Fireside Chat with Mark Roberts from North Metropolitan TAFE
The Challenge
North Metropolitan TAFE, Western Australia's largest TAFE institution with nine campuses and 1,600 staff, faced a significant challenge in managing its vast and intricate data landscape. The institution contended with a "legacy of data and a lot of privacy data in all sorts of different repositories," including numerous older student, HR, finance, and blackboard systems, which made data discovery a formidable task.
The shift to remote working during the COVID-19 pandemic exacerbated these issues, leading to a "massive proliferation of files and subfolders" across platforms such as Microsoft Teams and individual OneDrive accounts. Lecturers, in particular, preferred keeping information in their personal drives, resulting in a scattered and siloed environment likened to an "octopus's meeting in teams" or a "grandmother's garage" overflowing with old, unneeded data.
A critical concern was the abundance of sensitive personal information (SPI), including credit card numbers, driver's licence numbers, and passport numbers, often found in scanned credit card authorisation forms complete with CVCs and expiry dates. These sensitive details were scattered across SharePoint, Outlook, and individual desktops. Approximately 35 out of 54 fillable student and staff forms were identified as capable of capturing health, medical, or disability information, posing a substantial risk.
Compounding the problem were significant data retention issues. An initial scan of their 4-terabyte SharePoint repository alarmingly revealed that 70% of the data resided in the preservation hold library, which was defaulted to a seven-year retention period across the entire sector.
Furthermore, NMT needed to prepare for the impending Western Australian Privacy Act (Priss), which underscores responsible information sharing with stakeholders, students, and third-party employment agencies. Despite possessing a capable cybersecurity team, the institution had experienced a data breach where unauthorised access led to 85 documents and 60 emails being compromised. This incident served as a stark "wakeup call" to avoid becoming another high-profile breach statistic, akin to Optus or Latitude. Internally, the quality assurance team also struggled to locate essential teaching-related documents due to the sheer disorganisation. The lack of executive awareness regarding the tangible risks posed by this unmanaged data further hampered progress.
The Solution
North Metropolitan TAFE strategically partnered with WyldLynx, an expert in information management and data governance, specialising in products such as Content Manager, and Core Data Discovery & Risk Insights (formerly OpenText Voltage Fusion). WyldLynx empowered NMT with this sophisticated solution, offering intelligent file discovery and classification capabilities.
A pivotal aspect of NMT's strategy was to "localise" the product by affectionately nicknaming it "Cedric," an acronym for Core Data Discovery and Risk Insights. Mark Roberts, Information Governance Manager at NMT, utilised AI (Copilot) to generate this name and a corresponding visual character: a small robot figure with a tool belt and scissors, symbolising Cedric's role in "cruising around all the systems fixing up the issues" and "cutting out" the stuff you don't need. This internal branding initiative significantly boosted information governance awareness within the organisation, with NMT creating an introductory SharePoint article announcing, "Cedric is coming."
NMT adopted a phased, "bite-sized chunks" approach, prioritising "proof of value" (POV) projects rather than attempting to "swallow everything in one bite." Their initial journey involved establishing robust data governance policies and a framework, alongside gaining a comprehensive understanding of existing systems and data storage locations. They also secured approval to bring Content Manager in-house, enabling better integration with Cedric and other systems.
The Core Data Discovery & Risk Insights solution enabled NMT to conduct initial scans, which immediately identified high-risk areas, such as the alarming volume of credit card authorisation forms. A substantial scan of their SharePoint repository also highlighted the pervasive issue of the 7-year default retention in the preservation hold library. The solution's ability to uncover "what we actually have" proved invaluable. WyldLynx's expertise was iinstrumental in interpreting these discoveries and providing actionable insights.
To tackle the overwhelming volume of data, NMT focused on "turning the tap off at the top of the hill" by reducing retention periods for new forms and shredding physical copies once their purpose was served. They also prioritised "low-hanging fruit," utilising scan results to eliminate thousands of duplicate files that were over 10 years old. The solution provided the crucial insights needed to make informed decisions about data cleanup and policy enforcement.
A critical step involved engaging executive leadership. The tangible findings from the data scans, such as the sheer volume of sensitive personal information, created an "oh shit moment" that successfully secured vital corporate backing, funding, and support—a response Mark Roberts found "really refreshing."
The Results
The implementation of Core Data Discovery & Risk Insights, robustly supported by WyldLynx, has delivered significant and transformative successes for North Metropolitan TAFE:
- Enhanced Risk Mitigation: The solution has been crucial in identifying and substantially reducing high-risk privacy issues, particularly concerning sensitive personal information. It has empowered NMT to exert better control over its systems and securely lock down highly sensitive data, thereby preventing future data breaches and avoiding the fate of other high-profile breach statistics.
- Improved Data Governance and Compliance: NMT is now significantly better positioned to comply with the forthcoming WA Privacy Act (Priss). The solution has enabled them to uncover and accurately classify their actual data assets (e.g., official, sensitive, personal, commercial, legal)—a feat that was simply not possible five years prior. This simplifies policy enforcement and facilitates the establishment of automated file management practices, effectively reducing the risk of data breaches and ensuring robust compliance.
- Strategic Data Cleanup and Efficiency: The capability to accurately identify duplicates and obsolete files has allowed NMT to streamline their data cleanup processes, reclaim valuable storage space, and enhance system performance. The initial focus on "low-hanging fruit," such as duplicates over 10 years old, led to the swift elimination of thousands of unnecessary files.
- Strong Executive Buy-in and Funding: The "tangible" evidence generated by the data discovery process successfully cultivated executive awareness, securing the necessary corporate backing and funding for the project's continued progression. This high-level support has proven indispensable for their ongoing journey in comprehensive information management.
- Increased Organisational Awareness: The internal branding of the product as "Cedric," complete with its distinctive robot mascot, has played a key role in elevating information governance awareness across the TAFE. This initiative fosters a culture where staff are more "professionally aware" of data's value, often influenced by personal experiences with data breaches.
- Reputational Protection and Cost Savings: By proactively identifying and managing data risks, the solution helps to prevent potential financial loss and reputational damage stemming from data exposures. This significantly contributes to North Metropolitan TAFE's standing as the premier TAFE organisation in WA. While difficult to quantify precisely, the system is expected to generate considerable savings by preventing costly security incidents.
- Technological Advancement: Mark Roberts highlighted the considerable advancements in the product, noting its current cloud-based nature, enhanced accessibility, and significantly quicker performance compared to older tools like Control Point.
North Metropolitan TAFE's journey exemplifies how a focused, phased approach, underpinned by powerful data discovery tools and a strong strategic partnership, can successfully transform a complex data environment into one that is markedly more secure and compliant.
