Having spent a number of years working in the pharmaceutical industry, I have often needed to work out the data privacy impact on the solution we were building. If you work in the finance or e-commerce domains I am sure you have done the same.
But have you ever thought whether you should apply these same principles to your own work? Most projects view BA artefacts as ‘just another project document’, but is that correct?
Why should you consider data privacy in your role?
As a Business Analyst, you can, and should, develop open and honest relationships with your stakeholders.
When I say stakeholder I mean it in the widest sense of the word. Both the people who are driving the change and those who are impacted such as end users, customers and support teams. Basically, anybody you may talk to in your role as project Business Analyst.
To understand what the best solution is for your stakeholders you need to get the best information possible from them. For them to give you the best information they can, they need to trust you. They have to be able to honestly share bad things with you, as well as good things. When they share this information they may have a reasonable expectation of confidentiality or anonymity.
Not every organisation welcomes honest feedback and in some environments, people use a Business Analyst to surface issues that they are nervous of raising themselves.
If they don’t trust you then you will only hear half of the story
What does Data Privacy mean?
In the UK the law that controls how personal information is used by organisations is the Data Protection Act. Other countries have their own regulations and if you are working globally you need to understand laws that apply when sharing data between countries – I’m not going to go into that here though.
According to the Gov.UK site everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure personal information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive<
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
The Information Commissioner’s Office has more details on definitions for those of you who are interested.
How does this affect me as a BA?
As a BA your key role is to elicit information from stakeholders, analyse and summarise it and then report it back to the steering group and project team members in a way that means they can agree on the next steps.
If, as part of this, you store information that relates to an identifiable, living person on a computer then the Data Protection Act can apply to you.
What data would I have that relates to an identifiable, living person?
Obvious ones are:
- Contact Details
- Voice recordings of interviews
- Transcripts or write-ups of interviews
- Completed questionnaires
Less obvious ones include:
- Stakeholder Analyses
- Influence maps
These contain your team’s assessment of stakeholders, for example, your understanding of who the key influencers are. If this does not match the accepted organisation hierarchy this may be sensitive information, especially in a highly political organisational culture.
How can I manage my records well?
Don’t store names if you don’t have to
- If you are gathering answers from a group of people and you know you will not need to ask follow-up questions then refer to them as ‘Person 1, ‘Person 2’, etc.
Let your stakeholders know what will happen to the information they give you
- This can range from a brief verbal overview for in-house stakeholders to a formal statement of your data policy for external stakeholders.
- Unless stated otherwise, your stakeholders will probably have an expectation of some confidentiality.
- As a general rule, don’t share interview write-ups outside the project team. However interesting the content is!
Store files securely
- Stakeholder interviews and analyses are not ‘just another project document’. Don’t dump them on an open file share, limit access to those people that need to know.
- Consider restricting the interview files to just the BA team and any Stakeholder analyses to a core team.
- Make sure everyone on the team understands these files contain personal information and cannot be shared willy-nilly.
- Context is everything. Someone who doesn’t know the background for a discussion may misinterpret the content of a stakeholder interview.
Delete records when they are no longer necessary
- Some people record interviews with people so they can focus on listening to them rather than scribbling notes. (Note: Always ask permission to record an interview) Once you have transcribed the interview delete the voice files. They are no longer needed.
- Delete transcripts after you have analysed them and summarised and reported those analyses. For example, after a requirements document has been signed off or the relevant user stories have been created, estimated and prioritised.
Managing your BA records properly is important to comply with legal requirements but also to show courtesy and respect for your stakeholders.
- Be aware that data privacy may apply to you and store documents accordingly
- Make sure your whole team understands what they can, and can’t do with certain documents
- Delete records once they have fulfilled their purpose
- Don’t store stakeholder interviews and analyses in open file shares
- Be transparent with your stakeholders