Data governance

Data governance includes the processes and procedures a business implements to collect, manage, use, and protect data. Strong data governance assists with mitigating cyber risks and complying with legal obligations under the Privacy Act 1988 (Cth) (the Privacy Act). Maintaining effective data governance better equips businesses to comply with the Australian Privacy Principles (APPs), and better protects data from potential breaches.

The following steps should be considered when implementing a data governance framework:

1. Define goals and desired benefits.
2. Analyze the current state of data governance in the business.
3. Develop a roadmap.
4. Convince stakeholders and ensure a sufficient budget for the project.
5. Develop and plan the data governance program.
6. Implement the data governance program.
7. Monitor and control the data governance program.

If your business is starting to develop its data governance framework, ensure you adopt the following best practices:

Identify critical elements and use data as a strategic source

Understand what data you collect and why. This will help your business identify what data is required and when data is no longer required, and to develop data retention protocols for essential data. By reducing the amount of data your business retains, you mitigate the impact of cyberattacks on business stakeholders.

Implement and maintain policies and procedures for the entire data lifecycle

Data has an extensive lifecycle involving collection updating, storage, analysis, back-up, and deletion. Your business should understand the progression of each stage in the lifecycle and ensure the data remains secure throughout the entirety of its life in the business. For example, as the end of the data lifecycle approaches, APP 11 requires APP entities to take reasonable steps to destroy or de-identify personal information they hold if it is no longer needed for the purpose for which it was collected or used.

Involve employees in the data governance

Involving staff in your data governance framework ensures all parties in the business are informed and capable of complying with your organization's policies and procedures. This heightened awareness will improve employees' ability to address cyber threats as well as foster cybersecurity cooperation between departments.

Data minimization

Data minimization is where a business only collects and retains the personal information reasonably necessary to achieve specific business purposes. It is a simple and easy strategy to adopt and mitigate the risks associated with cyberattacks. In Australia, the APPs promote data minimization. Specifically, APP 3 and APP 11 provide require organizations to limit the collection and retention of data. The more information your organization holds, the more it has to lose, and the more susceptible it is to a cyberattack. Therefore, minimizing your data assets will mitigate the risk and impact of a cyberattack on your business, employees, and customers. A data minimization strategy can greatly benefit your organization and save it extensive hurt in the future.

Tips to effectively implement data minimization in your business:

Collect only essential data

Your business should only collect necessary personal information for purposes specifically relating to the function and activities of your organization. Some key questions to ask when assessing your data include:

• What data is being collected?
• What is the data being collected for?
• Does the data subject know it is being collected, and for what purpose?
• Did the data subject need to consent to the collection, use, and storage of their data?
• Where is data being stored?
• For how long is data being stored?

Internal training and policies

Your business should implement employee training on data minimization processes to ensure each employee understands which information should be collected and retained, and how this process should be managed. Maintaining a transparent privacy policy outlining your organization's purpose for the collection and disclosure of personal information is important to ensure clarity for both customers and employees.

Delete data following use

Once data has served its purpose, you should have a process to securely delete or de-identify that data. It is important for your organization to develop a data retention and destruction policy to manage information held by your business and assist in decisions of whether data should be retained or destroyed. This will safeguard data, reduce the impact of data breaches on your business, and ensure compliance with Australian privacy laws.

Conduct regular data audits

Conducting regular data audits will allow your business to assess the data you have on file, its method of storage, and its use to the business. This will assist in decisions concerning the retention, de-identification, and deletion of data.

Data de-identification

'De-identification' is the process of removing or altering data so that individuals can no longer be 'reasonably identified.' This often involves removing, obscuring, or altering personal identifiers in the data set to ensure no personal information can be identified. It is a privacy-enhancing tool for Australian businesses, which, when implemented correctly, assists in your businesses' compliance obligations under the Privacy Act and APPs, and helps mitigate the impact of a cyberattack.

Data de-identification can be achieved through a number of methods, most commonly the safe harbor method and pseudonymization:

Safe harbor method

This involves removing identifiers from data, such as names, dates, phone numbers, email addresses, account numbers, IP addresses, and biometric identifiers. This method is simple and low cost, however, can be restrictive and significantly reduce the utility of the data set.

Pseudonymization

Pseudonymization involves replacing personal identifiers with temporary IDs to mask any personal information. Prior to using pseudonymization, you must ensure consent has been obtained from individuals and that any risks of re-identification are appropriately managed.

If data is properly de-identified and an organization suffers a data breach, it may not be required to report the breach to the Office of the Australian Information Commissioner (OAIC) as the data should not contain personal information. Therefore, de-identification can significantly limit the risk of exposure, protecting the organization, its employees, and customers.

Next steps

Looking forward, it is essential that Australian businesses implement strong data management practices. This will not only ensure they comply with obligations under Australian privacy laws, but also help mitigate the growing risk of cyberattacks and minimize the impact of any attacks.

Your business should only collect and retain information necessary to provide your goods and services. You should adopt data de-identification practices to enhance security protections and mitigate harm.

Your business should regularly review its data governance approach and incorporate intentional data governance into your day-to-day operations. A combination of these strategies will better equip your business to combat the increasing risk and harm of data breaches in the tumultuous cyber landscape.

Katherine Sainty Director
[email protected]
Sarah Macken Paralegal
[email protected]
Sainty Law, Sydney