Managing risks related to data retention in Quebec: the Tomat case study

As part of Montréal in Common, an innovation community led by the City of Montréal and supported by Collectif Récolte, Tomat, a reloadable card-based meal voucher management platform, benefited from personalized coaching to progressively improve their data governance. This was achieved specifically by integrating three essential aspects - legal, ethical and efficiency - within their organization in order to strengthen their capabilities in this area.

The organization then examined the various stages leading to the implementation of effective data governance, and carried out actions both internally and in the form of projects.

Overview of the organization: Tomat

The Tomat platform is a technological solution that enables participants in a meal voucher program to benefit from a reloadable food card, check the available balance on their account, and enable program managers to manage funds, payments and card distribution.

The platform therefore holds personal data on participants receiving cards and users logging on to the platform. For security reasons, the database is regularly backed up.

Introduction

Data retention risk management has become crucial as companies in Quebec face increasing challenges around data protection and regulatory compliance. An effective approach aims to ensure the security, compliance and sustainability of information, while navigating the specificities of Quebec's privacy laws.

Tomat's early challenges

For Tomat, actions related to the management of sensitive and personal data stored within the Tomat platform were very limited. Additionally, Tomat had no formal processes or monitoring tools, such as automated deletion of data entered or imported into the platform, to determine when, by whom and how data should be retained, archived or deleted.

Analysis of risks associated with storage and destruction: a possible solution to the challenges at hand

To address these issues, Tomat has been working on a risk management strategy for the retention and destruction of personal information, with the aim of strengthening security, ensuring compliance of their processes and policies, and mitigating potential damage.

The first step was to identify these risks and develop a risk analysis tool. In the second stage, in order to verify the above premise, Tomat created a risk analysis table that would identify, classify and evaluate these risks, and develop mitigation and monitoring strategies.

Tomat's tactics for solving the initial problems

Tomat devised the tactics below, divided into fundamental and operational tactics, to implement their risk management strategy:

Thanks to the targeted support sessions, Tomat was able to:

  • specify appropriate retention periods for each category of data, based on legal and operational obligations;
  • produce a data retention schedule;
  • set up formal procedures for the anonymization or secure destruction of obsolete or useless data, in compliance with retention rules;
  • identify potential threats and vulnerabilities relating to their project;
  • prioritize risks;
  • determine proactive measures to mitigate risks, and identify those responsible for implementing them.

In Quebec, risk management associated with data retention is inextricably linked to compliance with provincial legislation and protection against emerging threats. By adopting a strategic approach and keeping abreast of regulatory developments, companies can proactively preserve the confidentiality and integrity of their data.

"The targeted support helped clarify certain elements of data governance, but also gave us much more precise and specific knowledge related to our case. We were able to delve deeper into our data governance framework." - The Tomat team

About the Montréal in Common Data Governance Workstream

As the lead of the Data Governance Workstream within Montréal in Common, Open North proposes a data governance journey to the innovation community in order to progressively operationalize the principles of the City of Montreal's Digital Data Charter. The program explicitly focuses on collecting, sharing and leveraging data to inform collective and individual decision-making. 

Montréal in Common brings together an innovation community led by the City of Montréal, whose partners are experimenting with solutions in food access, mobility and municipal regulations in a desire to rethink the metropolis. Thirteen projects are being implemented as part of Montréal in Common thanks to the $50 million prize awarded to the city by the Government of Canada as part of the Smart Cities Challenge.

Did you like this blog post? Would you like to know more about data governance? Not sure where to start? Find other resources, free training courses and more on our website: https://opennorth.ca/ 

Author: Open North
Research and editorial contributions: Mathilde Ravenel (Tomat) and Judith François-Langevin (Open North)
We extend our thanks to all our partners and clients, whose work continuously expands and evolves our understanding of data governance and its best practices.


Published: May 7, 2024
Modified: May 7, 2024, 17:18


To cite this note

Nord Ouvert, Mathilde Ravenel. (2024). Managing risks related to data retention in Quebec: the Tomat case study. Praxis (accessed June 23, 2024), https://praxis.encommun.io/n/TKqcWPoAW2fS74FU5j_u4rIoGAE/.
