For many of Government's systems, compliance with this section will be challenging. However, with the improvement of integration capability and the GDPR, it is now possible and in some cases required, that Government matures how data is created, collected, stored, analysed and deleted.
There are over 450 Government Applications containing a huge amount of duplicated personal data, hundreds of thousands of duplicated documents, Government also replicates hundreds of virtual machines that share the same Operating System image and there are countless other scenarios where data is duplicated. Progressing towards a "Store it Once" approach and minimising data collection will protect the integrity of data, improve effectiveness of use and storage of that data and deliver better value for money from technology.
Other benefits of "Store it Once" include:
-
Saving time, resource and budget reusing IOMG data that is already available
-
Reduction in infrastructure and services provisioned as storing it once will promote a mantra of one copy of consistent information
-
Enhance customer perceptions by giving users a more consistent experience when using services building trust and reliability
-
Significantly reduce unnecessary new demands for data storage
The types of data that these principles cover are:
-
Personal – datasets containing personal data as defined by the GDPR
-
Business – transactional data or other datasets that contain service context data
-
Technical – virtual machines, operating systems, emails containing documents of any type, Storage Area Network etc
-
Documents – any documents stored by Government
To comply with this section of the Technology Code of Practice, technical solutions and service plans must show that minimising data collection and duplication wherever practical and possible was considered.
Principles for minimising data collection and duplication
The Design Authority principles for the creation, collection and storage of all types of data are as follows:
-
Data should only be stored once – in many cases, particularly for technical infrastructure implementations and document management, Government has the capability to minimise or remove duplication. Wherever possible, this approach will be taken. For personal and business data, detailed consideration must be given to identify the existence of required data already held by an authoritative source in Government and the viability (technically and legally) for reusing this data.
-
Only collect data that is actually needed and for specific purposes – collecting and storing personal data "just in case" is not permitted by the GDPR do this for other data types is not endorsed by the Design Authority.
-
Use common standards for solution development, technical implementations and service delivery - where integration is required to reuse data or develop against APIs that access data, it is recommended that Open Standards and Intergation standards are followed.
-
Ensure appropriate metadata wherever possible – particularly for electronic documents and records management. This will make retrieving documents, version control, analysis and retention much more effective.
-
Periodically review data requirements and enforce retention periods – in addition to the GDPR requirements for data retention (see Data Protection and Privacy), from a purely technical perspective, enforcing data retention periods is a vital part of effective capacity management. When data is no longer required ensure it is either archived or deleted, depending on the requirements of that data.
Make better use of data
When using data obligations include:
-
Make use of Open Standards and Intergation Standards wherever the classification of the data allows
-
When publishing data, map to the Open Standards and Intergation Standards wherever possible
-
Ensure that users of Departmental and Statutory Board services have appropriate access to the data held about them – any service collecting or using data should clearly communicate to the user how data will be used
-
Review Data Protection and Privacy section of the TCOP to ensure that all key criteria is met
-
Ensure that the anonymising of personal data meets the criteria published by the Information Commissioners Office.
