The Whole of Government Data Strategy: sharing versus protecting

Opinion piece by Rachael Greaves published in The Australian, December 14th 2021

The Government’s Data Strategy must address the conflict between data value and data risk

By Rachael Greaves, CEO and Co-Founder, Castlepoint Systems

A new Federal Government Data Strategy is due to drop soon and will focus on collaboration, re-use, and security. These themes have been consistently championed by government departments, and are already key aspects of the overarching Digital Economy Strategy for whole-of-government.

What the strategies don’t address explicitly is how we as a nation will manage the inherent conflict between data value and data risk. We get value from data by using it, sharing it, and integrating it together. But the more we use, share, and connect data sources, the greater our security risk grows.

Aggregating and making data accessible is directly at odds with the zero-trust model of security.

That’s not to say we shouldn’t do it – and in fact, increasing data visibility can help manage risk. Knowing what we have, where it is, and who is doing what to it helps us understand our weak points. One of the key causes of breaches is ‘dark data’ – risky information (like IP addresses, passwords, or personal information) that’s ‘lost’ in the environment, not being controlled. The organisation’s governance team may not be able to find it, but a threat actor can. They tend to have more time than the overstretched security teams, and better tools.

So, if we are going to take more steps towards linking data and making it more accessible, it’s clear that we need to put more sophisticated tools in the hands of our own people. They need to have eyes-on everything that’s happening, so that they can identify risks as soon as they emerge, across the network, and act on them before they can cause a breach.

But there’s one more thing we need to know in order to properly manage our risk: what rules apply to that data, and are they being met?

The government recently made vaccination certificates available for all Australians via MyGov. These can be downloaded and shared with any organisation that needs to validate vaccine status (like employers, or universities).

But the certificates include an Individual Health Identifier (IHI), which is high-risk data subject to secrecy provisions under law. This protected information is now spilling into organisations all over Australia, exposing them to penalties for unauthorised IHI use and access.

In most organisations, IHI has never been on the radar as ‘sensitive information’. It’s not security classified, and there are no measures in place to seek and destroy IHIs that enter the network (or, indeed, to stop them coming in in the first place).

So, in this case, using IHI on certificates as a means to get more value, by better matching and relating data sets, has introduced a significant risk. Not all States and Territories have included the IHI on their certificates, so it’s clearly not essential. But it must have seemed like a good inclusion to someone. That person or group probably did not consider regulatory rules as a factor of the risk/benefit equation.

There are more than 500 secrecy provisions in Commonwealth legislation, with civil and criminal penalties for breaching them. Most organisations are unaware of the scope and scale of these obligations, and cannot map them to their information assets.

This means they cannot properly determine what liability they will have for a breach of that data. Earlier this year, an Australian university contacted us on a Friday, having detected a breach. By Saturday night, we had indexed and registered all of the spilled data so that they could audit it. But we also coded their relevant secrecy provisions, to quantify what penalties they might be facing, and coded their Records Disposal Authority, to show what spilled information they could (should) have already disposed of. When the ANU was breached in 2018, 19 years of student records were taken (including mine), information the University should have disposed of after seven. So, failing to know and apply these kinds of rules leaves organisations very exposed in terms of defensibility.  

As concerns grow about the increasing scale and frequency of cyberattacks and we debate how best to protect important data in the context of the Critical Infrastructure Bill, we must hope that the Data Strategy provides clear guidelines on the importance of understanding (and automatically applying) the full scope of regulatory rules to our data.

This will help manage the tension between the noble, but polar-opposite, intentions of collaborating and protecting. Mapping the rules tells us what we can share, and what we can get rid of, as well as what we must protect, and what happens if we don’t.