Data Tangle Interview 6: Rebecca Messenger-Clark

This is interview # 6 of 12 for our Data Tangle research project.

Interviewee: Rebecca Messenger-Clark

Institution: Leeds University

Role: Data Protection Officer (DPO) and Head of Information Governance Team

Abstract: Managing data compliance and risk in a complex university.

Interview summary

" We’re Giving People the Fish, Not the Net”

As most of what you’ve read in our first five interviews are primarily quality focussed, we thought it would be interesting to view data though a different lens as part of the Data Tangle project.

We’ve been working with Rebecca and many other colleagues at Leeds developing the Information Governance Framework (IGF) - initially focussed on data risk and compliance. Quality and other ‘elements’ are on the roadmap, but institutional priorities are guiding our work.

We asked Rebecca about what it’s really like trying to manage data protection in a huge, complicated institution. The answer is it’s complicated being a mix of establishing what the risks are, how they should be managed, priorities, and – honestly - a lot of chasing people who don’t see managing data as a priority.

Rebecca leads a small team of four. Together, they handle legislation and compliance around data including; data protection advice, risk escalation, data subject access requests, and Freedom of Information (FOI) requests. It’s a lot of responsibility for a small group, and most of the time they’re dealing with tiny slices of data without the bigger picture. As Rebecca puts it, “I work with uncontextualised snapshots of data.” People come to her with one task, wanting a yes/no answer when most of the time that answer must start with “well it depends”

One of the biggest barriers she faces is this lack of context. Staff often don’t understand the wider processes their data sits in, and they don’t always share the background and scope of their request. Sometimes they share only the bits they think will get them the answer they want. Other times they just hand things off because “your job title has data in it”. This is not a university wide picture and staff are not trying to do a bad job/make Rebecca’s role difficult- it is more a snapshot of the current level of maturity around data, and the lack of a joined up framework to manage it. Hence the need for the IGF!

This lack of a framework to manage the work leads to further frustrations on what happens after the initial discussions. Often, Rebecca’s team gives advice, but they rarely know whether anyone took that advice or did something else entirely. Without this feedback loop, there’s no way to check if the guidance landed, and no way to stop the same questions coming back again from different people in different parts of the university. “We’re giving them the fish, not the net,” she says.

A lot of this comes down to how the DPO role has been understood historically. At Leeds, it wasn’t well defined or promoted, especially during the 2018 GDPR introduction. Instead of being seen as a helpful partner, the DPO became a hurdle — something you must “get past” to do what you want. Rebecca would like to be able to spend more time in advocacy to help staff navigate the sometimes complex route through statutory regulation.

But as with many universities, being seen as a ‘gatekeeper’ rather than an ‘enabler’ is a tough change to make stick.FOI requests are a whole other challenge. Some areas of the university think they “own” the data and get to decide what’s released. Rebecca’s team has done a lot of outreach, but there’s still resistance.

Even a simple publication scheme, putting common information online so FOIs don’t need a response, has been surprisingly hard to get off the ground. Some concerns are valid, but a lot of it is just “it’s the way we’ve always done it” which doesn’t, in our view, constitute a valid reason to continue to do so!

Training is another sticking point. Everyone does the same mandatory information governance module, whether they’re a researcher handling human tissue or someone working in catering. Rebecca would love modular training tailored to roles, but writing it takes time they don’t currently have.

And then there’s the issue of simply knowing where data lives. Right now, the team relies on a “painfully cobbled together spreadsheet” curated by helpful staff. These are not systemised or even always recorded as coherent data sets because much of the knowledge lives in peoples heads.  So if someone leaves, the knowledge goes with them. A proper university‑wide data catalogue would make a huge difference.

Despite all this, Rebecca sees some progress especially as the IGF becomes something real rather than theoretical. The response to a joined up framework to manage data has been extremely encouraging.  Everyone knows there are problems, and now the IGF is seen as at least part of the solution. This, in itself, brings challenges but that’s a post for another day! Right now the goal is “to make the right thing, the easy thing” which is an incremental approach doing those things with staff and not to them.

It’s not going to be a short journey, but it’s definitely heading in the right direction.  Reflecting on this interview we see similarities with many other Data Tangle interviewees. Our assessment is regardless of the data role held, the issues appear to be consistent and pervasive. On the flip side, we see more of those staff who really ‘get data’ acting as advocates and unofficial data champions.  To scale this to a university wide capability, initiatives like the IGF are the only way we can see to provide embedded data assurance and compliance that is both supportive and risk managed.