DATA QUALITY and GDPR
Maria Cristina Paoletti [email protected]
Simonetta [email protected]
Determination n. 68/2013 for databases of national interest
• In order to guarantee the quality of the data present in the critical databases, for the updating methods, the reference administrations follow the indications of the ISO/IEC 25012 Data quality model standard
2017-2019 Plan for ICT in Public Administration
• Make available as open-type data those through which a strong impact can be obtained on civil society and companies, ensuring compliance with quality requirements as defined by the ISO/IEC 25012 Data quality model standard and encouraging the release of APIs associated with them.
Information Assets Guideline
• The ISO/IEC 25012 Data quality model standard is indicated in the guidelines in order to enhance information assets
ITALIAN PA REGULATORY FRAMEWORK - AGID (AGENCY FOR DIGITAL ITALY)
Private Insurance Code (D.lgs. 7/9/2005, n. 209)
• The information (and data) transmitted to the Institute for the Supervision of Insurance (IVASS) must be accessible, complete, comparable, consistent over time, relevant, reliable and understandable (art. 1901-ter)
Institute for the Supervision of Insurance (IVASS)
• Data quality regulations, for the purpose of calculating tariffs and technical reserves (n. 16 and n. 21 of 2008) and subsequently in the data communication (n. 36 of 28/2/2017, art. 6).
ITALIAN INSURANCE REGULATORY FRAMEWORK
Solvency II Directive 2009/138/CE
• gives indications on the role of the actuary with respect to data quality (art. 48)
• establishes the need to implement procedures and processes to guarantee the appropriateness, completeness and accuracy of the data used in the calculation of technical provisions (art. 82)
• expresses the requirements for statistical quality and for validation inside the verification process
General Data Protection Regulation (GDPR UE 2016/679)
• it was created to harmonize data privacy laws in the EU
• it replaces the Data Protection Directive 95/46/EC
EUROPEAN REGULATORY FRAMEWORK
GLOBAL REGULATORY FRAMEWORK
[Diagram: regulatory sources by sector]
• Public Administration: Determination n. 68/2013 for DB of national interest; 2017-2019 Plan for ICT; Information Assets Guideline
• Private Sector: Agr., Comm., TELCO, Insurance
  – Insurance: Solvency II Guideline 2009/138/CE; Insurance Supervision Institute Regulation nn. 16/08, 21/08 and 36/17; Private Insurance Law D.lgs. n. 209 7/9/2005
• EU General Data Protection Regulation UE 2016/679
• UNI ISO/IEC 25012 Data quality Model
• UNI CEI ISO/IEC 25024 Measurement of data quality
GDPR PRINCIPLES - Security of Personal Data (Artt. 5, 24, 32 ÷ 34)
• «... appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage» («integrity and confidentiality»).
• «... technical and organizational measures ... to guarantee an adequate level of security to the risk, ...»:
  – the pseudonymisation and encryption of personal data;
  – the ability to ensure confidentiality, integrity, availability and resilience on a permanent basis ...
  – the ability to restore promptly ...
  – verify and regularly evaluate the effectiveness of the measures ...
• «... special consideration is given to risks ... from destruction, loss, modification, unauthorized disclosure or accidental or illegal access to personal data»
• Notification of violation to the supervisory authority (Art. 33)
• Notification of violation to the data subject (Art. 34)
Data Protection By Design and By Default (Art. 25)
• «... appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing» for compliance with the law and protection of the rights of the data subject
• «... by default, only personal data which are necessary for each specific purpose of the processing are processed ... This obligation applies to the amount of personal data collected, the scope of processing, the storage period and accessibility»
• «... by default personal data are not made accessible ... to an indefinite number of natural persons ...»
Lawfulness and Consent (Artt. 5 ÷ 8)
• Personal data are: processed in a lawful, fair and transparent manner ...; collected for specific, explicit and legitimate purposes ...;
• adequate, relevant and limited to what is necessary ...;
• kept in a form that allows the identification of the interested parties ...;
• Lawfulness (Art. 6)
• Consent (Art. 7 and 8)
European citizens' rights (Artt. 12 ÷ 20, 77 ÷ 79, 82)
• Transparency
• Right to access, rectification and cancellation (right to «oblivion»)
• Right to limitation of processing
• Right to data portability
• Right to object and automated decision-making
• Right to complain and appeal (Art. 77-79)
• Right to compensation (Art. 82)
Responsibility (Artt. 5, 24, 30, 35)
• The controller shall be responsible for, and be able to demonstrate compliance with, the characteristics of par. 1 («accountability»)
• The controller and processor have the obligation to demonstrate compliance with the principles of the law, and therefore the obligation to trace the processing activities and their lawfulness, the collection of information and consents, the management activities, the security measures adopted, accesses, ...
• Obligation to keep records of processing activities (Art. 30)
• Data protection impact assessment (Art. 35)
1. Personal data shall be:
• processed lawfully, fairly and in a transparent manner in relation to the data subject («lawfulness, fairness and transparency»);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; ... («purpose limitation»);
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»);
• accurate and, where it is necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified immediately («accuracy»);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; ... («storage limitation»);
• processed in a manner that ensures appropriate security of the personal data ... («integrity and confidentiality»).
GDPR Art. 5 - PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
GDPR Art. 32 - SECURITY OF PROCESSING
1. The controller shall be responsible for the respect of data adequacy, accuracy, updating, security, protection, integrity (art. 5 par. 1 «accountability»)
2. The controller shall be able to demonstrate that he has put in place all the measures to guarantee data quality on personal data (art. 5, par. 2 and art. 24, par. 1).
3. The Regulation assigns specific obligations to the controllers, distinct from those identified for the processors, and in particular the adoption of technical and organizational measures suitable to guarantee the security of the processing (art. 32).
GDPR – PRINCIPLE OF RESPONSIBILITY
• How do you measure the accuracy? For example, is that email accurate?
• How do you measure the credibility? For example, is that tax identification number credible?
• How do you ensure that a datum is up to date? For example, is that telephone number up to date?
• How do you ensure data consistency? For example, is the name of a street consistent with the addresses in that city?
• How do you guarantee the completeness of a datum? For example, is that address complete?
• How do you guarantee the confidentiality of data? For example, did any unwanted accesses occur?
GDPR – MEASURES FOR THE PROTECTION OF PRINCIPLES
UNI ISO/IEC 25012 Data quality Model
UNI CEI ISO/IEC 25024 Measurement of data quality
[Chart: QME values on a 0 to 1 scale for DATABASE1, DATABASE2 and DATABASE3 across the ISO/IEC 25012 characteristics: Accuracy (Accuratezza), Currentness (Attualità), Consistency (Coerenza), Completeness (Completezza), Credibility (Credibilità), Accessibility (Accessibilità), Compliance (Conformità), Confidentiality (Riservatezza), Efficiency (Efficienza), Precision (Precisione), Traceability (Tracciabilità), Understandability (Comprensibilità), Availability (Disponibilità), Portability (Portabilità), Recoverability (Ripristinabilità)]
THE GOVERNANCE OF DATA QUALITY - QMEs data summary
THE GOVERNANCE OF DATA QUALITY - QME vs Expected values
[Chart: measured QMEs compared with expected values for Accuracy, Accessibility, Traceability, Consistency, Completeness, Currentness (Actuality), Precision, Availability and Credibility]
THE GOVERNANCE OF DATA QUALITY - The «robustness» of the measurement system: meta-quality
[Figure: meta-quality indicators: QM coverage compared to the total per phase; number of QMs per phase; number of algorithms]
To assess the quality of the measurement system over time, it is possible to define indicators related to the algorithms used to calculate the QMEs and their depth of analysis. For example, we can detect:
• the number of QMs and their distribution in ISO/IEC 25024
• the quantity and type of algorithms used
• the quantity and type of physical objects analyzed by the algorithms
• the distribution of measures in the various phases of the data life cycle
M.C. Escher, «Drawing Hands», 1948
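As an added illustration (not code from the slides or their authors), the following Python turns the questions of the "measures for the protection of principles" slide into ISO/IEC 25024-style quality measure elements over constructed personal records, then compares them with expected values as in the "QME vs expected values" governance view. The record fields, regular expressions, city/postcode lookup, reference date and thresholds are constructed assumptions.

```python
# Added illustration: QMEs (share of records passing each check) over
# constructed records, compared with expected values. The tax-id check is
# only the codice fiscale pattern, not the full checksum (assumption).
import re
from datetime import date

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
TAX_ID_RE = re.compile(r"^[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]$")
CITY_POSTCODE_PREFIX = {"Roma": "00", "Milano": "20"}  # simplified lookup
REQUIRED = ("email", "tax_id", "city", "postcode", "phone", "updated")
REFERENCE_DATE = date(2019, 2, 15)  # "today" for the currentness measure

# Constructed records; tax ids are synthetic, not real people.
RECORDS = [
    {"email": "anna.rossi@example.org", "tax_id": "RSSNNA80A01H501U", "city": "Roma",
     "postcode": "00185", "phone": "+39 06 0000001", "updated": date(2019, 1, 10)},
    {"email": "luca.bianchi@example", "tax_id": "BNCLCU75M12F205Z", "city": "Milano",
     "postcode": "20121", "phone": "+39 02 0000002", "updated": date(2017, 11, 20)},
    {"email": "", "tax_id": "12345", "city": "Roma", "postcode": "20100",
     "phone": "+39 06 0000003", "updated": date(2019, 2, 1)},
    {"email": "m.verdi@example.net", "tax_id": "VRDMRA90C03H501K", "city": "Milano",
     "postcode": "20162", "phone": "", "updated": date(2019, 1, 28)},
]

def ratio(hits, total):
    return round(hits / total, 3) if total else 0.0

def measure_qmes(records, today=REFERENCE_DATE, max_age_days=365):
    """One value in [0, 1] per ISO/IEC 25012 characteristic: accurate email,
    credible tax id, up-to-date record, postcode consistent with city, complete record."""
    n = len(records)
    return {
        "accuracy": ratio(sum(bool(EMAIL_RE.match(r["email"])) for r in records), n),
        "credibility": ratio(sum(bool(TAX_ID_RE.match(r["tax_id"])) for r in records), n),
        "currentness": ratio(sum((today - r["updated"]).days <= max_age_days
                                 for r in records), n),
        "consistency": ratio(sum(r["postcode"].startswith(CITY_POSTCODE_PREFIX.get(r["city"], "?"))
                                 for r in records), n),
        "completeness": ratio(sum(all(r.get(f) not in ("", None) for f in REQUIRED)
                                  for r in records), n),
    }

EXPECTED = {"accuracy": 0.9, "credibility": 0.7, "currentness": 0.8,
            "consistency": 0.7, "completeness": 0.9}

def below_expected(qmes, expected=EXPECTED):
    """QME vs expected values: characteristics that miss their target."""
    return sorted(k for k, v in qmes.items() if v < expected.get(k, 0.0))
```

On the sample, `below_expected(measure_qmes(RECORDS))` flags accuracy, completeness and currentness, which is the kind of gap the governance view makes visible per characteristic.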
INAIL, the National Institute for Insurance against Accidents at Work, is a public non-profit entity safeguarding workers against physical injuries and occupational diseases.
Inail's objectives are:
• reducing injuries
• protecting workers performing dangerous jobs
• facilitating the return to work of people injured at work
Bibliography
1. A. Simonetta, M.C. Paoletti, «GDPR Data Driven Approach», Dossier «La Cybersecurity tra innovazione, mercato e normazione», allegato alla Rivista U&C dell'UNI n. 2, Febbraio 2019
2. A. Simonetta, M.C. Paoletti, «Privacy e trasparenza dei dati: un approccio in qualità», Atti del Seminario «Sfide e cambiamenti per la salute e la sicurezza sul lavoro nell'era digitale», Firenze, 23-25 ottobre 2018, https://www.inail.it/cs/internet/comunicazione/news-ed-eventi/eventi/evento-seminario-contarp-csa-cit-firenze-2018.html
3. D. Natale, «La qualità dei dati nell'ISO/IEC 25012 e 25024», Quaderno n. 3/2017, Ordine degli Ingegneri della Provincia di Roma
4. UNI CEI ISO/IEC 25024:2016, Ingegneria del software e di sistema - Requisiti e valutazione della qualità dei sistemi e del software (SQuaRE) - Misurazione della qualità dei dati
5. http://www.iso25000.it/, © 2015-2018 Domenico Natale
6. D. Natale, «La qualità dei dati: concetti e misure», Rivista UNI Unificazione&Certificazione, 2016
7. D. Natale, «La qualità dei dati e l'anagrafe digitale», Rivista UNI Unificazione&Certificazione, 2015
8. D. Natale, «La qualità dei dati e la loro integrazione», Forum PA Academy - Formazione, Roma 2015
9. UNI ISO/IEC 25012:2014, Ingegneria del software - Requisiti di qualità e valutazione del prodotto software (SQuaRE) - Modello di qualità dei dati
10. DMM Data Management Maturity Model, CMMI Institute, 2014
11. D. Natale, M.C. Paoletti, A. Simonetta, «La qualità dei dati e l'informazione statistica», Rivista sugli infortuni e le malattie professionali - IV Serie della rassegna della previdenza sociale, anno XCIX, Fascicolo 1/2012, Pubblicazione quadrimestrale dell'INAIL
12. D. Natale, «Complexity and data quality», Conference CHItaly, Alghero 2011
13. D. Natale, «Data quality e Open data», Convegno nazionale AICA, Torino 2011
14. C. Calero, M.A. Moraga, M.G. Piattini, «Calidad del producto y proceso software» (Cap. 3: D. Natale, «ISO/IEC 25012 Modelo de Calidad de Datos y Data Governance»), Ra-Ma, Madrid, 2000
15. D. Natale, «La qualità dei dati e l'ISO/IEC 25012», Rivista UNI Unificazione&Certificazione, 2009
16. C. Batini, M. Scannapieco, «Data Quality: Concepts, Methodologies and Techniques», Springer, 2006
17. AA.VV., GUFPI-ISMA, «Metriche del software - Esperienze e ricerche» (Cap. 12: D. Natale, «La qualità dei dati e delle informazioni»), FrancoAngeli, 2006