Digging deep on ECEC data collection – how much is too much, Deakin expert asks
While making sure that adequate data is kept on children and their families is a core aspect of complying with the National Laws and Regulations, there is a need for businesses of all kinds, including those operating in early childhood education and care (ECEC) settings, to carefully consider how much personal information they keep, given the risks of a data breach.
To mark Privacy Awareness Week, which was acknowledged earlier this month, Industry Professor Phillip Magness from Deakin’s Centre for Cyber Security Research and Innovation has issued some guidance and reflection for businesses around data retention.
“In my experience, individuals and organisations continue to hold personal information when they don’t really need it anymore; perhaps for fear of deleting something that they may need ‘one day, for something, maybe’ or perhaps because they are uncertain about their retention requirements,” he explained.
In summary, the Professor continued, the Australian Privacy Principles require an entity that is bound by the Privacy Act to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it was collected.
Seems simple enough…but for an organisation this requires understanding its regulatory requirements for record keeping, retention requirements that may be specific to an industry or professional body, the need to hold the information for business operations and more.
In an ECEC context, where records of injuries, incidents, complaints and other issues must be kept for mandated time periods, this becomes more complex.
While there is complexity, “this must be balanced against the risk of exposure from a data breach,” Professor Magness warned.
“I think that organisations, in particular, should consider how much personal information a malicious actor may have access to, should a breach of an email account, network drive or database occur.”
He offered the following questions as points of reflection:
- Do we truly know how much personal information we are holding and where it is?
- Can we tell how old the personal information we are holding is, particularly if we have moved it around?
- Does the benefit in continuing to hold the personal information outweigh the risk of exposure from a data breach?
- How many customers (old or new) would we need to inform if a data breach occurred?
- What would we say to our customers when they ask “Why do you still have this information?”
Privacy Awareness Week, he continued, is “a great time to pay attention to how much data we are holding that is accessible online.”
This, he said, will go a long way to minimising the impact of exposure should a data breach occur.
For more information about safe record keeping in early childhood education and care (ECEC) settings, please see here.