Our client for this engagement was a large Australian Government enterprise.
Background
Our client came to us seeking a way to better understand their personal information handling practices. Their goals included:
- understanding whether they had any high-risk personal information collection practices requiring additional controls
- identifying relevant classes from their existing retention and disposal schedule for specific data handling processes and systems
- preparing for reforms to the Privacy Act 1988.
Our role
Following our proven, business-centric approach to mapping business processes, we worked with the client to schedule interviews and workshops with a wide range of teams and personnel to understand why and how data was being collected, used and disclosed. Our custom tooling enabled us to apply risk ratings to processes using agreed attributes such as information sensitivity.
What we did
The data processing inventory (DPI) that we delivered for this client comprised almost 400 collection, use or disclosure processes, each risk rated and described by a range of attributes detailing context such as business purpose, systems used and volumes. We mapped each process to the applicable retention rule. We also provided the client with a report detailing the insights derived from the DPI, including:
- collection processes with unclear business purpose, or in need of additional controls to manage privacy risk
- targeted areas for uplift to align with the upcoming privacy law reforms.