IVI Framework Viewer

Information Life-Cycles

C4

Provide input to information life-cycle planning to identify, acquire, process, preserve, and/or destroy personal data to meet business, regulatory, and legal requirements, including those identified in privacy impact assessments.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Information Life-Cycles at each level of maturity.

1 Initial
  • Practice
    Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
    Outcome
    Conformance and/or compliance is informal and inconsistent.
  • Practice
    Define data classifications and provide guidance for associated protection levels and access control.
    Outcome
    Attributes facilitate the management and understanding of the quality of data for some data.
    Metric
    % personal data fields with appropriate quality attributes or meta data to manage their quality.
  • Practice
    Develop and use processes to identify personal data.
    Outcomes
    • Some business units proactively monitor and implement data defect remedies.
    • Some business units notify third parties when appropriate.
    • Organisational learning takes steps to minimise future defects.
    Metrics
    • % personal data fields with appropriate quality attributes or meta data to manage their quality.
    • # meta data adjustments for personal data management.
  • Practice
    Manage personal data within information life-cycles.
    Outcomes
    • Organisation proactively monitors and implements data defect remedies.
    • The organization notifies third parties when appropriate.
    • Organisational learning takes steps to minimise future defects.
    Metrics
    • % personal data fields with appropriate quality attributes or meta data to manage their quality.
    • # meta data adjustments for personal data management.
  • Practice
    Manage the tools, data protection solutions and the staff assigned for data protection purposes.
    Outcome
    Organisation proactively monitors by use of system designs that provide appropriate supports for data defect remedy across the business ecosystem.
    Metric
    % data that is automatically quality controlled.
  • Practice
    Specify and utilize specific data protection tools/products and resources.
    Outcome
    Data protection processing conformance and/or compliance criteria (if any) are ad hoc.
2 Basic
  • Practice
    Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
    Outcomes
    • Function or business unit policies for data protection exist.
    • Data protection awareness established where processing occurs.
    Metric
    # business units using defined personal data processes.
  • Practice
    Define data classifications and provide guidance for associated protection levels and access control.
    Outcome
    Direct traceability between processing and specific purposes is maintained across some business units.
    Metrics
    • # Views exposing personal data fields at each specific purpose life cycle stage.
    • % Views exposing personal data in uses other than the specific purpose uses.
    • % Architects, data modellers and solutions designers and developers with specific purpose training.
  • Practice
    Develop and use processes to identify personal data.
    Outcome
    Direct traceability between processing and specific purposes is maintained across the organization.
    Metrics
    • # Views exposing personal data fields at each specific purpose life cycle stage.
    • % Views exposing personal data in uses other than the specific purpose uses.
    • % Architects, data modellers and solutions designers and developers with specific purpose training.
  • Practice
    Manage personal data within information life-cycles.
    Outcome
    Direct traceability between processing and specific purposes is maintained across the business ecosystem.
    Metric
    # Audits on specific purpose usage throughout the entire ecosystem.
  • Practice
    Manage the tools, data protection solutions and the staff assigned for data protection purposes.
    Outcome
    Access rights managed ad hoc.
  • Practice
    Specify and utilize specific data protection tools/products and resources.
    Outcome
    Basic personal data risk management.
    Metric
    # data protection threats mitigated or accepted and being monitored.
3 Intermediate
  • Practice
    Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
    Outcome
    Formal authorization process for access rights that are responsibly used.
    Metric
    # data protection threats mitigated or accepted and being monitored.
  • Practice
    Define data classifications and provide guidance for associated protection levels and access control.
    Outcome
    Access rights based on specific purpose have been implemented enterprise-wide.
    Metrics
    • # data protection threats mitigated or accepted and being monitored.
    • % Staff accesses to personal data that are monitored.
  • Practice
    Develop and use processes to identify personal data.
    Outcome
    Access rights are dynamic and flexible to respond to business, IT, or personnel changes.
    Metrics
    • % staff that are continuously monitored on access to personal data.
    • # incidents raised that led to retraining of staff on access rights.
  • Practice
    Manage personal data within information life-cycles.
    Outcome
    Personal data risks are not defined or are defined ad hoc.
  • Practice
    Manage the tools, data protection solutions and the staff assigned for data protection purposes.
    Outcome
    Basic personal data risks are identified and assessed.
    Metric
    ~ data protection threats and vulnerabilities identified.
  • Practice
    Specify and utilize specific data protection tools/products and resources.
    Outcome
    Personal data risks are consistently identified, assessed and managed by some business units.
    Metric
    ~ data protection threats and vulnerabilities identified.
4 Advanced
  • Practice
    Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
    Outcome
    Personal data risks are defined, assessed and managed organization-wide.
    Metric
    ~ data protection threats identified.
  • Practice
    Define data classifications and provide guidance for associated protection levels and access control.
    Outcome
    Personal data risks are defined, assessed and managed with the business ecosystem; benchmarked and continuously improved.
    Metrics
    • ~ internal threats and vulnerabilities automatically identified.
    • % third parties continuously monitored for vulnerabilities.
  • Practice
    Develop and use processes to identify personal data.
    Outcome
    Personal data security practices are not defined or are defined ad hoc.
  • Practice
    Manage personal data within information life-cycles.
    Outcome
    Personal data security practices considered but not consistently agreed or implemented.
    Metric
    % Staff trained and made aware of personal data security criteria and associated security practices.
  • Practice
    Manage the tools, data protection solutions and the staff assigned for data protection purposes.
    Outcome
    Personal data security practices agreed/implemented by some business units.
    Metric
    % Staff trained and made aware of personal data security criteria and associated security practices.
  • Practice
    Specify and utilize specific data protection tools/products and resources.
    Outcome
    Personal data security practices framework developed and implemented organization-wide.
    Metric
    % Staff trained and made aware of personal data security criteria and associated security practices.
5 Optimized
  • Practice
    Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
    Outcome
    Personal data security practices framework applied across business ecosystem; benchmarked and continuously improved.
    Metrics
    • Frequency at which physical, manual or digital security is reviewed with appropriate improvements implemented.
    • # best practice security standards with which the organization is compliant.
  • Practice
    Define data classifications and provide guidance for associated protection levels and access control.
    Outcome
    Access rights managed ad hoc.
  • Practice
    Develop and use processes to identify personal data.
    Outcome
    Basic access rights management and control is appropriate to the data security classification levels.
    Metrics
    • % Account types linked to highest security level data accessible from the account.
    • % data views linked to highest level data security classification exposed via the view.
  • Practice
    Manage personal data within information life-cycles.
    Outcome
    Formal authorization process for access rights that are responsibly used.
    Metrics
    • % Account types linked to highest security level data accessible from the account.
    • % data views linked to highest level data security classification exposed via the view.
  • Practice
    Manage the tools, data protection solutions and the staff assigned for data protection purposes.
    Outcome
    Access rights based on specific purpose have been implemented enterprise-wide.
    Metrics
    • % Account types linked to highest security level data accessible from the account.
    • % data views linked to highest level data security classification exposed via the view.
  • Practice
    Specify and utilize specific data protection tools/products and resources.
    Outcome
    Access rights are dynamic and flexible to respond to business, IT, or personnel changes.
    Metric
    # Access rights that automatically change due to updates to personal data classifications.