The Manila Times - Data misManagement

24 June 2020

By Nelson Celis | The Manila Times

WHATEVER Dr. Tony Leachon said about the ineffectiveness of the Department of Health (DoH) in managing the coronavirus data vis-à-vis the apology of the DoH is not new to the writers of this column, “Let’s face it,” vis-à-vis the Commission on Elections’ (Comelec) handling of registered voters’ data and the counting and canvassing of votes. Leachon’s perspective that the Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF-EID) could decide firmly based on the real-time and granular data generated by the DoH daily is our point of interest here.

Leachon’s concept of having effective data management may be traced back to when a French mining engineer, Henri Fayol, developed the general theory of business administration that was published in Administration Industrielle et Générale in 1916. Fayol’s theory (Fayolism) refers to the five elements of organizational management: planning (P), organizing (O), commanding (leading or L), coordinating (Cg) and controlling (C). Other theorists simplified Fayolism by combining L and Cg to come up only with P, O, L and C (POLC).

Experienced and competitive leaders, managers, entrepreneurs and strategists, knowingly or unknowingly (i.e., with no formal schooling or training), follow this basic POLC pattern. Missing one of these elements could only mean mismanagement.

In this article, I coined the term “misManagement” as the mismanagement of management information system (MIS), computerized or combined automated and manual processes.

Experienced chief information officers or information technology (IT) managers, and especially our colleagues from the Department of Information and Communications Technology (DICT) and the Department of Science and Technology (DoST), know what misManagement is — it is all about mishandling of organizational data and information by not employing best practices or international standards in its internal business operations to provide, at least, satisfactory services to customers or constituents.

Let me be clear about the term “best practices” by citing a specific law enacted in 2012 — Republic Act (RA) 10173 or the “Data Privacy Act.” Its Section 7 stipulates the functions of the National Privacy Commission (NPC), which is “to administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission x x x.” As we all know, the NPC is an attached agency of DICT.

Four years later, the NPC was finally organized in 2016, after a long wait by all advocates of data protection and privacy, IT managers and, most of all, top officers of very concerned organizations. What the AES Watch of the Center for People Empowerment in Governance (CenPEG) loved most about the NPC was its promulgation of the Implementing Rules and Regulations (IRR) of RA 10173 a few months after its formal creation. By contrast, the IRR of RA 9369, or the “Automated Election System (AES) Law of 1997,” has not been promulgated by the Comelec since then. Yes, 23 long years and still counting! And I think Sen. Maria Imelda Josefa Marcos will finally end this impasse, being chairman of the Senate Committee on Electoral Reforms and People’s Participation, as this was touched on in one of her meetings.

Going back to NPC, aside from the IRR of RA 10173, it released a series of circular orders “to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected (Section 2).” To reinforce the said law and its IRR, the term “best practices” is highlighted in NPC’s Circular Order 16-01, dated Oct. 10, 2016 regarding “security of personal data in government.” These are:

– Section 6… “The Commission (i.e., the NPC) recommends the use of the ISO/IEC 27002 control set as the minimum standard to assess any gaps in the agency’s control framework.”

– Section 12… “The Commission recommends ISO/IEC 27018 as the most appropriate certification for the service or function provided by a service provider under this rule.”

The adoption of international standards as supported by NPC, particularly the ISO 27001 family of Information Security Management System with some cited above, will ensure proper data management. It has comprehensive organizational controls to suitably manage any business processes, including system monitoring and audits.

Hence misManagement cannot thrive in an MIS environment, or in handling data for that matter, as all possible risks are mitigated before they could happen. Even former Comelec chairman Andy Bautista said they were implementing ISO 27001 in time for the 2019 elections; unfortunately, it did not materialize. Now, a question may arise as to whether the Health department is following any standard framework in managing its data. DICT, in this regard, may help the DoH if there is none, to prevent misManagement. And to further strengthen the support of DICT, the NPC may possibly guide them too on how to adopt ISMS.

Further, included in the best practices is the intervention of an independent third party for checks and balances. This has been proven to be effective in forms such as an advisory council (e.g., the DICT heading the Comelec Advisory Council), independent experts (e.g., independent directors of publicly listed companies for corporate good governance) and an independent auditing group (e.g., a private firm, the Commission on Audit, or a combination of both).

Notwithstanding the scandal in a United States energy company, Enron Corp., that folded up due to its connivance with its auditing firm, Arthur Andersen — a case of hiding pertinent information from the public that was later discovered. Another question that may arise is whether the DoH had tapped the DICT or DoST as adviser or advisers. Did they?

Interestingly, I had a chance to interview the Comelec’s former IT head, Mr. Ernie del Rosario, and asked him about his views on Leachon’s criticism of the DoH. Del Rosario said: “Since the infection occurs in real time and immediately starts to push the victim over a gestation period of two weeks, what is essential therefore is to collect each patient’s data as soon as the infection is detected. Then of course the data accuracy, security and transmission speed from where the patient is, including the application of the cure process, should also be of critical importance. It is obvious that the present obsolete, slow and error-prone data management system being used is totally out of sync with what should be in place. What is urgently needed is to replace the poor data management system and immediately.”

Del Rosario’s recommendations are: “1) create and immediately operationalize a central widely networked (preferably down to the barangay and even test stations levels) health care center to collect very high-quality and standardized data and near-real-time responsiveness monitoring and reporting information system; 2) come up with a system capable of reporting same-day collected critical information system shortly after the day ends. Eliminate the slow practice of data validation between the central DoH system and the LGU (local government unit) levels for this will be unnecessary with the new system and only causes data errors like duplication etc.; and 3) modernize case data capturing at the generation level (or where the smallest case granularity data emanates) by using automated capturing devices such as those OMR scanning technology used in our last four automated elections for which we already have more than 200,000 units now lying idle in the warehouse and getting obsolete.”

OMRs? Why not! Those were used only once, some twice, in all elections we had since 2010. Remember that these will not be used in the 2022 elections as President Rodrigo Duterte made the pronouncement last year in Tokyo, “I would like to advise Comelec now, I won’t delay this: Dispose of that Smartmatic and look for a new one that is free of fraud.” Del Rosario made sense when he suggested that these machines be made usable not only once or twice, but every day! Those machines cost us billions of pesos of people’s money and are just being kept useless in the warehouse. Else, we can tap more minds of IT experts in the DICT for other options. Besides, DICT is a member of the IATF-EID.

So, what’s misManagement? Leachon explained it in his own words as read and viewed in other media. It is only elaborated herein from the business process and IT standpoints. He, through Sen. Christopher Lawrence “Bong” Go, simply accepted his mission without hesitation based on his sincere request for real-time and granular data.