Data governance assessment checklist
Poor data governance increases the risk of privacy breaches, regulatory enforcement, and reputational harm. This checklist helps organisations assess their data management maturity and identify gaps before they become incidents.
This is a 12-step checklist for assessing data governance practices against the Privacy Act 1988 (Cth), the APPs, and general data management standards. It covers data mapping, classification, access controls, and breach readiness.
The checklist
1. Map data holdings: Identify all personal information, sensitive information, and business-critical data held, including location and format.
2. Classify data sensitivity: Apply a classification framework (public, internal, confidential, sensitive) to all data holdings.
3. Identify data owners: Assign a data owner for each data set who is accountable for quality, access, and lifecycle management.
4. Review collection practices: Assess whether collection of personal information is limited to what is reasonably necessary under APP 3.
5. Audit consent mechanisms: Verify that consent is obtained where required, is informed and voluntary, and can be withdrawn.
6. Evaluate access controls: Confirm role-based access controls limit data access to authorised personnel on a need-to-know basis.
7. Review third-party data sharing: Identify all third parties receiving data and confirm contractual protections, including APP 8 cross-border disclosure requirements.
8. Check data quality processes: Assess processes for maintaining accurate, up-to-date, and complete data as required by APP 10.
9. Review retention and destruction: Confirm data retention schedules exist and that personal information is destroyed or de-identified when no longer needed under APP 11.2.
10. Assess data breach response readiness: Review the Notifiable Data Breaches scheme response plan and confirm the organisation can assess and notify within the statutory timeframes.
11. Review privacy impact assessment process: Confirm PIAs are conducted for new projects, systems, or uses of personal information as recommended by the OAIC.
12. Prepare governance improvement plan: Document findings, assign remediation owners, and set deadlines for closing identified governance gaps.
When this checklist applies
Use this checklist when establishing a data governance framework, preparing for Privacy Act reform, or responding to a data incident.
Common pitfalls
- Focusing on IT security without addressing legal compliance obligations
- Not mapping data shared with overseas sub-processors under APP 8
- Retaining personal information indefinitely without a retention policy
- Treating data governance as a one-off project rather than an ongoing program
- Overlooking employee personal information in governance scope
Run this checklist on a real matter
Quillio can map data flows against APPs, identify cross-border disclosure risks, and draft data governance policies. See /practice-areas/privacy-lawyers or start a free trial.
General data governance guidance. The Privacy Act 1988 is under significant reform — monitor OAIC and legislative updates. Obtain specialist privacy advice for complex data practices.