note Note générale

Challenges and best practices: towards improved data retention. The Tomat case study

As part of Montréal in Common, an innovation community led by the City of Montréal and supported by Collectif Récolte, Tomat, a reloadable card-based meal voucher management platform, benefited from personalized coaching to improve the management of their sensitive data and, in the process, develop data retention policies and procedures within their organization.

Through an iterative process divided into several sessions, the organization subsequently implemented basic tactics around the above topics, derived from the Montréal in Common Data Governance Framework. This process involved identifying bottlenecks, formulating hypotheses and reviewing progress, before finally drawing out the lessons learned.

Overview of the organization: Tomat

The Tomat platform is a technological solution that enables participants in a meal voucher program to benefit from a reloadable food card, check the available balance on their account, and enable program managers to manage funds, payments and card distribution.

The platform therefore holds personal data on participants receiving cards and users logging on to the platform. For security reasons, the database is regularly backed up.

Introduction

Data storage is a crucial element in today's information-intensive world. Whether in a professional, personal or academic context, appropriate data management is of paramount importance. In this piece, we will explore the challenges Tomat encountered regarding data retention in relation to their initial problem statement, which concerned the limited management of sensitive and personal data stored within the Tomat platform. Let's take a look at Tomat's journey and their lessons learned about data retention through their targeted support sessions.

The importance of data retention

The first question that arises is, why is it so essential to store data properly? Data is often a valuable asset for organizations, researchers, businesses and even individuals. Effective data management not only preserves the informational legacy, but also enables processes to be optimized, informed decisions to be made, and traceability to be ensured.

Tomat's early challenges

For Tomat, actions related to the management of sensitive and personal data stored within the Tomat platform were very limited. Additionally, Tomat had no formal processes or monitoring tools, such as automated deletion of data entered or imported into the platform, to determine when, by whom and how data should be retained, archived or deleted.

The challenges of data conservation

Data retention is not without its challenges. One of the main issues concerns data security. Threats such as cyber-attacks, computer viruses, or even human error can compromise data integrity. Robust security measures, such as regular backups and the use of firewalls and antivirus software, are essential to guarantee protection.

The risks and issues surrounding the retention of personal information in the database are therefore manifold. Tomat's initial assumption was that establishing a comprehensive internal data retention policy and procedures adapted to their needs would enable them to comply, in particular, with Bill 25.

Tomat's tactics for solving their initial problem statement

These tactics, identified during the targeted support sessions, were able to respond in a cross-functional way to the risks and challenges currently faced by the organization, and helped implement measures aimed at tackling their issues.

Concrete results!

This initial hypothesis and these tactics have led to concrete results, such as the establishment of specific business rules under which the personal information of Tomat platform users and meal voucher program participants is kept in raw format as follows:

  • Users (who log in) have their data stored for 5 years after their last connection to the platform;

  • Participants (those who do not log in, but who possess cards or for whom data was collected) have their data stored according to their subscription type, i.e.

    • Subscription: 5 years after last subscription expiry date;

    • No subscription and no gift amount: 5 years after the date of entry into the platform;

    • No subscription BUT a gift amount (no expiry date): 5 years after last use of card by the cardholder.

The importance of internal policies and procedures, and the art of asking the right questions about data retention

This aspect is essential in order to cover the entire life cycle of personal information held by an organization. These policies and procedures had to be written in plain language. The creation of a detailed data retention schedule was also essential.

Below are a few points from a checklist that will be useful to any type of organization in developing data retention policies and procedures:

  • Is the information held subject to periodic review to determine whether the purpose for which it was collected has been met? If so, how often? 

  • Is there an inventory of personal information held, for what purposes and for how long?

  • Does the organization already have a specific minimum retention period? Is it required by law? 

  •  When should the organization destroy personal information? 

  • What measures should be taken to ensure that equipment or devices used to store personal information are properly destroyed or disposed of? 

  • Who is responsible for establishing a data retention and destruction policy? 

  • Is there a designated secure area for document destruction?

"The targeted support enabled us to clarify certain aspects of data retention, but also gain a better understanding of the elements surrounding this subject, both from a legal and security perspective, in a way that was tailored to our situation. We were able to delve deeper into our data retention strategy." - The Tomat team

About the Montréal in Common Data Governance Workstream

As the lead of the Data Governance Workstream within Montréal in Common, Open North proposes a data governance journey to the innovation community in order to progressively operationalize the principles of the City of Montreal's Digital Data Charter. The program explicitly focuses on collecting, sharing and leveraging data to inform collective and individual decision-making.

Montréal in Common brings together an innovation community led by the City of Montréal, whose partners are experimenting with solutions in food access, mobility and municipal regulations in a desire to rethink the metropolis. Thirteen projects are being implemented as part of Montréal in Common thanks to the $50 million prize awarded to the city by the Government of Canada as part of the Smart Cities Challenge.

Did you like this blog post? Would you like to know more about data governance? Not sure where to start? Find other resources, free training courses and more on our website: https://opennorth.ca/ 

Author: Open North
Research and editorial contributions: Mathilde Ravenel (Tomat) and Judith François-Langevin (Open North)
We extend our thanks to all our partners and clients, whose work continuously expands and evolves our understanding of data governance and its best practices.

share Copier le lien

padding Carnet(s) relié(s)

file_copy 25 notes
Le Chantier de la gouvernance des données de Montréal en commun
file_copy 25 notes
person
Intégré par Nord Ouvert, le 7 mai 2024 16:31

Auteur·trice(s) de note

Mathilde Ravenel
Nord Ouvert
forumContacter les auteur·trice(s)

Communauté liée

Montréal en commun

Profil En commun

Communauté Passerelles

Carnets Praxis

forumDiscuter de la note

Publication

7 mai 2024

Modification

7 mai 2024 17:18

Historique des modifications

Visibilité

lock_open public