data mapping...a comment from a fellow blogger and tech-expert.
(Parry is "The Privacy Lawyer" for Information Week and has called for the creation of a "Data Map" to manage privacy.)
I enjoyed your article "It's time to build a data map." I have referenced it favorably on my weblog www.erp4it.com.
My perspective is that what you call for should not be done episodically (e.g. through a periodic audit process) but rather should be intrinsic in how the IT organization is managed...
Doing this requires sophisticated systems and processes to get it right and keep it up to date, and the irony is that IT tends to be the "cobbler's barefoot child" -- building and running powerful systems for its clients, while struggling along with spreadsheets and undocumented, easily abused processes to run its own business. This is an increasing topic of conversation in large IT shops as the dot-com hangover wears off and enterprises start to face the reality of managing complex application portfolios.
My day job is working for a Fortune 100 electronics specialty retailer, where I head a capability called the Metadata Management Office. I don't know if you have ever heard the term "metadata," but it is the core of what you are talking about. It means data about data, and data about the systems that process the data. It's a longstanding concept in large-scale IT; in earlier years it was called the "data dictionary," which became the "metadata repository," and now there is a related concept called a "configuration management database." Supporting process frameworks have emerged in ITIL and COBIT. Other relevant concepts are enterprise architecture, systems management frameworks, and portfolio management; tools marketed under these categories would cover large sections of the problem (but by no means all of what you call for). One key thesis of mine is that all of these tools are inexorably converging into a generalized "ERP for IT" domain.
One question I have as a non-lawyer is what is meant by "privileged" information. I assume this means that if the information were captured as part of an audit done under certain protocols, it would be harder to subpoena in a court case?
I can't speak to whether this is a significant risk, but I do know that your "data map" is information generally hard to come by in most large IT shops, and eagerly sought whenever it is compiled. It has day-to-day value in planning, building, and running IT systems, and it would be unfortunate if this complex and hard-to-inventory data were locked away once compiled; it's just too useful. It's also information not easily represented in the tools I imagine an external audit team would use: spreadsheets, Word documents, and so forth. Kind of like trying to "audit" an Intel microprocessor; you need specialized tools just to handle the complexity.
All for now; very interested in your perspectives.