Thoughts on Technology and IT

An article on security I read recently reminded me of a truth that often gets overlooked: security and data systems are only as good as the people using them.

At the centre of this problem is the simple fact that all of us are busy and messy beings. We are wired for convenience and efficiency, always looking for the quickest way to get something done with the least amount of effort. What we consider “worth the effort” changes over time, but the underlying truth does not – nobody willingly invests energy into something that doesn’t return knowable value in some form.

That same principle applies to how we handle information. In many cases, data is an artifact of our work rather than the end product itself. In other roles, data is the product. But regardless of whether data is your raw material, your deliverable, or simply a by-product of achieving a goal, the same challenge applies: when we are focused on the task at hand, we don’t usually stop to consider where the data goes, how it’s stored, or whether we’ll ever need it again. That leaves us with a trail of messy, half-considered processes.

There is another dimension often overlooked: not all the data we work with belongs to us. In many environments, we are custodians of information that truly belongs to others: friends, family, coworkers, clients, students, patients, businesses or organizations. If we do not clearly distinguish between what we own and what we only hold in trust, we risk putting others at harm. Losing or mishandling that data isn’t just an internal problem, it can damage lives, break public trust, and create legal exposure.

In the paper-based world, the mess was visible: piles on desks, folders, filing cabinets. Today, our notes and records sit inside digital tools that give the illusion of being local and instantly at hand, and able to be organized with a bit of elbow grease. That illusion tricks the brain into thinking no extra effort is needed. Rarely do we pause to ask if the information is safe, organized, or even retrievable.

The digital shift adds another layer of responsibility. We no longer just build things – we also have to clean up after ourselves in environments that are far more complex. Our “papers” now scatter across shared drives, email, chat logs, SaaS tools, and cloud platforms outside our direct control. This turns the task of organizing into something more demanding: a scavenger hunt.

That scavenger hunt needs to ask basic but essential questions:

• Where is this data?
• Who owns the data?
• How is it stored?
• How is it accessed?
• Is it secure?
• Who else holds the keys?
• Did I leave it somewhere public, like a digital front porch?
• Most importantly: if it disappears or gets stolen, what is the impact on me—or on the people who actually own it?

If we never stop to ask these questions, we risk losing far more than we realize. The only way forward is to set aside the time for this information scavenger hunt. Identify what data has real value, where it sits, and how to protect it.

The treasures of value are already out there in our scattered systems. The difference between resilience and risk is whether we take the effort to go looking for them.

---

Six Steps for Your Own Data Scavenger Hunt

1. Identify data ownership
   Not all data you work with belongs to you or your organization. Some data is entrusted to you by others. Distinguish between what you own and what you only hold in custody. Custodial responsibility means you must protect the data as carefully as if it were your own, because misuse or loss puts others -not just you – at risk.

2. Map your data sources
   List every tool, platform, and storage location you use: cloud drives, email, chat apps, personal devices, shared folders.

3. Identify critical information
   Separate what is mission-critical from what is incidental. Focus your cleanup on data with business, legal, or security impact.

4. Check access and permissions
   Review who has access to each location. Remove old accounts, expired contractors, or unused shares.

5. Evaluate security controls
   Confirm encryption, backup, and retention policies. Ask if they meet your organization’s compliance and risk standards.

6. Document and repeat
   Record where your important data lives, how it is protected, and when you last checked. Repeat this process regularly—quarterly is a good starting point.

---

When You Work in the Public Sector

If you work in a complex environment such as the public sector, especially under laws like FIPPA, the scavenger hunt becomes more complicated. It’s no longer just about good housekeeping, it’s about meeting legal obligations and proving compliance when challenged.

Start with the basics: separate your personal from your work-related items and keep it clean. Don’t get trapped by convenience. Saving work files into personal drives, email accounts, or devices may feel faster in the moment, but it creates serious compliance risks. Under FIPPA, anything work-related is subject to access-to-information requests, and mixing it with personal content is a recipe for exposure and non-compliance.

A few additional factors make this environment tougher:

• Sovereignty requirements: Information may need to remain in Canada. That means understanding which systems keep data in-country and which rely on global cloud infrastructure.
• Retention rules: You may be legally required to hold on to records for specific periods, even if operationally you’d prefer to delete them.
• Access requests: FIPPA guarantees the public the right to request records. If you don’t know where your data is or can’t retrieve it quickly, you risk non-compliance.
• Audit readiness: Regulators and auditors will not just ask if your data is secure, but whether you can demonstrate how it is managed, accessed, and controlled.

In this context, the scavenger hunt isn’t optional. It is a core part of governance and accountability. For public institutions, the question is not “should we do this?” but “how quickly can we show the evidence that it has been done?”

---

Public-Sector Scavenger Hunt Checklist

1. Identify data ownership
   Begin by clarifying what information your organization truly owns versus what is only held in trust. For example, student records, patient charts, or citizen files remain the property of the individuals or the state—not the staff working with them. Misunderstanding this distinction creates compliance and ethical risks.

2. Verify data location and sovereignty
   Confirm all sensitive information is stored within Canadian data centres when required by policy or law. Document exceptions and approvals.

3. Align retention with legal schedules
   Map each data type against the mandated retention period. Automate where possible, but review for accuracy.

4. Prepare for access-to-information requests
   Test how long it takes to locate and release records. Build processes that minimize scramble when formal requests arrive.

5. Audit access logs
   Ensure you can track who viewed or modified sensitive records. Retain these logs for the legally required period.

6. Document compliance evidence
   Keep clear records of where data lives, how sovereignty is enforced, and how retention schedules are applied. This is your proof in an audit or legal review.

---

Next Actions

1. Schedule your scavenger hunt – Block time in the next quarter or half year point to review your data landscape.

2. Start small – Choose one system or repository and run through the steps before scaling up.

3. Build accountability – Make sure every dataset has a named owner with clear responsibility.

4. Integrate with compliance – Tie scavenger hunts to audits, FIPPA reviews, or security assessments to ensure regular attention.

5. Make it repeatable – Document your process so the scavenger hunt becomes a routine, not a scramble.

6. Reserve resources – As an organization, commit budget and staff time to this work. Treat it as ongoing operational overhead, not a one-time project.