After the Optus, Medibank and Latitude hacks many questions were asked about why organisations were holding data in such large quantities, and for so long.
As we’ve seen, those cyber incidents caused considerable reputational damage. But there have also been privacy breaches where no cyber incident occurred at all, and those have resulted in costly outcomes too.
After the hacks in 2022 the principle of data minimisation was actually discussed in the mainstream media, and for a while, in our organisations.
However, the idea has significantly faded from view in recent times. So we thought we’d remind everyone to ask the question: is your data an asset or a liability?
Every time you make a decision to collect data, the question should be asked: are you collecting more than you need? If data is not being collected in a conscious way, there is a cost to holding that data, and it is a considerable cost.
At this point in Australia, and with our high risk profile, the strategy of collecting data just because you can should by now have been eliminated.
In relation to the data you currently hold:
- have you conducted a data audit – do you know exactly what personal information you hold?
- do you know where your most sensitive data is stored?
- do you know who has access to your data internally and how often those individuals are accessing the data?
- do you know whether your data is up to date and correct?
- have you assessed your third party and other downstream risks?
- do you have a clear and up to date procedure for archiving and/or deleting data which is not required?
And once again we promote the idea of privacy impact assessments: if you’re not doing PIAs, you’re missing out on a low cost tool which delivers very high value in support of risk mitigation.
If we can assist you with integrating the principle of data minimisation in your organisation, please contact us on 1300 264 946.