Move over big data: Data inventories are the next big thing
What are data inventories? And why should government agencies care about them?
Data inventories are effectively a ‘stock take’ of data, outlining how data moves around an organisation and is shared, secured, metadata tagged and so forth. Of key interest in any data inventory is the personal information (PI) held by an organisation.
Data inventories are often confused with data assessments, the latter being the myriad tools deployed to identify and mitigate privacy, security and other risks. There’s good reason for the confusion between the terms because a key value-add in any data inventory is in the identification of ‘at-risk PI,’ followed by an assessment of an organisation’s effectiveness in protecting their PI holdings. In other words, data inventories are the flipside of the data assessment coin.
Why are data inventories and assessments ‘must-do’ activities?
There’s a host of regulatory and policy reasons to complete data inventories, and the Office of the National Data Commissioner has authored an excellent Guide to Developing a Data Inventory.
The Australian Privacy Principles (APPs) are another key regulatory driver for data inventories. In particular, APP 11 (Security of PI) obliges agencies to take active measures (emphasis added) to ensure the security of PI, as well as protect PI from misuse and unauthorised disclosure.
In effect, agencies cannot secure their PI holdings unless they know why and where PI is held — and until they have a reasonable understanding of their physical and cybersecurity measures.
In addition, s.17 of the Commonwealth Privacy Code (CTH Code) requires Commonwealth agencies to regularly review, update and monitor compliance with privacy practices, procedures and systems. In other words, these protocols are not for ‘setting-and-forgetting.’
Beyond the regulatory and policy drivers, the Office of the Australian Information Commissioner (OAIC) has repeatedly gone on record to emphasise that APP entities should destroy or de-identify PI that they no longer require.
And if they don’t comply? The OAIC has the power to levy sanctions of up to $50 million. This strong messaging came off the back of unprecedented data breaches in 2022, when millions of Australians’ personal data and records were compromised.
Some client records dated back more than a decade and included many ex-clients. After the dust settled on the Optus, Medibank and other major data breaches, a key theme emerged — that poor record-keeping and data destruction protocols can exacerbate the scale and severity of data breaches. To paraphrase the OAIC — destroy it if you don’t need it.
And then, there’s the small matter of the Commonwealth privacy reforms. Proposal 25.1 in the government’s Response to the Privacy Act Review Report contemplates new low-level civil penalties for administrative breaches of the APPs and the Privacy Act. Those fines could apply even if the interference with privacy is not serious, nor repeated. Those powers are meant to complement the OAIC’s increased investigative powers under the reforms.
Considering the government has ‘agreed’ to Proposal 25.1, those civil penalties will likely come into force in the first tranche of privacy reforms, expected before the end of calendar 2024. When the reforms are enacted, Commonwealth agencies can be fairly confident that the OAIC will target and likely fine organisations that have not undertaken due diligence processes to identify and destroy old, outdated and unnecessary PI.
From a practical perspective, how can Commonwealth agencies reduce their (unneeded) PI holdings?
Agencies should start from the premise that there are no silver bullets, nor quick fixes. Every data inventory and assessment will take time and effort, and will need to reflect unique organisational cultures, agency budgets, resourcing and risk profiles. However, the following points can (hopefully) steer agencies in the right direction.
Don’t get overwhelmed and stick to a plan. Commonwealth agencies hold vast and ever-growing amounts of data drawn from hundreds of apps, ICT systems and a host of different platforms. As such, ‘starting’ a data inventory can be daunting, with many agencies questioning the utility of the process. This is particularly the case when the results might be outdated before an agency starts the assessment and risk mitigation tasks.
One simple approach is for agencies to think about data inventories and assessments as an ongoing process, requiring a long-term approach. And that process requires executive buy-in, with appropriate resourcing, training and cross-agency commitment for plans to help manage and mitigate privacy risks.
Establish a calendar, KPIs and protocols for identifying privacy risks. No plan is complete without a calendar, identified KPIs and deliverables, along with protocols for managing PI risks. Agencies might consider ways to engage key stakeholders and take a whole-of-agency approach.
This could be particularly helpful in identifying obvious sources of PI, such as HR and client records, as well as hidden ‘troves’ of PI that may require bespoke search protocols and tools. Agencies might also consider some ‘helpful hints’ found in another Mandarin article about Privacy-by-Design being a ‘team sport.’
Engage with and support Privacy Champions. Section 11 of the CTH Privacy Code outlines a requirement that all agencies nominate Privacy Champions. If properly engaged and trained, Privacy Champs can be invaluable sources of information about obvious and hidden troves of PI, as well as PI handling practices and risks.
However, most Privacy Champions will be time-poor because they will (likely) have additional 9-to-5 jobs. Plus, many ‘Champs’ may have little experience or understanding of ICT and cybersecurity issues, which are key elements in assessing privacy risks.
In that vein, agencies might consider uplifting their Privacy Champs’ training to include ICT and security awareness. That’s in addition to leaning into their Champs to help with data inventory planning, stakeholder communications and developing cross-agency collaboration.
Consider the tool mix. To complete a comprehensive data inventory, agencies will likely need to invest in specialist apps or customise standard tools to help identify PI. In my experience, no tool can do everything — at least not at a reasonable price or without specialist support. Agencies will obviously need to consider their own budgets, resource constraints and what tools offer the best value for money. They might also consider engaging with ICT specialists, who can provide invaluable support. These ICT gurus may even point out that retaining ‘high-risk PI’ is, in fact, ‘low risk’ because of existing security protocols.
Making it easier to say ‘yes’ to deleting records. Lawyers are notoriously conservative about giving their blessings to any plan to destroy PI or Commonwealth records — myself included. Agencies should consider engaging in-house or external lawyers to develop a Normal Administrative Practice (NAP) or a PI-specific Records Authority under the Archives Act, 1983. These administrative tools can help agencies in their efforts to destroy unneeded PI ‘en masse.’
If agencies cannot immediately destroy a given set of records, they might consider working with their ICT specialists to find ways to put PI ‘beyond reach.’ That might take the form of lifting-and-shifting records (especially high-risk PI) into secure and encrypted platforms or digital deep freeze — at least until a later, agreed date when destruction is possible under a NAP or Records Authority protocol.
While it is uncertain when the privacy reforms will come into force, there is one certainty at play — that data holdings will only continue to grow. The earlier that Commonwealth agencies begin their data inventories and assessments, the better placed they’ll be to manage their data risks.