Does your business really need to keep that data?
Research news
To mark Privacy Awareness Week, Industry Professor Phillip Magness at Deakin's Centre for Cyber Security Research and Innovation argues businesses should carefully consider how much personal information they keep, given the risks of a data breach.
An area of privacy that often receives less attention than others is data retention. In my experience, individuals and organisations continue to hold personal information long after they need it, perhaps for fear of deleting something they may need "one day, for something, maybe", or perhaps because they are uncertain what their retention requirements actually are.
In summary, Australian Privacy Principle 11.2 requires an entity bound by the Privacy Act to take reasonable steps to destroy or de-identify personal information once the entity no longer needs it for any purpose for which it may be used or disclosed under the APPs, unless the information is contained in a Commonwealth record or the entity is required by law or a court or tribunal order to retain it.
Seems simple. But for an organisation this requires understanding its regulatory record-keeping obligations, any retention requirements specific to its industry or professional body, how long the information is genuinely needed for business operations, and more.
It is no doubt complex, but that complexity must be balanced against the exposure a data breach would create. Organisations in particular should consider how much personal information a malicious actor would gain access to if a single email account, network drive or database were compromised: every record retained past its useful life is a record that can be exfiltrated, and a record whose owner must then be notified.
Perhaps start by asking the questions:
- Do we truly know how much personal information we are holding and where it is?
- Can we tell how old the personal information we are holding is, particularly if we have moved it around?
- Does the benefit in continuing to hold the personal information outweigh the risk of exposure from a data breach?
- How many customers (old or new) would we need to inform if a data breach occurred?
- What would we say to our customers when they ask "Why do you still have this information?"
Privacy Awareness Week is a good time to take stock of how much personal information we are holding in systems that are reachable from the internet. Reducing that volume goes a long way towards limiting the impact of exposure should a data breach occur.
Phillip Magness is Industry Professor at Deakin’s Centre for Cyber Security and Innovation and Lawyer & National Forensic Technology Manager at Corrs Chambers Westgarth.
The Centre for Cyber Resilience and Trust (CREST)
Based within Deakin's Faculty of Science, Engineering and Built Environment, CREST takes a holistic approach to cyber security, addressing the technological and human aspects of cyber security as well as law, regulation and policy. It offers a cyber ecosystem that spans education, research and translation across all relevant disciplines.
That ecosystem includes CREST, CyRise (the Southern Hemisphere's only dedicated cyber security accelerator), the Institute for Intelligent Systems Research and Innovation (IISRI), Deakin Energy, the Applied Artificial Intelligence Institute (A2I2) and the Centre for Supply Chain and Logistics.
Deakin's business partners in cyber security range from companies such as DXC Technology, NTT, CyberCX, PwC and Deloitte through to global automotive companies, defence and government agencies.