Our client for this engagement was an Australian airline with a large customer base and loyalty program.
Background
As a business that handles large volumes of personal and sensitive information, our client was undertaking a program of work to minimise its data risk. It sought a vendor that could help it avoid the over-retention of personal information across the enterprise. The client understood the regulatory recordkeeping obligations affecting its industry but needed a way to ensure that these were reconciled with obligations under the Privacy Act to only retain personal information for as long as it was needed. In addition, it wanted to ensure that any extant personal information was being routinely deleted or de-identified, where appropriate.
Our role
elevenM’s information and data governance specialists worked with our client to develop a retention and disposal policy and a comprehensive set of retention and disposal rules. This involved interviewing teams, mapping business processes, and documenting business and legal requirements to identify minimum retention requirements for information in all formats, including data in business systems. We identified and prioritised systems with higher privacy risk for implementation of the rules to ensure deletion or de-identification of eligible personal information (PI).
What we did
elevenM delivered a suite of retention and disposal documents which:
- established policy covering the roles, responsibilities and key obligations for the retention and disposal of data across the business
- described classes of data and their minimum retention requirements, mapped to the source/s for those requirements
- detailed a set of governance arrangements and a prioritised plan for the implementation of the retention and disposal rules in current systems and other environments, such as SharePoint and network drives.