9 August 2023

Data processing inventories: Part 1 — Why are you collecting it in the first place?

Laura McVey
Manager

In the first of this five-part blog series about data processing inventories, elevenM’s Laura McVey asks organisations to think about data minimisation principles and reassess what they actually need to collect about individuals.

A data processing inventory (DPI) enables organisations to understand and articulate exactly what personal information they collect, for what purpose, and how it is used and disclosed. It supports mapping of information flows, risk management, and access and correction requirements.

In this five-part series, we look at the questions to ask when thinking about implementing a data processing inventory, how to go about developing your DPI, tools to assist with assembling and maintaining your DPI, and the importance of keeping your DPI up to date.

You can jump to the other posts when they have been published using the links at the bottom of this post.

Do you know what you’re collecting?

It is a clearly stated requirement of Australian Privacy Principle 3 that organisations should only collect personal information when it is required for their business. In light of the steady increase in the number of data breaches being reported, and with new privacy legislation changes looming, now is a great time to stop and review what personal information your organisation is collecting. It is important to ask:

  • “Do we know what personal information we are collecting about individuals?”
  • “Do we notify individuals that we collect this personal information in the proper way?”

If you said “no” (or even “I don’t know”) to either of the above questions, then it’s time to start thinking about the information that you collect.

Organisations that are subject to the Privacy Act should be able to clearly articulate what data they are collecting and be able to easily access this information. If your organisation can’t do this, then you risk not complying with the APPs.

And that’s not to mention the additional risks to your organisation’s customers and reputation. As we have noted previously, “the more information an organisations holds, the more data it has to manage, store and secure” and “the greater the likely risk and breadth of harm in the case of a data breach.” Knowing what you are collecting and why is the first step in addressing this risk.

Being able to answer the above questions enables your organisation to:

  1. put risk mitigation strategies in place for medium to high-risk data collections
  2. be more prepared if/ when a data breach occurs  
  3. be proactive in planning for privacy law reform changes or any regulatory change.

When collecting personal information, organisations must also take whatever steps are reasonable in the circumstances to notify individuals of the collection in a timely way (this is sometimes called a “collection notice” “collection statement” or “privacy notice”). These notices should clearly articulate:

  • who the organisation is
  • the way that personal information will be collected
  • the reason that the information is being collected
  • if the collection is required or authorised by law
  • the consequences if the organisation doesn’t collect the personal information
  • if there are any disclosures involving the personal information including overseas
  • where individuals can obtain more information about an organisation’s privacy policy.

Providing this information helps to build trust with individuals and ensure that individuals are making informed decisions when sharing their data with organisations. If you don’t know what information you are collecting, or what you’re collecting it for, you won’t be able to accurately provide this collection notice.

Not sure where to start?

Knowing the data collections in your business is a good place to start. A data processing inventory can assist with this. Clearly articulating what is being collected, by who, when and for what reason can provide huge insights to organisations. It will also highlight where personal information is being collected inappropriately or without a clear purpose in the notification of collection or privacy policy.  It is also a great tool for identifying where an organisation can make small tweaks in what is being collected. For example:

  • Does an individual’s DOB need to be collected or is the month/year enough to send birthday vouchers?
  • Does an individual’s address need to be collected or is suburb sufficient?
  • Does an email and mobile number need to be mandatory or can an individual choose which one to provide?

Data processing inventories also provide further insights to organisations by highlighting how the information is used and shared. Utilising the various components of a data processing inventory, a risk rating can be applied to highlight where low, medium, or high-risk processes occur so the correct controls can be put in place to manage these risks.

In the next blog of this series, we will look at taking a process-based approach.

Read all the blogs in this series:

Contact us

If you’re interested in learning more about how to implement data controls, contact us at hello@elevenM.com.au or on 1300 003 922.