Australia’s government agencies and the changing landscape of privacy
As citizens, we’re interacting with data in a changing way, as awareness around the lifecycle of data once it’s left our control becomes daily news. This was precipitated by a scandal involving Facebook and political marketing firm Cambridge Analytica, and has continued with revelations involving businesses, government agencies around the world, and universities involving security breaches, misuse, loss and opaque issues around the lifecycle of information. The relationship between governments and citizens, in the context of the collection and storage of deeply personal information, has come into sharp relief in 2018.
At CSIRO’s Data61, finding solutions to the challenges raised by shifting attitudes and increased sensitivity towards security and privacy are a priority. The secure collection and storage of information created by citizens remains a focus, given the dire consequences for all parties if sensitive information is lost or stolen.
Cybersecurity
The most recent quarterly report from the Office of the Australian Information Commissioner (OAIC)’s Notifiable Data Breaches Scheme (NDBS) reveals an important breakdown of data loss in Australia:
Source of the breaches reported in the quarter.
Human error dominates the sources of breaches of personal information in the quarter, closely followed by malicious criminal attack. The prevalence of this human element in data breaches is significant, as human error can be trickier to understand and preempt.
Government agencies are sensitive to the risks of sensitive personal information being subject to intentional or unintentional loss. It’s a combination of retaining the trust of the people who create the data, and boosting compliance with current and new legislation, such as the OAIC’s NDBS . Any instance of data loss or theft, through negligence or malice, is considered a significant lose-lose situation for government agencies. Once trust is lost, it’s incredibly difficult to get it back. Boosting cyber security is therefore an increasing priority for Australian government agencies.
Data61’s cyber security research and product development has focused on ‘trustworthy’ systems – technology that protects the information of users. In addition to the clear threats relating to cyber security, privacy can be protected through the use of technologies that enable analysis without risking leakage of personal information.
Privacy preserving technology
Ben Kloester, Senior Product Manager at Data61, highlights the importance of finding a balance between protecting privacy and enabling the utility of data sets for Australian government agencies.
“It’s pretty clear from the budget that the government is moving forward with the major recommendations of the Productivity Commission on data availability and use, and one of the big emphases in that report was on how society should decide this balance between the public good and the individual right to privacy,” he told Algorithm.
“Sometimes this is simplified by giving the individual the choice – the Consumer Data Right is an example of handing a lot of control back to the individual, so it can be win-win in that sense. But you also have questions where the privacy – utility trade-off is much more relevant – for instance this idea of national interest datasets, which is about using the data of many individuals to benefit all of society. And this a trade-off where lives are genuinely at stake, so maximising the utility is obviously of concern.”
Data61’s research and capabilities create breathing space in this sensitive trade-off, through obfuscation of data, encryption to facilitate analysis without exposing raw data, and the de-identification (and assessment of re-identification risk) of sensitive data. Ben expanded on this,
“The notion of what is identifiable has shifted enormously, in part due to sheer volume of data, from naive assumptions that removing name and date of birth is ‘de-identified’, to a recognition of the mosaic effect – where almost anything can contribute to identification. This has lead to demand for more rigorous guarantees of privacy and measures of re-identification risk, which our research and technologies seek to address.”
An undeniable component of the increasing use of large data sets to derive novel insights about human life is the applicability of this trend to the operation of government agencies. The risks and benefits are numerous, and establishing positive outcomes for every party involved is a priority, facilitated by our scientific and analytical prowess in privacy and security.