Managing Data Risk: APRA issues draft Practice Guide

20 December 2012

As previously reported the Australian Prudential Regulation Authority (APRA) is continuing to caution banks, life insurers, general insurers and superannuation entities (Regulated Institutions) about the risks inherent in off-shoring and outsourcing.  

On 11 December 2012, APRA released Draft Prudential Practice Guide PPG235 (Guide) on managing data risk for industry consultation and comment.  The draft Guide has been released to highlight the importance of data use, retention, storage and security, and to address identified weaknesses in the data practices of Regulated Institutions.

The draft Guide applies to all Regulated Institutions, and provides guidance on best practice measures to be adopted to manage data risks.  The draft Guide is not intended to replace or endorse any existing industry standards, and Regulated Institutions may implement measures not specified in the Guide that are appropriate for that institution having regarding to the size, nature and complexity of its operations.

APRA states that managing data risk is important for a broad range of outcomes of a Regulated Institution including business objectives, obligations to stakeholders, effective management and governance.  Data risk often results from the failure of internal data management processes or from external events.  Examples of data risk include data theft, business disruptions as a result of data corruption or unavailability and breach of legal or compliance obligations.

High-level principles for data risk management

The draft Guide sets out the following high-level principles to manage data risks:

1. Systematic and formalised approach to managing data

  • Development of a data risk management framework which outlines the Regulated Institution’s approach to managing data risk
  • Allocation of staff roles and responsibilities
  • Ongoing compliance checks, reporting and management reviews
  • Regular evaluation of the data risk management framework
  • Use of data architecture practices to better understand the capture, processing, retention, publication and destruction of data

2. Staff awareness

  • Development of initial and ongoing staff training and awareness programs
  • Regular education of staff regarding their responsibilities in maintaining data quality

3. Data life-cycle management

  • Consideration of data quality at each stage of the data life-cycle (including capture, processing, retention, publication and destruction) to ensure that appropriate controls are implemented

4. Data validation

  • Implementation of data validation controls at various points during the data life-cycle
  • Periodically cleansing data to maintain data quality at the required level

5. Monitoring and managing data quality issues

  • Establishing monitoring processes to identity data quality issues for all stages of a data issue (including detection, identification, containment, investigation, evidence-gathering, resolution and return-to-business)
  • Implementation of clear accountability and communication strategies to limit the impact of data quality issues

6. Data quality assurance

  • Systematic assessment of the data risk environment conducted by internal audit or another independent function
  • Multi-year schedule of testing of data risk management, inspection of data and data governance

Off-shoring or outsourcing data management responsibilities

APRA has also restated its concerns regarding the risks of outsourcing and off-shoring by setting out APRA’s expectations of Regulated Institutions if they intend to outsource or offshore its data management responsibilities. 

In particular, the draft Guide states that APRA expects Regulated Institutions to apply a “cautious and measured approach” in determining whether to retain data offshore, and consider whether the risks involved are within the institution’s “risk appetite”.

Further, the draft Guide states that when outsourcing or off-shoring data management, a Regulated Institution will be expected to demonstrate the following:

  1. ability for the Regulated Institution to maintain business continuity in the event of loss of services;
  2. quality maintenance of critical or sensitive data;
  3. compliance with applicable legislation and prudential requirements; and
  4. no impediments to APRA fulfilling its duties as prudential regulator (including prompt access to data in a useable form, no jurisdictional hurdles to access or no technical controls limiting access).

The draft Guide also set outs APRA’s expectations in relation to the assessment and ongoing management of outsourced/off-shored data management responsibilities, such as conducting detailed risk assessments, developing business cases to justify the risk exposure and periodic evaluation of the risks.

APRA is seeking comments on the draft Guide from industry and stakeholders by 29 March 2013.

The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

Related Content


Helen Clarke

Partner. Brisbane
+61 7 3228 9818


James North

Partner. Sydney
+61 2 9210 6734


Philip Catania

Partner. Melbourne
+61 3 9672 3333