
Policies

Policies applying to the technical systems and data documented in Shannon. Not a substitute for PWG’s organisation-wide policies held elsewhere (HR, finance, compliance) — those remain in M365 / SharePoint with formal version control through the relevant owners.

All sections on this page are currently marked draft pending formal review and sign-off.

Status: draft.

Intended to define:

  • How access to Shannon itself is granted and revoked (kb_reader Entra role).
  • How access to each underlying system (Salesforce, MYOB, XPLAN, Hex, PWG_DATA, Workato, Azure, M365) is requested and who approves.
  • Standard access tiers per role (adviser, advice support, technology, data, offshore operations).
  • Review cadence — how often access lists are reconciled against active employees and contractors.

Status: draft.

Intended to define:

  • Retention periods for logs, event data, and audit trails across systems.
  • How retention interacts with Australian regulatory obligations (ASIC, Privacy Act APPs, FSG/FDS record-keeping under the Corporations Act).
  • Archival destinations for data past its active-use window.
  • Who is responsible for enforcing retention in each system.

Status: draft.

Intended to define:

  • What PWG considers sensitive (client PII, advice records, financial account details, identity documents).
  • Where sensitive data is permitted to live, and where it must not (e.g. no sensitive data in Shannon itself, ever).
  • How to handle sensitive data in incident response — what can be copied into tickets, what must be redacted.
  • Third-party handling obligations (vendors, Hex, Workato, etc.).

Status: draft.

Intended to define:

  • What technical changes require change control vs. normal PR review.
  • Who approves changes per system.
  • How emergency changes are tracked (post-hoc change records).
  • Expectations for the admin-procedures.md page in each system repo.

If you are about to rely on any of these policies for a decision: confirm the current state with David Bramwell. A page marked status: draft is a work-in-progress placeholder, not an approved control.