Current Data focused environment

Recent high profile data breaches and cyber events have led a regulator focus on organisation’s data retention, and deletion policies. Whilst there is a focus such, the reality of the value of data and the need to retain (due to contractual, regulatory or value reasons) remains. The realities of business is that deletion is not that simple. Below we provide more context to the current regulatory position and provide guidance on alternatives to simple deletion.

Regulator position

“While we derive enormous benefit from the digital economy, from technology and products and services, the use of personal information can also create privacy harms, fuel misinformation, cause consumer and competition as well as safety and security harms….. Regulatory cooperation and coordination is evident in our current investigations into the largest data breaches experienced by Australians since the Notifiable Data Breaches scheme commenced in 2018 ….. While any reform will be a matter for government and the Parliament, my message today is there is no better time than now to review your organisation’s privacy practices to make sure they have the basics covered.”

The above paraphrased quote from the keynote address by Australian Information Commissioner and Privacy Commissioner Angelene Falk, launching Privacy Awareness Week 2023 on 1 May 2023 summarises the benefits and risks associated with data.

Unpinned by the OAIC regulatory priorities, for 2022–23, the OAIC’s resources are focused on the prevention of privacy harm with one of four focus areas being the security of personal information The OAIC has been clear that it will prioritise regulatory action where there are serious failures to take reasonable steps to protect personal information or comply with reporting requirements of the Notifiable Data Breaches Scheme, particularly where risks and mitigations have previously been publicised by the OAIC. The personal information security practices of the finance and health sectors will continue to be areas of particular focus, as the top two sectors reporting breaches.

But there is value

However, this does not mean organisations need to dismiss, or forego the opportunity in the value of data. Data – especially in the modern day business environment underpins a large number of business objectives or aligns with key pillars in an organisations strategic plan. Below we have outlined preliminary guidance for organisations around data collection and archiving, when deletion is not a viable, or commercially sensible option (i.e., there may be long term value in data).

RedBelts Guidance

The best way to secure data is to not collect it. However, if you are unsure about destroying the data (i.e.. unnecessary now but could be useful later on?), organisations should consider properly archiving data.

Data archiving is a vital practice that ensures efficient use of storage resources and enhances data security. Archiving stores infrequently accessed data in cost-effective repositories, freeing up primary storage and reducing backup costs.

Additionally, by reducing the volume of active data, it minimizes the risk and impact of potential security incidents.

Conclusion

Thus, data archiving offers an optimal balance between cost, compliance, and security.

If you want to have a chat about data archiving, please reach out to us here.