The most dangerous record in a private institution is often not the one marked confidential. It is the one nobody believes they own. A passport copy sits in an assistant’s downloads. A family tree lives in a lawyer’s slide deck. A vendor exported the contact database during a migration. An old adviser retains a deal archive. A spreadsheet used for one board meeting becomes the unofficial ownership record. Everyone assumes the information belongs somewhere else. Nobody can say which copy governs, who may use it or when it should disappear. This is not a storage problem. It is an accountability failure.
Classification without ownership is decoration
Institutions spend time labelling information: public, internal, confidential, restricted. The label describes sensitivity. It does not assign responsibility. An owner must be able to answer four questions:
- Accuracy: who confirms that the record is current and authoritative?
- Access: who decides which people and systems may see or change it?
- Retention: why does the institution still hold it, and for how long?
- Disposition: who can order return, archive or deletion—and verify that it happened?
If no person can answer, the record will usually survive because deletion feels riskier than neglect.
Orphaned data multiplies quietly
The original record may be controlled. Its derivatives are not. Email attachments, exports, meeting packs, AI summaries, backups, screenshots and local working files create a shadow estate around the source. The institution then has two different information systems: the one described in policy and the one created by work. The second system matters more during an incident. Attackers, litigants and journalists do not care which copy was official. They care which copy was available, revealing and credible.
Find the orphaned record through events
Do not begin with an abstract enterprise-wide inventory. Begin with events that generate consequential copies:
- A new adviser or employee joins.
- A transaction opens or closes.
- A family member changes residence, status or role.
- A provider migration requires export.
- A dispute, investigation or insurance claim begins.
- A report is prepared for a board, bank, trustee or regulator.
For each event, trace what information was created, copied, transformed and sent. Ask where the authoritative version now sits and what should happen to the working material.
Value object — The Orphaned Data Register
Create a short register for records that lack a clear owner. It should contain:
- Record or data set: a recognisable name, not a technical identifier alone.
- Locations and known derivatives: systems, advisers, exports and offline copies.
- Sensitivity and consequence: what becomes possible if the information is wrong, exposed or unavailable.
- Temporary custodian: the person responsible until permanent ownership is assigned.
- Decision: adopt as authoritative, merge, restrict, return, archive or destroy.
- Evidence of completion: access report, delivery receipt, deletion confirmation or updated record index.
Set a deadline. An orphaned record with a custodian but no decision is merely documented neglect.
Ownership should follow authority
The owner need not store the data or perform every control. The owner must hold enough institutional authority to decide how the information is governed. A technology administrator should not determine the legal retention of a trust record. A lawyer should not silently control the only operational copy of an identity directory. An assistant should not become the permanent owner of health information because they coordinated an appointment. Separate subject expertise, legal responsibility and technical custody—then make the handoffs explicit.
Deletion is a controlled action
The answer is not aggressive deletion without context. Some records must be preserved for legal, regulatory, contractual or evidential reasons. Others are required for continuity. The institution needs a defensible disposition, not a purge. Where deletion is appropriate, include derivatives and recovery paths. Removing a file from the main workspace while leaving exports, forwarding rules and model indexes intact creates the appearance of control without the result.
The useful question
Ask the private office to name the person accountable for every record that could materially affect identity, ownership, authority, health, reputation or a live transaction. The hesitation points to the information that deserves attention first.
