How to Protect Trust and Unlock Value with Information Governance

If you run a campus card office, you already know: every tap tells a story. Where a student studied. When an employee accessed a lab. Whether a commuter grabbed lunch before class. Those tiny events add up to powerful personal data that comes with powerful responsibility.
At a recent NACCU NetworX Canada meeting, Erin Williams, Manager of Access & Privacy at University of Calgary, laid out a simple truth: privacy lives or dies by how well we govern information. Not just security. Not just compliance. Information Governance is the strategic alignment of people, processes, and technology across the whole lifecycle of information. It is the foundation that supports data, privacy, security and trust.
The Big Picture (in plain English)
- Information Governance (IG): the big umbrella framework that strategically aligns people + process + tech to make informed decisions about how data and information are created, collected, classified, stored, used, shared, retained and securely disposed of. Often led by Legal.
- Data Governance: a subset of IG focusing on the structure and control of data, with standards and controls for data definitions, quality, access, lineage, and integrations across systems. Often led by IT.
- Privacy: the protection of people, through rules and norms for collecting, using, and disclosing personal information (anything that can identify a person, especially when combined with other data).
- Security: technical, administrative and physical controls designed to prevent unauthorized access, changes or destruction of data and information assets. Every privacy breach starts as a security incident, but only incidents touching personal data become privacy breaches.
Key mindset shift: Don’t wait for law to tell you what to do. Legislation lags technology by years. Lead with best practices, then show you meet (and exceed) the law.
The “Data Bakery” You Already Run
Erin’s bakery analogy lands because it’s real:
- Ingredients (raw data): individual data elements that on their own or without context are meaningless but valuable, e.g. photos, first name, last name, ID, account balances, school name.
- Baking (process): combining data in purposeful ways to create meaningful information (student profile, reports, dashboards, alerts).
- Decorating & Packaging (content): how you present the information (physical student card, digital card, poster, videos, emails, APIs to partners).
- Recipes (records): what information holds value and is kept for a specific period of time for business and legal reasons.
Just like a bakery refrigerates milk and butter, you must add extra controls to sensitive data like personal information (faces, gender, ethnicity, etc.). This is also true of information that combines data and becomes even more sensitive, e.g. personal identifiers in connection with other data like residency, phone number, or accommodation and accessibility needs. If you wouldn’t leave cream out overnight, don’t leave PII in a shared email folder forever.
Why Card Programs Are Juicy Targets
Campus card ecosystems are:
- Decentralized: many departments, varied practices.
- Integrated: many third-party systems and APIs (where breaches often sneak in).
- Long-retention: data kept for years “just in case,” enlarging your blast radius.
The University of Winnipeg breach is a cautionary tale: one security failure + lots of old personal data = reputational hit, cost, and years of cleanup. They weren’t uniquely reckless... they were ordinary. That’s the point.
A Practical IG Playbook for Card Offices
1) Know Your Landscape (you can’t govern what you can’t see)
Create a one-page System & Data Map:
- Systems in scope (card production, door access, dining, rec, library, transit, housing, payments).
- For each: what personal data, where stored, who owns it, integrations, retention, and who has access (role-based).
- Add a simple sensitivity tag (Low/Med/High). Photos, biometrics, precise locations, and financial identifiers are High.
Deliverable you can finish in two weeks: a table in your wiki/SharePoint that any stakeholder can read.
2) Tighten the “Front Doors” (procurement + integration)
Most incidents enter through the side door: integrations and vendors.
Standardize two gates:
A. Software Intake Checklist (pre-purchase & renewals)
- Purpose & minimum data needed (collect only what’s necessary).
- Hosting model and location; SOC 2 / ISO 27001; encryption at rest/in transit.
- Data flows (what goes in/out); SSO; audit logs; admin controls; export/deletion features.
- Incident response SLAs; breach notification terms; subcontractors.
- Retention defaults & data deletion upon termination.
B. Contract Must-Haves
- Data Processing Addendum; security annex; audit rights.
- Clear roles (who’s the controller vs. processor).
- Termination assistance + certified deletion.
If a vendor “can’t answer” or drags their feet, that’s your red flag. You’re not being difficult. You’re protecting students.
3) Reduce Your Blast Radius (retention & cleanup)
Two quick wins pay off immediately:
- Email & Drive hygiene: move reports and exports out of inboxes/Teams/shared drives into approved systems; auto-delete local copies immediately after they are no longer useful.
- Retention defaults: if you don’t need detailed location history after 90 days, aggregate it to counts and purge raw events. Keep what’s legally required; toss the rest.
Rule of thumb: if you can rebuild a report from source systems, you don’t need to hoard the exported CSV.
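One way to implement the 90-day "aggregate to counts and purge raw events" default, as an added example that is not from the presentation or from any card system vendor. The table and column names (`door_events`, `door_daily_counts`) are hypothetical, the tap records are constructed sample data, and SQLite stands in for whatever database holds your door events.

```python
import sqlite3
from datetime import datetime, timedelta

RETENTION_DAYS = 90  # the post's example threshold for detailed location history

# Hypothetical schema: the summary table deliberately has no card_id column,
# so nothing in it identifies a person once the raw rows are gone.
SCHEMA = """
CREATE TABLE door_events (card_id TEXT, door TEXT, ts TEXT);
CREATE TABLE door_daily_counts (day TEXT, door TEXT, taps INTEGER,
                                PRIMARY KEY (day, door));
"""

# Constructed sample taps (UTC ISO-8601 text, so string order equals time order).
SAMPLE_EVENTS = [
    ("C1001", "Lab-A",   "2025-01-10T08:15:00"),
    ("C1002", "Lab-A",   "2025-01-10T09:40:00"),
    ("C1001", "Library", "2025-01-10T13:05:00"),
    ("C1003", "Lab-A",   "2025-02-20T10:00:00"),
    ("C1001", "Lab-A",   "2025-05-28T08:20:00"),  # inside the window: kept raw
    ("C1002", "Library", "2025-05-30T17:45:00"),  # inside the window: kept raw
]

def aggregate_and_purge(conn, now, retention_days=RETENTION_DAYS):
    """Roll raw taps older than the cutoff into per-door daily counts, then delete them."""
    cutoff = (now - timedelta(days=retention_days)).strftime("%Y-%m-%dT%H:%M:%S")
    with conn:  # one transaction: both steps commit together or roll back together
        conn.execute(
            """INSERT INTO door_daily_counts (day, door, taps)
               SELECT substr(ts, 1, 10), door, COUNT(*) FROM door_events
               WHERE ts < ? GROUP BY substr(ts, 1, 10), door
               ON CONFLICT(day, door) DO UPDATE SET taps = taps + excluded.taps""",
            (cutoff,))  # the upsert absorbs old events that arrive late from an integration
        purged = conn.execute("DELETE FROM door_events WHERE ts < ?", (cutoff,)).rowcount
    return purged

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO door_events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn

def daily_counts(conn):
    return conn.execute(
        "SELECT day, door, taps FROM door_daily_counts ORDER BY day, door").fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    print("raw rows purged:", aggregate_and_purge(db, datetime(2025, 6, 1)))
    print(daily_counts(db))
```

Because the count and the delete share one transaction, running the job twice does not double-count, and a failure partway through leaves the raw rows in place for the next run.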
4) Prepare for “When,” Not “If” (tabletop + backup/restore)
Run a 60-minute tabletop twice a year:
- Scenario: third-party integration is compromised; attacker queries cardholder directory and door events.
- Questions: What’s the containment step? Who notifies whom? What logs do you pull? How do you cut off the integration quickly? Do you have clean backups and a failover plan that don’t re-expose personal data?
Make decisions now, not during adrenaline hour.
5) Make Privacy a Habit (not a hurdle)
Adopt 5 everyday behaviors for your team:
- Least privilege: access based on role, reviewed quarterly.
- Collect-minimize: if a PII field isn’t required, don’t collect it.
- Lock screens & clean desks: analog leaks are still leaks.
- Approved systems only: no cardholder CSVs in personal folders or ad-hoc tools.
- When in doubt, ask: normalize quick questions to privacy/security... no shame, no blame.
A Note on Law & “What’s Next”
It took Alberta 30 years, but it finally overhauled its privacy legislation (splitting FOIP into the Protection of Privacy Act and Access to Information Act). This is a signal: governments are raising expectations, mandating privacy management programs, upping fines, and reviewing more often. Even if you’re outside Alberta, the trends are everywhere, and they are clear:
- AI, biometrics, IoT, behavioral analytics = rising risk + rising scrutiny.
- Waiting for law means you’re likely already behind. Build for ethical, trustworthy best practices now.
Your 30-60-90 Day Plan
Next 30 days
- Publish your System & Data Map.
- Turn your vendor intake questions into a one-pager; require it for all new tools.
- Identify the top 3 High-sensitivity data stores; confirm backups, access, and retention.
Days 31–60
- Run a tabletop with IT, Security, Legal, and a business lead (Housing, Dining, or Facilities).
- Set auto-purge or archiving for exports in email/Drives that hold transitory information.
- Document a data minimization policy for card exports.
Days 61–90
- Pilot a quarterly access review for two systems.
- Redline your standard contract addenda (DPA/security).
- Publish a 2-page “Privacy by Habit” guide for staff and student workers.
- Ensure retention schedules for records are up to date.
None of this requires a massive budget. It requires clarity, cadence, and cross-team ownership.
Five Questions to Bring to Your Next Campus Meeting
- What personal data could we stop collecting this semester and still meet our goals?
- Which integration worries Security the most, and why?
- If Vendor X disappeared tomorrow, how fast can we revoke access and delete our data?
- Where do card exports “land,” and how long do they sit there?
- Who owns our data map and how often is it updated?
Ask these and you’ll surface 80% of your risk in one conversation.
It is so important you know what you have, why you have it, where you have it and for how long you need it!
Why NACCU?
Because you don’t have to figure this out alone. NACCU gives card programs a peer network and practical tools to:
- Compare vendor checklists and contract language.
- Learn what’s working (and what isn’t) at similar campuses.
- Stay ahead of tech and regulatory change without reinventing the wheel.
If this post helped you think differently about governance and privacy, imagine joining a community of members who’ve already solved your problem.
Join NACCU. Protect trust. Unlock value. And make every tap tell a story you’re proud of.
Want more detail about Information Governance & Data Privacy?
Watch Erin's presentation: