D. Natale, «La qualità dei dati: concetti e misure», Rivista UNI, Unificazione&Certificazione, 2016

7. D. Natale, «La qualità dei dati e l'anagrafe digitale», Rivista UNI, Unificazione&Certificazione, 2015

8. D. Natale, «La qualità dei dati e la loro integrazione», Forum PA Academy - Formazione, Roma, 2015

9. UNI ISO/IEC 25012:2014, Ingegneria del software - Requisiti di qualità e valutazione del prodotto software (SQuaRE) - Modello di qualità dei dati

10. DMM Data Management Maturity Model, CMMI Institute, 2014

11. D. Natale, M.C. Paoletti, A. Simonetta, «La qualità dei dati e l'informazione statistica», Rivista sugli infortuni e le malattie professionali, IV Serie della rassegna della previdenza sociale, anno XCIX, Fascicolo 1/2012, four-monthly publication of INAIL

12. D. Natale, «Complexity and data quality», CHItaly conference, Alghero, 2011

13. D. Natale, «Data quality e Open data», AICA national conference, Torino, 2011

14. C. Calero, M.A. Moraga, M.G. Piattini, «Calidad del producto y proceso software» [Cap. 3, D. Natale, «ISO/IEC 25012 Modelo de Calidad de Datos y Data Governance»], Ra-Ma, Madrid, 2000

15. D. Natale, «La qualità dei dati e l'ISO/IEC 25012», Rivista UNI, Unificazione&Certificazione, 2009

16. C. Batini, M. Scannapieco, «Data Quality: Concepts, Methodologies and Techniques», Springer, 2006

17. AA.VV., GUFPI-ISMA, «Metriche del software - Esperienze e ricerche» (Cap. 12, D. Natale, «La qualità dei dati e delle informazioni»), FrancoAngeli, 2006