How Data Accumulation Became Institutional Risk

A Critical Analysis of Data Retention, Governance, and Fragmentation in Australian Organisations

“Your personal information may have been compromised.” In 2022, millions of Australians received such notifications from Optus and, soon after, from Medibank following another data breach. The size of the breaches was alarming: nearly half the Australian population was affected. Each breach escalated in severity, from identity information like driver’s licence and passport numbers to highly personal health records. These incidents exposed not only the scale of data collection but also the consequences of its retention.

A recent notification from the University of Sydney demonstrated textbook crisis management. Steps included detection, containment, and collaboration with authorities. However, this event highlights a bigger issue. Universities collect large volumes of data across fragmented systems. They often lack clear governance regarding retention, ownership, and risk.

A 5-minute explainer on the data breach that happened in December 2025.

The core issue is not that universities collect large volumes of data. This is often necessary for administrative and academic purposes. The main concerns are excessive data retention and inconsistent management across multiple systems. These practices exist due to operational demand. In reality, they are becoming a long-term vulnerability. Recent industry breaches highlight that as data volume and fragmentation increase, so does risk. Universities must re-examine their data collection processes, retention periods, and storage solutions, and clarify accountability for data protection.

“The widespread collection of data raises serious questions about power, privacy, and control.” (boyd and Crawford, 2012)

The Expansion of Data Collection

Data collection within universities has expanded significantly over the past decade. This growth is largely driven by the digitisation of administrative processes and the global pandemic. As a staff member at Student Administration Services at the University, I rely on a network of integrated systems. These include student management systems, learning management systems, and timetabling tools. Together, these capture a detailed record of a student’s life cycle. This includes enrolment data, academic records, personal identification details, and communication histories from prospective, past, and current students.

From an operational perspective, universities require accurate and accessible records to manage enrolment, verify qualifications, and comply with government regulations. They also support student services. For example, a transcript order or graduation verification service requires access to records dating back decades. This is especially true for alumni seeking employment or further study. In this sense, data retention is not problematic; it enables service continuity and delivery.

However, the issue arises when data accumulation does not align with our governing frameworks. As systems proliferate, data becomes distributed across multiple platforms. Each has its own retention policies, access controls, and security safeguards. That fragmentation makes it difficult to manage data holistically and introduces inconsistencies in its protection.

Fragmentation and System Complexity

Consider the student experience at the University of Sydney: we use Sydney Student to enrol in units of study, then access the timetable via the integrated Sydney Timetable. Then we use Canvas, an online learning platform integrated with multiple systems, to access our reading lists, complete modules, and submit assignments. If we have questions, we use the ServiceNow service portal to submit enquiries, and when we graduate, we receive our digital transcript through My eQuals. Unlike a single, centralised database, universities operate through multiple, often legacy, systems.

These interlinked systems may include newer platforms and older databases. The older ones are retained for historical or operational reasons. Over time, this creates a layered digital infrastructure. Here, data is duplicated, migrated, or archived without a unified strategy.

The risks associated with each instance of fragmentation are significant. First, as the number of systems increases, so too does the number of possible entry points for cyberattacks. Each system represents a potential vulnerability, particularly if it is outdated or lacks security updates, underscoring the importance of comprehensive risk assessment.

Second, it complicates incident response. I had a fantastic secondment opportunity to work in the Timetabling team for 14 months. One of the first challenges I faced was figuring out why 12 or so students could not access their Timetables. It took the Timetabling team, the Timetable software vendor, and the University’s ICT team two weeks to identify the problem. These students’ MFA (multi-factor authentication) integration was not set up properly. When someone tries to log in to University systems, MFA, which is designed to protect our data and privacy, is triggered. These 12 students returned their UniKeys without a Student ID number. Most other integrations were fine. However, the Timetabling software uses the student ID as the record identifier.

In a breach, identifying which data was compromised can be challenging. This problem worsens when information is scattered across systems with varying documentation and oversight. Fragmentation also obscures accountability. When data is spread across platforms, it is often unclear which department or unit is responsible for governance. This lack of ownership leads to security gaps. No single entity has full oversight or authority over the data lifecycle.

Data Retention: When Efficiency Becomes Risk

A key issue in recent breaches is not just the existence of data but its longevity. Organisations commonly retain information beyond any immediate use. They assume it may be needed later. While convenient, this strategy significantly increases risk.

Data minimisation frameworks recommend keeping information only for a defined purpose and for a limited time. Enforcing this in universities is hard. Balancing compliance, service needs, and historical records often results in decades of retention. The consequences appeared in the Optus and Medibank breaches. In these cases, the volume and sensitivity of the data magnified the impact. Similarly, at universities, long-term retention increases breach severity because older records may still contain sensitive information.

Universities increasingly treat student data as a long-term resource. As Kitchin (2014) suggests, information is now something to be stored and analysed, rather than discarded, reinforcing a culture of retention.

“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” (GDPR principles)

Governance Gaps and Institutional Responsibility

Data governance needs clear guidelines, defined responsibilities, and consistency in all systems. This includes decisions on what data is collected and how it is stored. It also covers who can access data and when it should be deleted.

Many universities’ governance frameworks do not keep up with technology and organisational changes. One big challenge is the decentralised nature of university operations. Faculties, various administrative teams, and external partners may each manage their own systems and datasets. This leads to variations in governance. Without central oversight, these differences cause uneven levels of security and compliance.

Another problem is that retention policies are usually opaque. Students, alumni, and staff are often unaware of how long their data is kept or why. Such opacity weakens trust and limits individuals’ ability to make informed choices. Legacy systems may not support automated data deletion or modern security features. Manual interventions are required. These are resource-heavy and prone to error. As a result, data may persist indefinitely, even when it should be removed.

When data is everywhere, responsibility becomes risk

Balancing Operational Efficiency and Risk Management

It is important to recognise that universities cannot simply eliminate data retention without undermining their core functions. Academic records, for example, must be preserved to verify qualifications and support services.

Similarly, following government regulations may require retaining certain datasets. The challenge, therefore, is not to reduce data collection indiscriminately, but to adopt a more strategic, risk-informed approach to data management. This requires distinguishing between essential and non-essential data and establishing distinct criteria for retention and deletion.

One possible solution is adopting tiered retention policies, assigning specific retention periods to different categories of data based on their purpose and sensitivity. For instance, critical academic records may be retained indefinitely, whilst administrative or transactional data is deleted after a defined period.

In addition, universities must invest in system integration and modernisation to reduce fragmentation and improve oversight. Centralised data management platforms can strengthen visibility and enable more consistent governance practices across the institution.

Lessons from Recent Breaches

The data breaches at Optus and Medibank offer valuable lessons for higher education. Both incidents emphasise the risks of large-scale data retention and highlight the need for robust, comprehensive security protocols. Learning from these examples provides guidance for strengthening university practices.

They also show the reputational and financial consequences of failing to protect confidential information. For universities, these cases underline a key point. Data is not only an asset, but also a liability. While data enables operational efficiency and strategic decision-making, it carries risks that must be managed. More importantly, these breaches have shifted public expectations around data protection. People are increasingly aware of the value of their personal information and want organisations to handle it responsibly. Universities must uphold high standards of data governance to maintain public trust.

Towards a Stronger Data Governance Framework

Given these challenges, universities should consider the following strategies:

  1. Establish clear data ownership. Assign responsibility for each dataset to a specific role or unit. This ensures accountability for its management and protection.
  2. Implement data minimisation principles. Regularly review the volume of stored data. Reduce data and retain only what is necessary for defined purposes.
  3. Standardise retention policies. Develop institution-wide guidelines for data retention and deletion. Use automated processes where possible to support these guidelines.
  4. Enhance system integration. Reduce fragmentation by consolidating data into centralised platforms with consistent security protocols.
  5. Increase transparency. Clearly communicate data practices to staff, students and alumni, including retention periods and security measures.
  6. Invest in cybersecurity. Continuously update and strengthen security systems to protect against changing threats.
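
As an added illustration (not code from the original article or from any university), the following Python sketch shows how the tiered retention policy described earlier and strategies 1 to 3 above could be checked automatically across a fragmented inventory. The tier periods, category names, system names and inventory entries are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed tiers for illustration; real periods come from the institution's
# records policy. None means the category is retained indefinitely.
RETENTION_YEARS = {"academic_record": None, "enrolment_admin": 7, "service_enquiry": 2}

@dataclass(frozen=True)
class Holding:
    system: str            # platform that stores this copy of the data
    category: str          # data category, used to select the retention tier
    owner: Optional[str]   # accountable role or unit, if one is assigned
    purpose_ended: date    # date the defined purpose was last served

def expiry(h, years):
    """Date after which the holding is past its retention period."""
    try:
        return h.purpose_ended.replace(year=h.purpose_ended.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return h.purpose_ended.replace(year=h.purpose_ended.year + years, day=28)

def review(holdings, today):
    """Return sorted (system, category, finding) tuples for governance gaps."""
    findings, systems = set(), {}
    for h in holdings:
        systems.setdefault(h.category, set()).add(h.system)
        if not h.owner:
            findings.add((h.system, h.category, "NO_OWNER"))
        if h.category not in RETENTION_YEARS:
            findings.add((h.system, h.category, "UNCLASSIFIED"))
            continue
        years = RETENTION_YEARS[h.category]
        if years is not None and today > expiry(h, years):
            findings.add((h.system, h.category, "PAST_RETENTION"))
    for category, held_in in systems.items():
        if len(held_in) > 1:  # same category kept on several platforms
            findings.update((s, category, "DUPLICATED_ACROSS_SYSTEMS") for s in held_in)
    return sorted(findings)

# Constructed inventory (not real data) spanning several platforms.
INVENTORY = [
    Holding("student_management", "academic_record", "Registrar", date(1998, 12, 1)),
    Holding("student_management", "enrolment_admin", "Student Administration", date(2015, 3, 1)),
    Holding("service_portal", "service_enquiry", None, date(2021, 6, 30)),
    Holding("legacy_archive", "service_enquiry", "ICT", date(2024, 11, 1)),
    Holding("learning_management", "submission_logs", "Faculty", date(2023, 1, 1)),
]
```

Calling `review(INVENTORY, date(2025, 6, 1))` lists the holdings that have no owner, fall outside every tier, have outlived their period, or exist on more than one platform, while the decades-old academic record produces no finding because its tier is indefinite.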

Conclusion

Recent data breaches in telecommunications, insurance and universities all point to the same problem: collecting lots of data without strict rules for managing it. While collecting data is important, storing and handling it safely is equally crucial to reduce risks.

For universities, the challenge is to balance efficiency with data security. This means seeing data not just as a resource, but also as something that can bring risks. By setting better rules and managing data more carefully, universities can reduce their risks and maintain their communities’ trust.

Ultimately, the question is not whether institutions should collect data, but how much they should keep and for how long. In an era of increasing cyberattacks, the answer to this question may determine not only operational success but also institutional resilience.
