Increase compliance with data redaction

To comply with Australian privacy legislation

Increased focus on privacy and the security of personal data in our digital world is a risk for every organisation – both commercial and government. Under privacy regimes such as Australia’s Privacy Act, the new Consumer Data Right (CDR), and the EU’s general data protection regulation (GDPR) reporting of data breaches is now mandatory. In addition to loss of reputation and trust, transgressors – including responsible executives and directors – can be hit by significant fines.

Australia’s privacy watchdog, the Office of the Australian Information Commissioner (OAIC), recorded 518 breaches in the first half of 2020 alone. While the total number of breaches declined by 3% compared to the last half of 2019, the number caused by human error now accounts for around one third – as opposed to malicious or criminal attacks (61%) and system faults (5%). Significantly, the human error factor was up 7% to represent 176 incidents.

How do human error breaches occur?

Of the 176 incidents reported to OAIC, there were 49 cases of personal information sent to the wrong email address, 40 where it was unintentionally disclosed, ten incidents where information was wrongly shared because it was not redacted, and four incidents where data was disposed of in an insecure way.

While the majority of these cases would have been accidental, preventing them has become a significant task. In one example, government agency Services Australia recently admitted that mishandling of personal information had formed a significant part of the 988 ‘substantiated’ privacy incidents it experienced during fiscal 2017-18.

Obviously, user education is essential in the battle to protect data from escaping your organisation inappropriately. Processes can be instituted – and staff trained – to filter and redact personal and sensitive information manually before data is shared. However, human error being what it is, even this is no guarantee against breaches – and once your customers’ data is ‘in the wild’, it can be there forever. How easy is it for someone to add email recipients to the CC instead of BCC field, for example, with the result that email contact addresses are sent far and wide? There are some technical fixes you can deploy to prevent this – and continuous data redaction is perhaps the most effective weapon in your armoury.

What is data redaction?

To help our customers with data privacy compliance, we have introduced integrated automatic data filtering and redaction capabilities into our 2020B release. For users of our Enterprise SaaS ERP platform, this ensures that sensitive personal data can be identified and automatically protected across all applications.

Automatic redaction uses templates to identify personal data that can be used to uniquely identify an individual, like tax file numbers, credit card details, personal contact and identity details, and so on. Such data is automatically detected and redacted whenever information is read, processed or sent – providing built-in protection of personal information and related metadata without any involvement by the users in question.

The reason that automatic data redaction is so highly effective is that it ensures that data subjects cannot be identified from the wide range of enterprise data you hold across multiple systems. Redaction is not deletion; the original data is preserved but access to it can be controlled with role-based policies that prevent employees from accessing and sharing data they shouldn’t be able to access.

In addition to protecting your customers’ data, redaction can also prevent your employees from accidentally printing, emailing or otherwise sharing data that could compromise the privacy of your employees, customers and business partners.

Why must this become an everyday exercise?

The EU’s GDPR legislation has become the ‘gold standard’ of personal data protection. While your organisation may not need to comply with it if you do not hold data about EU citizens or conduct business there, following its guidelines does set best practice.

GDPR Article 5 states that data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. The implication of this standard is that data redaction must take place on a highly regular basis. Once a month is unacceptable – because holding unredacted (and therefore vulnerable) data for longer than a few hours is typically ‘longer than necessary’.

A huge advantage of automatic data reduction is that it is a repeatable, reliable way of iteratively protecting personal data based on pre-defined business rules. This saves you effort and costs in remaining compliant with the relevant privacy regimes.

How do we make it easy to comply?

Being able to automatically identify personal data is becoming even more important with the implementation of Australia’s Consumer Data Right (CDR) legislation, which requires companies in certain industries to provide data to consumers – or their appointed representatives – when they request it.

CDR supports Australia’s new open banking regime, but its lessons are relevant whether your organisation is directly affected by CDR or not. Its provisions for data access, for example, echo the freedom of information (FOI) provisions that have long provided for the controlled release of government data. FOI releases are typically screened and sensitive data redacted; for you to provide the same level of protection for CDR data, it is equally important to be able to identify and filter sensitive data in the same way.

Automatic data reduction removes a major part of the sheer effort of compliance with CDR and other privacy regimes – as well as helping protect your brand reputation and the trust of your customers and business partners.

How transitioning to SaaS helps

With the release of our 2020B software update, all of our global SaaS  customers have the ability to automate data redaction across all their TechnologyOne applications. This gives them control over access to the data they hold throughout its lifecycle – from collection, through to retention for auditing purposes and final destruction.

Importantly, it gives them the ability to demonstrate this capability to customers, business partners or authorities at any point – confirming that they are only using data for the reason they said they would, and are only retaining it as long as is absolutely necessary to complete that business use.

Publish date

02 Dec 2020

Explore our industry hubs for content, resources and advice tailored to you.

Ready to learn more?

If you would like to implement redaction to secure the personal or sensitive data you hold, talk to your TechnologyOne Account Manager today.