Architecturally Bounded Governance: A Case Study of HR Data Access and Information Security in a Public Sector BI System
(2026) SYSK16 20261Department of Informatics
- Abstract (Swedish)
- This study examines how data governance is enacted in practice for HR data access and use in Business Intelligence (BI) systems within a public sector organization. Using data governance theory, access control models, the CIA triad, and socio-technical systems theory, the study explores the gap between formal governance structures and everyday organizational practice. A qualitative, interpretive single-case study was conducted at a large Swedish municipality, based on semi-structured interviews with seven respondents across four departments and system walkthroughs. The findings show that governance operates through two qualitatively different modes within the same organization. Inside the BI platform, governance is embedded and effective.... (More)
- This study examines how data governance is enacted in practice for HR data access and use in Business Intelligence (BI) systems within a public sector organization. Using data governance theory, access control models, the CIA triad, and socio-technical systems theory, the study explores the gap between formal governance structures and everyday organizational practice. A qualitative, interpretive single-case study was conducted at a large Swedish municipality, based on semi-structured interviews with seven respondents across four departments and system walkthroughs. The findings show that governance operates through two qualitatively different modes within the same organization. Inside the BI platform, governance is embedded and effective. Anonymization, role-based access controls, and structured provisioning make compliance the default for most users. Outside the platform, once data moves into spreadsheets, manual extracts, or legacy files, these technical controls are no longer enforced. Traceability is lost, GDPR protections do not travel with the data, and compliance depends on informal norms. The study proposes the concept of architecturally bounded governance, arguing that governance effectiveness is conditioned less by formal policy quality than by whether it is embedded in systems people use. The findings contribute to data governance research, access control theory, and socio-technical tradition in Information Systems. (Less)
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/student-papers/record/9228758
- author
- Åberg, Kelli LU and Malmström, Eric LU
- supervisor
- organization
- course
- SYSK16 20261
- year
- 2026
- type
- M2 - Bachelor Degree
- subject
- keywords
- Data Governance, Information Security, Business Intelligence, HR Data, Public Sector, GDPR, Role-Based Access Control, Socio-Technical Systems, Architecturally Bounded Governance
- language
- English
- id
- 9228758
- date added to LUP
- 2026-06-16 10:33:40
- date last changed
- 2026-06-16 10:33:40
@misc{9228758,
abstract = {{This study examines how data governance is enacted in practice for HR data access and use in Business Intelligence (BI) systems within a public sector organization. Using data governance theory, access control models, the CIA triad, and socio-technical systems theory, the study explores the gap between formal governance structures and everyday organizational practice. A qualitative, interpretive single-case study was conducted at a large Swedish municipality, based on semi-structured interviews with seven respondents across four departments and system walkthroughs. The findings show that governance operates through two qualitatively different modes within the same organization. Inside the BI platform, governance is embedded and effective. Anonymization, role-based access controls, and structured provisioning make compliance the default for most users. Outside the platform, once data moves into spreadsheets, manual extracts, or legacy files, these technical controls are no longer enforced. Traceability is lost, GDPR protections do not travel with the data, and compliance depends on informal norms. The study proposes the concept of architecturally bounded governance, arguing that governance effectiveness is conditioned less by formal policy quality than by whether it is embedded in systems people use. The findings contribute to data governance research, access control theory, and socio-technical tradition in Information Systems.}},
author = {{Åberg, Kelli and Malmström, Eric}},
language = {{eng}},
note = {{Student Paper}},
title = {{Architecturally Bounded Governance: A Case Study of HR Data Access and Information Security in a Public Sector BI System}},
year = {{2026}},
}