Privacy priorities: Why the public sector must establish an effective data inventory

Here, Ray Pathak, VP of data privacy at Exterro, advocates for streamlining data privacy programmes and making them more adaptive given regulatory changes.

Posted 17 August 2022 by Christine Horton

The ICO intends to no longer hand out punitive fines to public sector organisations as part of its three-year strategic plan, instead resorting to more warnings, reprimands and enforcement notices. However, these are still likely to be more numerous and we can also expect the ICO to cast its gaze far wider.

In July 2022 the Information Commissioner’s Office (ICO) released a report highlighting the concerning and widespread use of private email, WhatsApp and text messages by government officials in sharing sensitive information.

In finding that the Department of Health and Social Care (DHSC) had used 29 private WhatsApp accounts, 17 private text message accounts, eight private email accounts and one private LinkedIn account for government business, the regulator made a landmark statement, warning that it may be forced to take formal regulatory action should further incidents or complaints arise.

The messages analysed contained personal data such as names, contact information and work placements, while some of the emails included medical information as well as a reference to the political party membership of one individual.

The report has shone a bright spotlight on the need for public sector and government organisations to adhere to data privacy laws and reveals that they are having trouble with doing so, particularly due to the proliferation of platforms and varying data formats.

So how can public sector agencies ensure they have the right processes in place to handle these requirements? Clearly there’s a need to be more agile and adaptable and for that to happen, organisations need to gain a comprehensive understanding of exactly what information they have, where it’s being shared, and how to protect it.

What is a data inventory and why is it useful?

Improving that understanding begins with the development of a holistic data inventory. Also known as a data map, this is a central location containing up-to-date and detailed information on all your organisation’s data that is neatly identified and organised.

When built correctly, a data inventory can provide critical insights into the types of data an organisation collects, where it is held, who has access to it, and how that data is being used.

Indeed, it’s extremely difficult for any entity to be compliant with key data laws if it doesn’t have an up-to-date and well-maintained data map. Data maps play a vital role in helping to identify data that isn’t being used, is sensitive, or is subject to regulatory or policy controls. They also outline how risky an organisation’s storage practices are.

Data-associated risks can only be assessed when you’re looking at the full data picture. If you don’t know what you’re collecting, how you’re collecting it, or where it’s going, then it’s impossible to protect, manage or process data properly. By not tracking what’s happening with data, you can’t conduct an accurate privacy impact assessment of it, and ultimately you lose control of it.  

It is for this reason that data inventories are imperative in the public sector.

They allow for the development of operational plans designed to minimise any risks pertaining to the data that is being held and allow the disposal of data that isn’t needed. They provide an understanding of the value of data – if it doesn’t have a specific and explicit use and isn’t linked to a lawful purpose, it shouldn’t be processed.

The fact that organisations are responsible for what their third-party vendors do with personal data is problematic for many of them. Again, data mapping can mitigate the challenges of supply chain management, outlining exactly how partner vendors are using and storing any associated data.

Beyond compliance, there are several operational benefits too. Data inventories can help inform roles and responsibilities so the organisation can make intelligent business decisions about how to maximise the value of the data, while also enabling more efficient operations such as improved reporting practices.

Automating your data mapping processes

Of course, data mapping can be complex and challenging in several ways.

Building a holistic data profile can be a major strain on resources, with many organisations failing to complete their development owing to the extreme amount of time it takes. There’s the temptation to take shortcuts, although this then risks omitting important information, rendering the data map far less useful.

For a data map to be effective, it must be comprehensive. In today’s digital world, that means it must account for things like mobile devices and cloud-based applications. Further, it is critical to identify how and by whom these sources are used, and any relevant data that may exist on them.

Data maps also need to be constantly evaluated, updated and assessed for quality. Failing to take this approach usually results in a data map becoming outdated before it provides any real value to the organisation.

Thankfully, there are ways to ease the data mapping burden. Leveraging technology and automation can ensure any data map stays up to date, reducing the resource needed to successfully build and maintain this business-critical asset base.

By knowing where your data is, what it consists of, and how it’s being used, the organisation can undertake vitally important action such as deleting unneeded data to reduce organisational risk while ensuring compliance and operating more efficiently and effectively.

Ray Pathak is VP of data privacy at Exterro.