Finance regulator issues draft data protection guide

The Australian Prudential Regulation Authority (APRA) has encouraged organisations to adopt a systematic, risk-based approach to protecting their data in a draft guide released this week.

The draft guide (pdf) was more than a year in the making and built on APRA’s March 2007 letter about data management principles.

It urged financial services providers to classify data based on business criticality and sensitivity, so as to assess risks posed by theft, corruption or unavailability, inaccuracy and disclosure.

“The use of data and its application, retention, storage and security have become highly important with increasing automation and the criticality of data to decision-making,” APRA stated.

“It is critical that institutions ensure data is complete, accurate and reliable so they are able to meet their obligations to their beneficiaries, whether it be paying out a depositor’s funds, paying an insurance claim or making payments to a superannuation fund member.”

APRA called for a “principles-based approach” to data risk management that limited access to data, encouraged automation, and ensured data quality by having data validation, correction and cleansing occur as close to the point of capture as possible.

The regulator encouraged the timely detection and reporting of data issues to minimise their impacts, and noted that organisations should assume that staff “do not know what data management policies and procedures are”.

As such, it said organisations should regularly educate users on their data management responsibilities and incorporate it as a component of their performance plans.

Addressing outsourcing, offshoring risks

In recent years, Australian banks and insurers have struggled to balance the efficiency benefits of cloud computing with regulatory requirements.

APRA noted in its draft guide that institutions needed to be “fully aware of the risks involved” highlighted risks posed by outsourcing and offshoring IT services.

It said it would require institutions to demonstrate: their ability to continue operations should their outsourcing provider suffer an outage; maintain the quality of critical or sensitive data; and comply with legal and regulatory requirements.

Outsourcing should not introduce any impediments — from jurisdictional hurdles or technical complications — to APRA being able to fulfil its duties as a prudential regulator, it said.

APRA has invited comments on the draft guide by 29 March 2013. An APRA spokesman expected a formal guide to be introduced in the second quarter of next year.