Dealing with the ‘uranium’ that is data

Published on the 27/03/2025 | Written by Heather Wright



Three IT leaders talk data protection in a new era…

“While you need to keep data secure, having data secure in a way that leads to poor patient outcomes, well, no one will thank you for it.”

Christopher Neal, CISO at Ramsay Health Care – an Australian multinational healthcare provider and hospital network – is talking about the fine line security and IT teams tread with data retention and safeguarding data in the evolving AI landscape.


Neal, who fronted a panel on data protection at the Gartner Security and Risk Management Summit in Sydney, says Ramsay Health Care has done extensive work reining in permissions that were, in his own words, ‘out of control’.

That process, he says, wasn’t too painful. More challenging, however, was giving data owners in the business the ability to self-serve, so that if permissions were wrong and someone needed access, someone at the frontline could quickly fix it without having to call IT.

Neal, who dubs data ‘not the new oil, but the new uranium – really useful, but you don’t want to leave it lying around’ – says a key process for Ramsay was getting ‘really crisp’ on what data needed to be kept for medical records versus the data clinicians might want to keep, but which isn’t part of the formal clinical records.

It’s taken more than nine years – the whole of Neal’s tenure at Ramsay so far – to finalise a data retention and deletion policy that was floating around in draft format when he first joined. It was finalised in November 2024.

“That’s the length of time it has taken to get the organisation to agree and be comfortable that we are going to start deleting data.”

Across at property development and funds management company Charter Hall, data retention and deletion is also front of mind for head of group technology Christopher Johnson.

The organisation is currently consolidating circa 30 million files and determining what can be deleted.

Johnson says one thing the organisation quickly discovered was that it wasn’t well versed in jurisdictional obligations around the types of data that needed to be held onto.

“There’s this magic seven-year number which revolves around the statute of limitation… which is a sensible thing to do, but which actually isn’t necessarily the law.”

The solution for Charter Hall came through a Dutch offering, FilersKeepers, which allows users to define the types of information within the organisation and then the system will, down to state level in Australia, tell you the legal requirements for the data.

The company uses it in combination with Microsoft Purview, which can enforce what FilersKeepers outlines.

“That gave us a bit more confidence in implementing a retention strategy. We had had that piece of paper for a long time, but weren’t sure where to start putting it into play.”

Law firm Allens is also grappling with how best to cull old data.

When Bill Tanner, Allens CIO, started in the role, it was a case of keeping everything.

“As the landscape has changed and we see more and more breaches, people realise the risk is increasing by keeping all the data. So we’re being more deliberate now around what it is and how it is that you extract value out of the data and connect it to key business problems,” Tanner says.

“How do we meet in the middle… that is a big focus for us.”

Of course, you can’t talk data without the topic of AI rearing its head – in this case the risks involved with turning AI loose on your data.

It’s a risk Johnson thinks still isn’t being considered enough at CIO level.

“The biggest risk is people don’t think there is a risk.

“I don’t necessarily think businesses are going to blow up, but there can be some very embarrassing conversations that need to be had when you haven’t got permissions right.”

Charter Hall uses Microsoft Copilot. Johnson says while it has some built-in smarts to instantly stop certain more overt types of questions – how much does someone in the organisation earn – there are subtleties that can easily catch companies out.

“For us, we have virtual walls if you like, and funds can’t necessarily see hedging rates between other funds. It was more protecting that type of data that was commercial in confidence, as opposed to the obvious things around payroll data or Covid certificate information.

“It was hard. And you really have to stop and think about what could get you unstuck as an organisation, and have you got your access permissions over-exposed.”

He recounts the story of another organisation which did a pilot for a Copilot-style tool. After a period they said staff could have $50 a month for lunch or have $50 a month for the tool.

“About 60 percent said please don’t ever take this tool away from me. The other 40 percent said they really loved Turkish food!

“If you walk in with the attitude that you can’t shoehorn everyone into using GenAI, that’s a good starting point.”

He urges companies to get style guides and voice usage right ‘relatively early’ when using GenAI, noting that the tone of an organisation, both internally and externally, is important.

“And you have to know how your people are using it and how they are using it scientifically.”

Both Charter Hall and Allens use machine learning-based prompt monitoring to ensure staff are using GenAI wisely.

“We allow any model to be used but we have controls behind the scenes at a technical level as to what prompts can and can’t be pasted in at a browser level. It’s relatively sophisticated tech and if it is something that is potentially sensitive, you just don’t get a result sent back from the model, and then we can have conversations with people,” Johnson says.

All three agree data retention is a key challenge for CIOs and CISOs in the coming year.

“PII data management remains big,” says Tanner.

The changes in the Privacy Act are ‘significant’ and, for those in the legal sector, tranche two of the anti-money laundering reforms, which will hit in July, brings with it the need to collect even more PII data.

“I need to make sure absolutely every system is set up for automatic detection, deletion, securing so it just doesn’t become a problem. We want to mitigate that before it hits us, over and above what we hold today.”

Neal adds that data discoverability is another challenge many organisations will find themselves staring into in the coming year or two.

“People need to be able to delete data if customers, patients, whoever, asks for it.

“In healthcare, many of these systems are not built on modern architecture. They’re not designed for it, but legislation is not going to care. Staring into that is going to be a challenge for the next couple of years.”
