May 7, 2026

Protection starts with a map

Data Series
| Part
1

Reading time:

5 min read

5.2 million Canadians exposed in one breach. The root cause wasn’t a hack. It was a cataloguing failure. What a data catalogue actually does, and what happens without one.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

5.2 million Canadians. That’s how many people had their personal data exposed in the PowerSchool breach that hit school boards across 8 provinces in late 2024 (CBC News, January 2025). Student records going back to 1965. Names, addresses, health card numbers, social insurance numbers. Data accumulating across systems for decades, held by organisations that couldn’t say what they had or where it lived.

Ontario’s privacy commissioner investigated. So did Alberta’s. Both found the same thing: school boards lacked adequate breach response plans, failed to include privacy provisions in their vendor contracts, and had no policies for overseeing the third-party software that stored it all (Ontario IPC and Alberta OIPC, November 2025). The breach started with compromised credentials on a support account. The attacker walked through a door nobody knew was open, into rooms full of data nobody had inventoried.

That’s a cataloguing failure. The ransom demands, the class-action threats, the privacy commissioner orders: all of it followed from one starting condition. Nobody could answer “what do we have, and where does it live?”

Your catalogue is either a living system or a decorative spreadsheet

A data catalogue is a live, integrated system that inventories your data, applies metadata, classifies sensitivity and ownership, and makes it findable across teams. Not a spreadsheet someone built during the last migration and titled “master_list_final_v2.”

When it works, your analytics team finds a dataset, verifies it’s current, confirms it’s governed, and uses it. No waiting for someone in another department to forward last year’s CSV. No discovering 3 weeks into a project that the data was never approved for that purpose. When it doesn’t exist, every other initiative stalls at the same question nobody can answer.

What lives where (and what nobody told you about)

Here’s the inventory nobody wants to do.

Production. Where the governed data is supposed to live. In practice, where 3 teams run reports on 3 different versions of the same data, because each extracted what they needed at a different point and nobody synchronised.

Dev. Someone needed realistic test data. Copied production over. Unmasked. Real names, real addresses, real account numbers. This happened 2 CISOs ago and nobody cleaned it up because nobody knew it was there.

Analytics. An extract from 2021, still running, still feeding a dashboard 6 people check and nobody questions. The source changed 18 months ago. The extract didn’t.

The legacy file server. Survived 2 migrations, a cloud transition, a reorganisation, and a Saskatoon winter. Contains data from a system decommissioned in 2018. Nobody owns it. Everybody’s sure that’s someone else’s problem.

Four layers. Four cataloguing gaps. Four reasons your AI initiative stalls the moment it tries to pull from sources that haven’t been classified, governed, or validated.

Tribal knowledge is a single point of failure with a benefits package

In most organisations, the person who knows where data actually lives is the person who built a workaround in 2017 and never documented it. Call him Gary. He knows which table has the real customer IDs, which extract is current, and which system “doesn’t count” because it was supposed to be temporary 4 years ago. He’s not the architect. He’s the person who needed something to work on a Friday afternoon and made it happen.

A catalogue takes what Gary figured out and makes it findable by everyone. Not because Gary is leaving (although he might), but because an organisation running on one person’s memory can’t scale, can’t audit, and can’t answer a regulator on a timeline that doesn’t involve a war room.

Build it for humans, not for the compliance binder

You’re not cataloguing everything at once. Pick the datasets that matter most: the ones feeding the AI initiative, the ones the auditor will ask about, the ones 3 teams are arguing over right now. Start there. Most organisations are at the mercy of whoever happens to know where things are. A catalogue replaces tribal knowledge with something that survives a resignation letter.

IT could build this alone. If business units don’t use it, it’s shelfware within a quarter. The catalogue has to be intuitive enough that a project lead in Winnipeg can search it without filing a ticket with the team in Regina.

Treat metadata like infrastructure. Ownership, access rights, classification, lifecycle status: tagged and maintained. Most organisations build the catalogue, declare victory, walk away. Six months later the metadata is stale and the whole thing is about as useful as the spreadsheet it replaced.

Microsoft Purview handles the heavy lifting: automated discovery, classification, lineage tracking, sensitivity labelling across cloud and on-premises. The tooling exists. The discipline to keep feeding it is the part that separates a catalogue from a monument.

What a catalogue protects you from

The PowerSchool breach is the headline version. The quieter version happens every week. AI trained on unvalidated data. Test environments running on unmasked production records. Migration plans stalled because nobody can confirm what’s in scope. Legal finding out during a review that was supposed to be routine.

The catalogue answers the question that precedes every other question: what do we have?

Where this leads

Once you can see what you have, the next question is who else can see it. That’s Your policy says one thing, your environment says another.

After privacy comes the rules that keep the catalogue honest. That’s Nobody gets promoted for governance work.

And if you’re looking at how cataloguing connects to whether AI initiatives ship or stall, that’s what the AI Readiness service is built around.

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA