
Data Governance - Balancing Regulation Against Operational Practice

Written by Mel Gillies | Mar 10, 2021 2:35:03 AM

How confident is your organisation with safeguarding important information from corruption, compromise, or loss? 

As organisations generate and store ever-increasing volumes of data, the security and governance of that data have never been more important. Solid data governance structures are essential to digital security, which relies on an organisation knowing where its data flows, with whom it is shared, where it lives at rest, and for how long it is retained. Left unchecked, gaps in that knowledge increase the likelihood of cyber incidents, because they increase both risk and the potential exposure of data.

The Office of the Victorian Information Commissioner (OVIC) is one of the first privacy regulators to provide a data governance framework (the VPDSF) that is freely available and can be used by any organisation to mitigate cyber vulnerabilities. This blog explains how important it is to have a data governance structure in place to safeguard and protect your organisation’s data assets. A case study is included that shares the approach taken by an organisation to benchmark against the VPDSF, resulting in the scoping of a two-year information security roadmap based on its gap analysis against the framework.

So, what does a solid data governance structure look like? 

Many organisations are in reactive mode when it comes to data governance, tightening up their security after a cyber incident or data breach happens, or updating their processes and policies only after new legislation is passed. This approach is not only more costly than building in proper processes from the start; it also creates significant operational, financial, and reputational risk for organisations.

The approach towards, and structure of, data governance can become convoluted as organisations face the complexity of what seem like forever-changing data privacy regulations. Poor data visibility makes safeguarding data and complying with privacy laws and information security frameworks far more difficult. In fact, poor data visibility can lead to an organisation unwittingly exposing data or becoming noncompliant with these regulations. Regardless of how well an organisation understands and values privacy and cyber security, the continuing advance of technology and digitalisation brings with it a general perception that data is under threat.

Data Governance Regulation in Victoria 

For Victorian public sector organisations, OVIC introduced the VPDSF in June 2016. Established under Part 4 of the Privacy and Data Protection Act 2014, the VPDSF provides direction to Victorian public sector agencies or bodies on their data security obligations. A significant step in data governance for any organisation, not just Victorian public sector agencies, the VPDSF offers a framework that not only raises data visibility, but offers a structure that:

  1. identifies the organisation’s risk posture, and
  2. mitigates those risks to ensure the safety and security of its data assets.

Whilst Victorian public sector agencies are bound by Victoria’s privacy regulation, and required to submit a Protective Data Security Plan to OVIC every two years, all organisations can benefit from benchmarking themselves against the VPDSF. This is of particular significance if your current approach towards, and implementation of, a Privacy Program is still in its infancy. In comparison to more globally recognised information security frameworks, such as ISO/IEC 27001 (Information Security Management Systems), the VPDSF is the ideal “first pass” to get baseline structures, processes and security controls in place for any organisation, regardless of size or sector.

Alpine Shire Council: Benchmarking Against the VPDSF 

In August 2020, Alpine Shire Council completed its benchmark against the VPDSF, including the scoping and submission of its 2020 – 2022 Protective Data Security Plan. “We had ad hoc structures and processes in place,” said the Council’s Manager of Customer and Digital Projects, which meant the Council was “completing the forms and attestations to the best of our ability a few days before they were due.” Alpine Shire Council acknowledged having an immature ICT and data security framework that gave limited insight into the Council’s compliance with OVIC regulation and standards. As such, it engaged RTG’s Risk Consultancy team to complete a thorough risk assessment of its IT infrastructure and data ecosystem, benchmarking against the 12 standards of the VPDSF.

A key outcome of this engagement was the scoping of an IT data protection and governance structure that not only allowed the Council to submit its mandated security plan, but also identified a set of information security initiatives to reduce the risk to the Council’s data assets in a timely, proactive, and measured way.


Alpine Shire Council has used findings from RTG’s IT Data Protection and Governance project to: 

  • submit the Council’s Protective Data Security Plan as required by OVIC regulation;
  • benchmark the existence of, and adherence to, information security best practice and OVIC data privacy regulations;
  • ascertain the Council’s preparedness to respond to a digital incident, including the design of customised treatment plans for identified cyber risks. These treatment plans formed the scope of the Council’s digitised Risk Register;
  • design a Statement of Applicability Tool created especially for the Council to ensure the implementation and effectiveness of its IT governance framework remain ongoing and sustainable.

When done right, data governance raises data visibility while reducing vulnerability. It requires a robust risk assessment to ensure an organisation knows what data it has, how that data should be handled, and how it can be used to benefit everyday business operations, objectives, and stakeholder practice. Because there are so many ways data could be lost or compromised, organisations must take a multifaceted approach to protecting their data ecosystems and IT infrastructure.

Do you know the type of data you collect and how it’s shared, processed, and stored? 

If you don’t know, it is difficult to tell whether you are meeting the privacy requirements and regulatory expectations that apply to your business. To protect your information of value, you must know about it: not just that you have it, but where you hold it and where you allow it to go. If you don’t know what your information of value is, or where you allow it to flow, you have no way to ensure that the right security is applied to it.

Regardless of where you are on your data security and risk management journey, RTG can assist your organisation in meeting its privacy and legislative requirements. Having worked with a number of teams to build Privacy and Security Programs that are fit for purpose for the needs and nuances of each organisation, we are keen to connect and share insights on some ‘quick wins’ and ultimate ‘game changers’ among information security initiatives. By completing a short, 10-minute survey, you can receive advice on your organisation’s current risk profile and next steps in securing and protecting your entire data ecosystem.

Connect with us to learn more about completing our Risk Management Profile Survey.

(e) mgillies@rtg.com.au

(p) 1300 362 456