Search results
11 – 20 of over 68000
Darra Hofman, Victoria Louise Lemieux, Alysha Joo and Danielle Alves Batista
Abstract
Purpose
This paper aims to explore a paradoxical situation, asking whether it is possible to reconcile the immutable ledger known as blockchain with the requirements of the General Data Protection Regulations (GDPR), and more broadly privacy and data protection.
Design/methodology/approach
This paper combines doctrinal legal research examining the GDPR’s application and scope with case studies examining blockchain solutions from an archival theoretic perspective to answer several questions, including: What risks are blockchain solutions said to impose (or mitigate) for organizations dealing with data that is subject to the GDPR? What are the relationships between the GDPR principles and the principles of archival theory? How can these two sets of principles be aligned within a particular blockchain solution? How can archival principles be applied to blockchain solutions so that they support GDPR compliance?
Findings
This work will offer an initial exploration of the strengths and weaknesses of blockchain solutions for GDPR compliant information governance. It will present the disjunctures between GDPR requirements and some current blockchain solution designs and implementations, as well as discussing how solutions may be designed and implemented to support compliance. Immutability of information recorded on a blockchain is a differentiating positive feature of blockchain technology from the perspective of trusted exchanges of value (e.g. cryptocurrencies) but potentially places organizations at risk of non-compliance with GDPR if personally identifiable information cannot be removed. This work will aid understanding of how blockchain solutions should be designed to ensure compliance with GDPR, which could have significant practical implications for organizations looking to leverage the strengths of blockchain technology to meet their needs and strategic goals.
Research limitations/implications
Some aspects of the social layer of blockchain solutions, such as law and business procedures, are also well understood. Much less well understood is the data layer, and how it serves as an interface between the social and the technical in a sociotechnical system like blockchain. In addition to a need for more research about the data/records layer of blockchains and compliance, there is a need for more information governance professionals who can provide input on this layer, both to their organizations and other stakeholders.
Practical implications
Managing personal data will continue to be one of the most challenging, fraught issues for information governance moving forward; given the fairly broad scope of the GDPR, many organizations, including those outside of the EU, will have to manage personal data in compliance with the GDPR. Blockchain technology could play an important role in ensuring organizations have easily auditable, tamper-resistant, tamper-evident records to meet broader organizational needs and to comply with the GDPR.
Social implications
Because the GDPR professes to be technology-neutral, understanding its application to novel technologies such as blockchain provides an important window into the broader context of compliance in evolving information governance spaces.
Originality/value
The specific question of how GDPR will apply to blockchain information governance solutions is almost entirely novel. It has significance to the design and implementation of blockchain solutions for recordkeeping. It also provides insight into how well “technology-neutral” laws and regulations actually work when confronted with novel technologies and applications. This research will build upon significant bodies of work in both law and archival science to further understand information governance and compliance as we are shifting into the new GDPR world.
Kallaya Jairak, Prasong Praneetpolgrang and Pilastpongs Subsermsri
Abstract
Purpose
The purpose of this paper is to develop a formal set of information technology (IT) governance practices based on sufficiency economy philosophy (SEP) to support the generic context for Thai universities.
Design/methodology/approach
The research methodology in this study is divided into two main phases: conceptualization and operationalization. In the phase of conceptualization, the authors reviewed literature related to the implementation of IT governance in universities and the principles of SEP in order to conceptualize an initial idea of IT governance on the basis of SEP. In the phase of operationalization, the authors performed in-depth interviews with the CIOs of 20 universities, five IT experts, and five SEP experts in order to verify the proposed concept.
Findings
This study provides two key findings: the IT governance practices based on SEP for Thai universities and the mapping of IT governance practices based on SEP with ISO/IEC 38500.
Practical implications
The total of 65 practices presented in this study can be used as a guideline for handling of IT governance issues in Thai universities.
Originality/value
This study provides university IT governance practices based on the principles of SEP, which is widely accepted and highly appreciated in Thailand.
Elizabeth Shepherd, Jenny Bunn, Andrew Flinn, Elizabeth Lomas, Anna Sexton, Sara Brimble, Katherine Chorley, Emma Harrison, James Lowry and Jessica Page
Abstract
Purpose
Open government data and access to public sector information is commonplace, yet little attention has focussed on the essential roles and responsibilities in practice of the information and records management professionals, who enable public authorities to deliver open data to citizens. This paper aims to consider the perspectives of open government and information practitioners in England on the procedural and policy implications of open data across local public authorities.
Design/methodology/approach
Using four case studies from different parts of the public sector in England (local government, higher education, National Health Service and hospital trust), the research involved master’s level students in the data collection and analysis, alongside academics, thus enhancing the learning experience of students.
Findings
There was little consistency in the location of responsibility for open government data policy, the range of job roles involved or the organisational structures, policy and guidance in place to deliver this function. While this may reflect the organisational differences and professional concerns, it makes it difficult to share best practice. Central government policy encourages public bodies to make their data available for re-use. However, local practice is very variable and perhaps understandably responds more to local organisational strategic and resource priorities. The research found a lack of common metadata standards for open data, different choices about which data to open, problems of data redundancy, inconsistency and data integrity and a wide variety of views on the corporate and public benefits of open data.
Research limitations/implications
The research is limited to England and to non-national public bodies and only draws data from a small number of case studies.
Originality/value
The research contributes to the debate about emerging issues around the complexities of open government data and its public benefits, contributing to the discussions around technology-enabled approaches to citizen engagement and governance. It offers new insights into the interaction between open data and public policy objectives, drawing on the experience of local public sectors in England.
Abstract
Purpose
The purpose of this paper is to explore the relationship between information and clinical governance in the English NHS.
Design/methodology/approach
The paper is a personal reflection based upon the interim report of the National Information Governance Committee (NIGC) of the Care Quality Commission.
Findings
The contribution of the NIGC to clinical governance in England has been significant for a number of reasons. Most notably, it has been embedded at the heart of an organisation concerned with the whole spectrum of health and social care, with a role where information is seen predominately as a means to deliver better care rather than an end in itself. The recommendation to establish a specific and mandatory information governance (IG) element of the inspection regime reflects the fact that without validation of the evidence base, the whole inspection regime may be seen as resting on insecure foundations, and provides re-assurance in the integrity of the whole inspection process, well beyond the scope of IG.
Originality/value
The paper provides an insight into policy making at the heart of clinical governance, and its relationship with IG. It highlights the fact that the work of the NIGC has placed validation of information at the heart of the new CQC inspection regime, providing increased confidence in the information on which the rest of the inspection process is based.
Trinity McNicol, Bailey Carthouser, Ivano Bongiovanni and Sasenka Abeysooriya
Abstract
Purpose
The purpose of this study is to address the generalised lack of guidance on ethical treatment of corporate (e.g. non-research) data in higher education institutions, by focusing on the case of the University of Queensland (Brisbane, Australia). No actionable framework is currently available in the country to govern the ethical usage of corporate data. As such, this research takes a stakeholder-centred approach to data ethics; the lived experience of the stakeholders involved coupled with a theory-based ethical framework allowed the authors to build a framework to guide ethical data practice.
Design/methodology/approach
Adopting a revised canonical action research approach focused on intervention on the context, the authors conducted a review of the literature on ethical usage of data in higher education institutions; administered one survey to university students (n = 168); and facilitated three workshops with professional staff (two) and students (one).
Findings
Collected data highlighted how, among other themes, the role and ethical importance of transparency was the dominant claim among all stakeholder groups. Findings helped the authors develop an Enhanced Enterprise Data Ethics Framework (EEDEF) emphasising transparency and stakeholder-centricity.
Practical implications
Legislation is the driver to regulate the use of corporate data in higher education; however, this can be problematic because legislation is retrospective, lacks normativity and offers scarce directions for cases that do not exactly fall within the legislative mandate. In light of these regulatory limitations, the authors’ EEDEF offers operators guidance on how to ethically manage corporate data in the higher education environment.
Originality/value
This study fills gaps in praxis and theory; that is the lack of literature and guiding ethical frameworks to inform data practice in higher education. This research fosters a more ethical data management by virtue of genuine and authentic engagement with stakeholders and emphasises the importance of strategic decision-making and maturity of data culture in the higher education sector.
Brett Parnell, Merlin Stone and Eleni Aravopoulou
Abstract
Purpose
This paper aims to explore the problems of managing superprojects and identifies how a different approach to controlling them can reduce the incidence of cost and time overruns and benefit shortfalls.
Design/methodology/approach
Literature review accompanied by conceptual analysis.
Findings
Project cost and timing overruns and benefit shortfalls are very frequent in superprojects. These problems can be ascribed partly to the fact that the way in which they are planned is not taken into account in designing and implementing control systems, particularly the governance processes and the information they have available.
Practical implications
This paper has serious implications for those designing control processes, governance and information management for superprojects. It suggests that if a new approach is taken, fewer superprojects will suffer from cost overruns and benefit shortfalls because remedial actions will be taken earlier for projects, which are experiencing problems, while learning will be fed back to those planning new projects.
Social implications
There will be saving of public money and reduced deferment of benefits that normally result from failed or delayed projects and reduced allocation of large incremental budgets dedicated to resolving problems.
Originality/value
The taxonomy of different types of superprojects is original, as is the idea of ambidextrous control, and the diagnosis of failure reasons lying in the nature of control and governance processes, and the lack of relevant information available during the control process.
James Lappin, Tom Jackson, Graham Matthews and Ejovwoke Onojeharho
Abstract
Purpose
Two rival approaches to email have emerged from information governance thought: the defensible deletion approach, in which emails are routinely deleted from email accounts after a set period of time; and the Capstone approach, in which the email accounts of important government officials are selected for permanent preservation. This paper aims to assess the extent to which the defensible deletion approach, when used in conjunction with efforts to move important emails into corporate records systems, will meet the needs of originating government departments and of wider society.
Design/methodology/approach
The paper forms the first stage of a realist evaluation of policy towards UK government email.
Findings
The explanation advanced in this paper predicts that the routine deletion of email from email accounts will work for government departments even where business email is inconsistently or haphazardly captured into records systems, provided officials have access to their own emails for a long enough period to satisfy their individual operational requirements. However, the routine deletion of email from email accounts will work for wider society only if and when business email is consistently captured into other systems.
Originality/value
The paper looks at the policy of The National Archives (TNA) towards UK government email and maps it against the approaches present in records management and information governance thought. It argues that TNA’s policy is best characterised as a defensible deletion approach. The paper proposes a realist explanation as to how defensible deletion policies towards email work in a government context.
Abstract
Purpose
The purpose of this paper is to propose a framework for clinical governance, in particular, for the compliance of data privacy in a healthcare organisation.
Design/methodology/approach
The approach of the research was to highlight problem areas in compliance and governance risk management (governance, risk and compliance (GRC)) in general, and then identify knowledge in other domains that could be combined and applied to improve GRC management, and ultimately improve governance outcomes.
Findings
There is a gap in the literature in respect of systems and frameworks to assist organisations in managing the complex minutiae associated with compliance. This paper addresses this gap by proposing a “compliance action framework” which builds on work existing in other domains in relation to education, process control and governance.
Research limitations/implications
The present research provides a starting point for an implementation of the framework within a number of organisations, and opens questions for further research in the field.
Originality/value
The GRC framework proposed in this paper contributes to the state of the art, by proposing processes for improving the governance capability and compliance outcomes within an organisation for governance of data privacy risk and data protection.
Ragna Kemp Haraldsdottir and Johanna Gunnlaugsdottir
Abstract
Purpose
Many organizations are challenged by different and, perhaps, opposite registration and protection obligations of information regarding their employees. The purpose of this paper is to explore how organizations balance the registration obligations of the Icelandic equal pay standard (EPS) and the protection requirements of the General Data Protection Regulation (GDPR). It aims to raise awareness of how information professionals can ensure that documentation on the education and skills of employees is authentic, traceable and secure.
Design/methodology/approach
The analytical framework covered multiple-cases and semi-structured interviews with various professionals and comprehensive documentary analysis.
Findings
The findings indicate that the organizations were not properly prepared for the implementation of the EPS and were hesitant regarding further registration of personal information due to GDPR. Documentary analysis also revealed critical attitudes towards the legal endorsement of the standard and its potential success.
Originality/value
There is a lack of studies explaining the juxtaposition of information and records management and the legal and regulatory environment. This paper provides a unique description of how information and recordkeeping practices function with the requirements of the EPS whilst complying with GDPR. The results could bring valuable opportunities for the information profession regarding the development, implementation, administration and maintenance of documentary evidence regarding the requirements of international and national standards and legislations and advance their collaboration with other professionals in the management of information.