When high-profile data breaches make headlines, the focus is often on cybersecurity. But the recent cyber incident involving Qantas highlights something just as important: how organisations manage the information they hold.
In this case, it was not just a compromised system. The breach has prompted questions about how personal information is collected, stored and protected, and how organisations prepare for and respond to incidents that affect customer data.
These are not cybersecurity issues alone. They are information governance issues. And they matter.
Information Governance and Privacy Go Hand in Hand
Information governance is about understanding what information your organisation holds, why it is collected, how long it should be kept, and who has access to it. It provides the foundation for managing information responsibly, protecting privacy and meeting regulatory obligations.
When these foundations are not in place, even strong cybersecurity controls may fall short. A poorly governed dataset that is accessed inappropriately can be just as damaging as one that is hacked.
Key Lessons from the Qantas Incident
The Qantas case highlights several governance challenges that are common across many organisations:
1. Over-retention of personal information
Reports indicate that personal data belonging to millions of Qantas customers was affected, including names, birth dates, contact details and frequent flyer numbers. While no financial data was compromised, the scale of the breach highlights the risks of retaining large volumes of personal information that may no longer be needed. Data minimisation and regular retention reviews are key to reducing this risk.
2. Transparency and accountability
Although there were no specific public complaints from customers about data retention, the incident has led to broader public discussion about how much personal information Qantas held and why. This reinforces the importance of having clear and accessible privacy notices, transparent data practices, and sound governance policies. These steps are not just about compliance. They are essential for maintaining trust.
3. Governance of third-party systems
The breach occurred through a third-party platform used by a Qantas contact centre, highlighting the risks involved when personal information is shared across vendor systems. Organisations need clear governance arrangements when working with third parties, including defined responsibilities, appropriate contractual safeguards and a clear understanding of how and where information is stored.
A Wake-Up Call for Better Information Practice
This incident serves as a reminder that information governance must be embedded across the organisation. It is not just a job for IT, legal or compliance. It is a shared responsibility.
Good governance supports privacy, reduces risk and helps organisations respond effectively when things go wrong. It also supports clear information flows, reduces duplication and prevents unmanaged data sprawl.
How RKI Supports Resilient Governance
At Recordkeeping Innovation, we help organisations build strong information governance foundations through:
- Practical training to build internal capability
Whether you are planning a system rollout, reviewing retention practices or responding to emerging risks, we can help you put information governance at the centre of your approach.
Final Thought
Cybersecurity is essential, but it is only part of the picture. The Qantas incident shows the importance of clear, consistent governance for personal and operational information.
If your organisation is looking to improve its approach to privacy, data handling and information management, we are here to help. Contact the team today.
