The United Church of Canada uses RecordPoint to ensure its internal data remains private

The problem

Sensitive internal information was inadvertently shared more widely than intended

In a world of increasing privacy regulation and the ever-present threat of data breaches, organizations need to prioritize data privacy, not just for their customers, but also for staff.

To make good privacy decisions, organizations need to understand the data they are responsible for governing: what the data contains, where it is located, who has access, and the risk it poses if it is exposed.

This can be a challenge when organizations adopt more data sources to enable remote or hybrid working styles, each with its own set of security settings such as access controls, which must be managed.

When a SharePoint Online configuration change inadvertently shared sensitive internal data to a wider internal audience than intended, United Church of Canada was able to use RecordPoint to rapidly ensure the data had not been accessed.

General Council Archives Manager Nichole Vonk says a Microsoft update to SharePoint Online mistakenly added site owners to a site administrators' group. In practice, this meant a wide group of team members were given access to sensitive information concerning their colleagues.

The RecordPoint solution

An audit of access patterns quickly put minds at ease

While the issue was discovered and resolved quickly, the next task was to establish who had accessed the data while it was available.

Vonk says this kind of data would normally be provided by the organization’s IT team, who may be balancing multiple critical requests and who would need to run a report on access patterns.

RecordPoint made this task much easier, she says, allowing her to review data about who had accessed the relevant files.

“I was able to go into RecordPoint and show within five minutes that the documents in there had not been viewed by anyone with unauthorized access, and that they were secure. That put people's minds at ease.”

The results

Increased trust in the organization's information management program

This kind of incident can erode trust and lower confidence in an organization’s information management program. When IT, privacy, and data governance teams already struggle to gain buy-in for their digital transformation programs from the wider business, this kind of issue can be crippling.

But in this case, the issue had the reverse effect.  

“The ability for me to respond immediately to a privacy concern was really useful in demonstrating the system’s value. To show that these kinds of things do happen, but we're able to quickly respond when they do. It builds trust in the system.”