Information Officer’s Role in System Design
The information officer has two important roles regarding system design. The first is to give advice and guide responsible parties about compliance with the conditions for the lawful processing of personal information. The second is to confirm compliance with the conditions for the lawful processing of personal information.
To be effective, information officers need to be involved from the very beginning of any system design and will require access to information about the business requirements, system design, system management, service delivery, information security and the related privacy concerns.
Information officers will need an appropriate level of detailed knowledge and understanding of the data processing as well as access to the facilities, system components and information about the design and operation.
For each individual module (or project milestone) in a development programme, the information officer should confirm with the project team that the agreed-upon implementation of the module complies with the conditions for the lawful processing of personal information.
Typical tasks that involve the information officer are:
- Documenting personal data-relevant business processes
- Defining the master data
- Determining the reporting system
- Examining the information flow of personal data, application interfaces and data flows to other systems
- Establishing personal information processing criteria
- Evaluating the user authorisation concept
- Evaluating test plans
- Defining migration and legacy data transfer.
Reliability of Information Officers
Information officers have a long term responsibility to the responsible parties, data subjects and the regulator for ensuring that the design of systems results in the lawful processing of personal information. The advice information officers give to system designers needs to be reliable so that the choices they have are correctly evaluated and appropriate decisions are made regarding the processing of personal information.
Often system designers and service providers focus only on getting systems to work well at solving a particular problem or delivering a specific service. They forget that an important property of processing personal information is to do so lawfully and therefore protect individual rights, enable intervention and inspection the data processing system, have it changed, and if necessary, shut off the system completely.