The privacy commissioner and ISO16175

I'm putting words into the privacy commissioner's mouth here, but I'm going say that I don't think the privacy commissioner is going to care one iota whether the records system holding PII in your organisation is ISO16175 compliant.

They're going to care about whether privacy is being adequately managed.

If you've taken an expansive view of records and are managing all of the information being recorded in your organisation - regardless of system - privacy is probably going to be a valuable strategic issue for you to work on.

If on the other hand, you've made the mistake in your organisation of saying that there is one records system - and dogmatically stuck to the idea that as a result, business systems aren't records systems - privacy is probably going to pass you by as an issue.

If there's one track record that records has, it's of using new issues as ways to say to the organisations we serve that "see, that's why you've got to do it our way."

Organisations have routinely ignored it - because records management standards aren't important to them. They are much more worried about fulfilling their primary purpose, and when people put any roadblock in front of that without justifying how the roadblock makes fulfilling their primary purpose better, faster and cheaper - they just go around it.

Somehow, the belief persists for many in records that if we keep putting up the same roadblock up every time a new issue comes along, we'll eventually be successful with it.

The reality is that every time we put the roadblock up and it gets ignored, it just gets easier to ignore it next time, because inevitably someone else steps in to solve whatever problems are actually stopping the organisation executing.

And we stop getting asked to be at the table - all we do is say "no you can't" when the organisation routinely proves that "yes it can."

It's for this reason that I think privacy is going to make or break records management.

Privacy will "make" pragmatic records managers who look at all the data the organisation collects, and figures out how to manage it proactively.

Privacy will break a records manager who uses privacy to dogmatically say that "this is the records system, if it's not in here it's not compliant."

Because the privacy commissioner won't give a damn.

The privacy commissioner will care that it's being adequately managed.

Organisations know this.

If we don't manage those records.

They'll find someone who will.