Information Life-Cycles
Provide input to information life-cycle planning to identify, acquire, process, preserve, and/or destroy personal data to meet business, regulatory, and legal requirements, including those identified in privacy impact assessments.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Information Life-Cycles at each level of maturity.
- 1Initial
- Practice
- Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
- Outcome
- Conformance and/or compliance is informal and inconsistent.
- Practice
- Define data classifications and provide guidance for associated protection levels and access control.
- Outcome
- Attributes facilitate the management and understanding of the quality of data for some data.
- Metric
- % personal data fields with appropriate quality attributes or meta data to manage their quality.
- Practice
- Develop and use processes to identify personal data.
- Outcomes
- Some business units proactively monitor and implement data defect remedies.
- Some business units notify third parties when appropriate.
- Organisational learning takes steps to minimise future defects.
- Metrics
- % personal data fields with appropriate quality attributes or meta data to manage their quality.
- # meta data adjustments for personal data management.
- Practice
- Manage personal data within information life-cycles.
- Outcomes
- Organisation proactively monitors and implements data defect remedies.
- The organization notifies third parties when appropriate.
- Organisational learning takes steps to minimise future defects.
- Metrics
- % personal data fields with appropriate quality attributes or meta data to manage their quality.
- # meta data adjustments for personal data management.
- Practice
- Manage the tools, data protection solutions and the staff assigned for data protection purposes.
- Outcome
- Organisation proactively monitors by use of system designs that provide appropriate supports for data defect remedy across the business ecosystem.
- Metric
- % data that is automatically quality controlled
- Practice
- Specify and utilize specific data protection tools/products and resources.
- Outcome
- Data protection processing conformance and/or compliance criteria (if any) are ad hoc.
- 2Basic
- Practice
- Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
- Outcomes
- Function or business unit policies for data protection exist.
- Data protection awareness established where processing occurs.
- Metric
- # business units using defined personal data processes.
- Practice
- Define data classifications and provide guidance for associated protection levels and access control.
- Outcome
- Direct traceability between processing and specific purposes is maintained across some business units.
- Metrics
- # Views exposing personal data fields at each specific purpose life cycle stage.
- % Views exposing personal data in uses other than the specific purpose uses.
- % Architects, data modellers and solutions designers and developers with specific purpose training.
- Practice
- Develop and use processes to identify personal data.
- Outcome
- Direct traceability between processing and specific purposes is maintained across the organization.
- Metrics
- # Views exposing personal data fields at each specific purpose life cycle stage.
- % Views exposing personal data in uses other than the specific purpose uses.
- % Architects, data modellers and solutions designers and developers with specific purpose training.
- Practice
- Manage personal data within information life-cycles.
- Outcome
- Direct traceability between processing and specific purposes is maintained across the business ecosystem.
- Metric
- # Audits on specific purpose usage through out the entire ecosystem.
- Practice
- Manage the tools, data protection solutions and the staff assigned for data protection purposes.
- Outcome
- Access rights managed ad hoc
- Practice
- Specify and utilize specific data protection tools/products and resources.
- Outcome
- Basic personal data risk management.
- Metric
- # data protection threats mitigated or accepted and being monitored.
- 3Intermediate
- Practice
- Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
- Outcome
- Formal authorization process for access rights that are responsibly used.
- Metric
- # data protection threats mitigated or accepted and being monitored.
- Practice
- Define data classifications and provide guidance for associated protection levels and access control.
- Outcome
- Access rights based on specific purpose have implemented enterprise-wide.
- Metrics
- # data protection threats mitigated or accepted and being monitored.
- % Staff accesses to personal data that are monitored.
- Practice
- Develop and use processes to identify personal data.
- Outcome
- Access rights are dynamic and flexible to respond to business, IT, or personnel changes.
- Metrics
- % staff that are continuously monitored on access to personal data.
- # incidents raised that led to retraining of staff on access rights.
- Practice
- Manage personal data within information life-cycles.
- Outcome
- Personal data risks are not defined or are defined ad hoc.
- Practice
- Manage the tools, data protection solutions and the staff assigned for data protection purposes.
- Outcome
- Basic personal data risks are identified and assessed.
- Metric
- ~ data protection threats and vulnerabilities identified.
- Practice
- Specify and utilize specific data protection tools/products and resources.
- Outcome
- Personal data risks are consistently identified, assessed and managed by some business units.
- Metric
- ~ data protection threats and vulnerabilities identified.
- 4Advanced
- Practice
- Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
- Outcome
- Personal data risks are defined , assessed and managed organization-wide.
- Metric
- ~ data protection threats identified.
- Practice
- Define data classifications and provide guidance for associated protection levels and access control.
- Outcome
- Personal data risks are defined , assessed and managed with the business ecosystem; bench-marked and continuously improved.
- Metrics
- ~ internal threats and vulnerabilities automatically identified.
- % third parties continuously monitored for vulnerabilities.
- Practice
- Develop and use processes to identify personal data.
- Outcome
- Personal data security practices not defined or are defined ad hoc.
- Practice
- Manage personal data within information life-cycles.
- Outcome
- Personal data security practices considered but not consistently agreed or implemented.
- Metric
- % Staff trained and made aware of personal data security criteria and associated security practices.
- Practice
- Manage the tools, data protection solutions and the staff assigned for data protection purposes.
- Outcome
- Personal data security practices agreed/implemented by some business units.
- Metric
- % Staff trained and made aware of personal data security criteria and associated security practices.
- Practice
- Specify and utilize specific data protection tools/products and resources.
- Outcome
- Personal data security practices framework developed and implemented organization wide.
- Metric
- % Staff trained and made aware of personal data security criteria and associated security practices.
- 5Optimized
- Practice
- Analyse and evaluate the risks to privacy by conducting privacy impact assessments.
- Outcome
- Personal data security practices framework applied across business ecosystem; benchmarked and continuously improved.
- Metrics
- Frequency at which physical, manual or digital security is reviewed with appropriate improvements implemented.
- # best practice security standards with which the organization is compliant.
- Practice
- Define data classifications and provide guidance for associated protection levels and access control.
- Outcome
- Access rights managed ad hoc.
- Practice
- Develop and use processes to identify personal data.
- Outcome
- Basic access rights management and control is appropriate to the data security classification levels.
- Metrics
- % Account types linked to highest security level data accessible from the account.
- % data views linked to highest level data security classification exposed via the view.
- Practice
- Manage personal data within information life-cycles.
- Outcome
- Formal authorization process for access rights that are responsibly used.
- Metrics
- % Account types linked to highest security level data accessible from the account.
- % data views linked to highest level data security classification exposed via the view.
- Practice
- Manage the tools, data protection solutions and the staff assigned for data protection purposes.
- Outcome
- Access rights based on specific purpose have implemented enterprise-wide.
- Metrics
- % Account types linked to highest security level data accessible from the account.
- % data views linked to highest level data security classification exposed via the view.
- Practice
- Specify and utilize specific data protection tools/products and resources.
- Outcome
- Access rights are dynamic and flexible to respond to business, IT, or personnel changes.
- Metric
- # Access rights that automatically change due to updates to personal data classifications.