elevenM’s Valerie Ng explains the important role played by data minimisation in preventing privacy and security breaches, and outlines five practical steps to build a data retention and disposal program.
“Five data breaches in six months hit millions of Australians.”
That was the Sydney Morning Herald’s headline after the OAIC’s release of the Notifiable data breaches report in March. The report covered July to December 2022, a period that included the much-publicised data breaches at Optus, Medibank and Woolworths, which affected 2 million, 9.7 million and 2.2 million Australians respectively. (Outside of Australia, Microsoft, WhatsApp, Twitter and LastPass were hit in the same period.)
Two weeks after the OAIC’s report, Latitude Financial reported a data breach that is now thought to have impacted 14 million people, 7.9 million of them Australians. It’s currently the largest data breach of a financial institution in Australia.
Latitude, in particular, has been criticised for its retention of old data. Ninety-four per cent of the breached data was provided to Latitude prior to 2013, with data going back to “at least 2005”. The Latitude breach prompted New Zealand’s Deputy Privacy Commissioner, Liz MacPherson, to remark that “data retention is the sleeping giant of data security”.
The recent breaches illustrate the critical importance of data minimisation. The problem with retaining old data is that the more information an organisation holds, the more data it has to manage, store and secure. The more data that is retained, the greater the likely risk and breadth of harm in the event of a data breach, both to the organisation and to the individuals whose information has been stolen.
Aside from the growing understanding of its role in relation to data breaches, data minimisation has also come into even sharper focus due to reforms being proposed to the Privacy Act. In Australia, the over-retention of personal information is currently addressed in the Privacy Act under Australian Privacy Principle 11, which states that APP entities must “take such steps as are reasonable to destroy the information or to ensure that the information is de-identified”.
Under proposed reforms to the Act, data minimisation obligations are set to increase. APP entities would have to “establish their own maximum and minimum retention periods” (Proposal 21.7), and specify those periods in their privacy policies (Proposal 21.8).
Data minimisation — easier said than done
Data minimisation is an attempt to reduce an organisation’s data holdings to what it actually needs.
Though it is required by Australian Privacy Principle 11 (as described above), data minimisation remains a tricky area for many organisations.
For one thing, with so much information being created on a daily basis, there’s usually no obvious incentive to get a handle on it. Data minimisation is also often a challenge for organisations to operationalise.
After the last IAPP ANZ Summit, privacy professional David Mesman wrote that “to me, the key takeaway from the summit was clear — Aussie organisations are on notice to ‘clean up’ their data holdings … Many businesses toss these issues into the ‘too hard’ basket.”
Why? David cites the plethora of systems, apps and platforms that hold data (legacy and active), underfunded records management teams, and the trouble of deciphering “interlocking regulatory requirements” to retain certain data for a specified period. It’s just easier to save everything and “kick the problem down the road”. Of course, the severity of recent data breaches demonstrates that saving everything is not necessarily the safest or best option.
With that in mind, we’ve provided five practical tips to help you build a robust data minimisation program:
Five tips for building a data minimisation program
1. Establish formal retention and disposal policies
Retention and disposal policies provide guidelines for how long information should be retained, and how to calculate when that information should be destroyed. These policies are tailored to your business. They should:
- break your business down into its functions and activities,
- detail the kinds of information produced by those activities, and then
- link those information types to retention periods and disposal actions, noting that the action could be destruction or, yes, de-identification, depending on the format or type of information.
Far from being cookie cutter, your retention and disposal policy must be based on all relevant legal and regulatory obligations, as well as business requirements and expectations.
2. Understand where your personal information is with an Information Asset Register
An Information Asset Register records what information your organisation holds and where it is stored. Unlike a retention and disposal policy, which may remain fairly static, an Information Asset Register should be a living document. It helps you keep track of where information is stored, identify the assets that pose significant risk (such as those containing significant and/or sensitive personal information), and prioritise your disposal activities accordingly.
3. Assign responsibilities
Ideally, every data asset should have a clear owner who can speak to the business’ data requirements. Depending on your business, Data Owners can support a range of data quality, security and other compliance activities. At a minimum, though, it helps to have an Owner who can approve a disposal action and confirm that the information you are looking to dispose of is of no further value to the business. And, of course, someone must be responsible for ensuring that disposal is happening on a regular basis, and according to your policies.
4. Automate where you can with metadata
Identifying data that may be due for disposal is a lot easier if you hold the relevant metadata to, at the very least, produce a report. Products also exist to automatically flag information that may be due for disposal.
5. Understand how to dispose of data securely
Personal information may be retained in a variety of formats and require a range of disposal strategies. For example, personal information contained in documents and emails may be easier to dispose of than personal information retained in databases, logs or audit trails. Once destroyed, the information should be ‘beyond use’ or otherwise ‘irretrievable’. What you don’t want is to ‘dispose’ of your information, only to find that the information is floating down the street or being sold on to other parties.
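As an added illustration (not elevenM’s code or any product’s), the Python sketch below ties tips 1 to 4 together: a retention schedule keyed by information type, an Information Asset Register with owner, location and last-activity metadata, and a report of what is due for disposal grouped by Data Owner. Every information type, retention period, date and name in it is constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
# Retention schedule (tip 1): information type -> (years to retain, disposal action).
# Constructed sample values, not a real schedule.
RETENTION_SCHEDULE = {
    "customer_identity_documents": (7, "destroy"),
    "marketing_preferences": (2, "destroy"),
    "transaction_records": (7, "de-identify"),
}

@dataclass
class Asset:
    """One Information Asset Register row (tip 2) with the metadata tips 3 and 4 rely on."""
    name: str
    info_type: str
    location: str        # where the information is stored
    owner: str           # Data Owner who approves disposal
    last_activity: date  # starts the retention clock

def add_years(d, years):
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def due_for_disposal(register, schedule, today):
    """Return (asset, action) pairs for assets whose retention period has expired."""
    due = []
    for asset in register:
        # An unknown type gets 0 years so it surfaces now as 'review' instead of being silently kept.
        years, action = schedule.get(asset.info_type, (0, "review"))
        if add_years(asset.last_activity, years) <= today:
            due.append((asset, action))
    return due

def report_by_owner(due):
    """Group due items by Data Owner so each owner can approve the disposal action."""
    report = {}
    for asset, action in due:
        report.setdefault(asset.owner, []).append((asset.name, asset.location, action))
    return report
# Constructed register entries and review date for the demonstration.
REGISTER = [
    Asset("legacy_loan_applications", "customer_identity_documents", "archive-db", "Alice", date(2012, 3, 15)),
    Asset("crm_opt_ins", "marketing_preferences", "crm", "Bob", date(2022, 1, 10)),
    Asset("ledger_2014", "transaction_records", "erp", "Alice", date(2014, 6, 30)),
    Asset("ops_logs", "server_logs", "siem", "Carol", date(2016, 2, 29)),
]
REVIEW_DATE = date(2023, 6, 1)
```

Run against the sample register, `report_by_owner(due_for_disposal(REGISTER, RETENTION_SCHEDULE, REVIEW_DATE))` lists Alice’s two expired assets with their actions and flags Carol’s unscheduled logs for review, while Bob’s still-current opt-ins are left alone.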
If you’re interested in learning more about data minimisation, or building a robust retention and disposal program, or about data governance more broadly, contact us at hello@elevenM.com.au or on 1300 003 922.