Skip to main content

LUP Student Papers

LUND UNIVERSITY LIBRARIES

Architecturally Bounded Governance: A Case Study of HR Data Access and Information Security in a Public Sector BI System

Åberg, Kelli LU and Malmström, Eric LU (2026) SYSK16 20261
Department of Informatics
Abstract (Swedish)
This study examines how data governance is enacted in practice for HR data access and use in Business Intelligence (BI) systems within a public sector organization. Using data governance theory, access control models, the CIA triad, and socio-technical systems theory, the study explores the gap between formal governance structures and everyday organizational practice. A qualitative, interpretive single-case study was conducted at a large Swedish municipality, based on semi-structured interviews with seven respondents across four departments and system walkthroughs. The findings show that governance operates through two qualitatively different modes within the same organization. Inside the BI platform, governance is embedded and effective.... (More)
This study examines how data governance is enacted in practice for HR data access and use in Business Intelligence (BI) systems within a public sector organization. Using data governance theory, access control models, the CIA triad, and socio-technical systems theory, the study explores the gap between formal governance structures and everyday organizational practice. A qualitative, interpretive single-case study was conducted at a large Swedish municipality, based on semi-structured interviews with seven respondents across four departments and system walkthroughs. The findings show that governance operates through two qualitatively different modes within the same organization. Inside the BI platform, governance is embedded and effective. Anonymization, role-based access controls, and structured provisioning make compliance the default for most users. Outside the platform, once data moves into spreadsheets, manual extracts, or legacy files, these technical controls are no longer enforced. Traceability is lost, GDPR protections do not travel with the data, and compliance depends on informal norms. The study proposes the concept of architecturally bounded governance, arguing that governance effectiveness is conditioned less by formal policy quality than by whether it is embedded in systems people use. The findings contribute to data governance research, access control theory, and socio-technical tradition in Information Systems. (Less)
Please use this url to cite or link to this publication:
author
Åberg, Kelli LU and Malmström, Eric LU
supervisor
organization
course
SYSK16 20261
year
type
M2 - Bachelor Degree
subject
keywords
Data Governance, Information Security, Business Intelligence, HR Data, Public Sector, GDPR, Role-Based Access Control, Socio-Technical Systems, Architecturally Bounded Governance
language
English
id
9228758
date added to LUP
2026-06-16 10:33:40
date last changed
2026-06-16 10:33:40
@misc{9228758,
  abstract     = {{This study examines how data governance is enacted in practice for HR data access and use in Business Intelligence (BI) systems within a public sector organization. Using data governance theory, access control models, the CIA triad, and socio-technical systems theory, the study explores the gap between formal governance structures and everyday organizational practice. A qualitative, interpretive single-case study was conducted at a large Swedish municipality, based on semi-structured interviews with seven respondents across four departments and system walkthroughs. The findings show that governance operates through two qualitatively different modes within the same organization. Inside the BI platform, governance is embedded and effective. Anonymization, role-based access controls, and structured provisioning make compliance the default for most users. Outside the platform, once data moves into spreadsheets, manual extracts, or legacy files, these technical controls are no longer enforced. Traceability is lost, GDPR protections do not travel with the data, and compliance depends on informal norms. The study proposes the concept of architecturally bounded governance, arguing that governance effectiveness is conditioned less by formal policy quality than by whether it is embedded in systems people use. The findings contribute to data governance research, access control theory, and socio-technical tradition in Information Systems.}},
  author       = {{Åberg, Kelli and Malmström, Eric}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Architecturally Bounded Governance: A Case Study of HR Data Access and Information Security in a Public Sector BI System}},
  year         = {{2026}},
}