Dealing with Privacy in Legacy Information Management Systems

Claiming to be in compliance with privacy laws is simple, but staying in compliance is a whole other matter. Dealing with privacy concerns in antiquated IT systems, a widespread issue in Australia, presents specific difficulties. The problem with legacy systems is that they are subject to privacy rules like the Australian Privacy Act, so businesses must make sure those systems are not collecting, using, or retaining personal data in ways that breach these laws. The consequences of not abiding by privacy regulations are severe, since Australian privacy regulators are known for levying steep fines and penalties for privacy violations. Given the growing volume of personal data held in IT systems, organisations must make privacy a priority.

Rarely are legacy systems organised

Privacy compliance presupposes a great deal: that personal information (PI) sits in distinct, manageable silos, that those silos can be managed on the basis of both legal requirement and data type, and even that data relating to a specific individual can be identified, segregated, and managed uniquely. Of course, if your data is held as a large collection of very small clusters, you can apply very specific rules to each of them. Even under ideal conditions, all of that is a lot to ask, but with outdated systems it is sometimes an impossible request.

The systems were never intended to achieve this level of compliance, and almost always, data input and structuring practices did not account for this kind of compliance scenario. As a result, the data is hopelessly mixed up, inadequately identified, and otherwise poorly organised for privacy management. The situation becomes even more problematic in a large-scale IT environment that may contain hundreds of thousands of legacy systems; there may not even be sound institutional knowledge of what data is in which systems, much less in-depth knowledge of how the data is structured and segregated, what metadata it carries, or its other characteristics. Consequently, the organisation frequently has no genuine strategy for bringing its legacy IT infrastructure into compliance and is nowhere near privacy compliant.

Fortunately, there is a way to at least partially correct this situation. Partial compliance is far preferable to none, and regulators base the level of fines and other penalties in part on their assessment of how seriously the organisation takes the issue and the efforts it has made to address it, so any constructive action you take will be beneficial. So how do you start?

Evaluate the data silos

You should first make an inventory of your IT assets to determine which systems and repositories store personal information, as well as the precise categories of personal information present in each system and repository. That may be harder to obtain than you might imagine, because larger, more decentralised organisations frequently lack institutional knowledge of the precise workings of their own IT systems. At the very least, you need a list of the main suspects and what would be of interest in each of them.

Setting priorities is the next stage. Some systems and repositories will contain a lot of PI, while others won't. Personal information is not all created equal: certain types of PI pose a far greater risk to the organisation than others in the event of a data breach, excessive retention, or other non-compliance. Personal financial information and personal medical information are examples. Since money and other resources are always limited, you should allocate them where they will have the biggest impact on actual compliance, and on convincing regulators that you mean business should you find yourself the subject of a privacy audit. Also keep in mind that not all systems are created equal. You don't want to pass up an easy win in the shape of low-hanging fruit: a system that can be remedied swiftly and affordably.

IT Collaboration for Correction

You must now take meaningful corrective action. The going gets a little rougher at that point. You start with a compliance model that is the platonic ideal, complete with a retention schedule, policies for access limitation, and all the other privacy management functions that, in a perfect world, an IT system would perform. Then, for each system, you must decide how close you can get to that platonic ideal given the system's features and the data it contains, budgetary and other resource constraints, business needs, and any other relevant factors. You are asking a lot of work from IT professionals who already have a lot on their plates, but you need them to bring you as near to complete compliance as is practical in the real world, so push back if they say it is impossible.

However, you must also keep in mind that a legacy system can rarely be brought exactly into compliance with your platonic ideal, so "as close as possible" is the operative phrase. Having, documenting, and carrying out a "best achievable" plan and result for every system or repository is the ultimate objective. When the privacy regulator knocks on your door, you can say, "It's not perfect, but it's the best real-world outcome realistically available." Doing so will at least lessen fines and may even eliminate them.

You're done after carrying out the procedure described above a few dozen, a few hundred, or even a few thousand times. If it is a few hundred or a few thousand, however, that will take considerable time, which makes prioritisation even more crucial. High-risk situations demand your immediate attention and should not be put off for years.

Starting is the Most Important Step

Because of the size of the issue, it is easy to get stuck. Your most crucial action is to start and to create a plan. First of all, it shows that your company is trying to solve the issue, and even that by itself lowers your risk. More importantly, if you approach the problem methodically and take on the elephant one bite at a time, you can eventually produce some notable results. Those bites will pile up, and with each one you take, your risk decreases at least slightly and perhaps significantly.