Brian Fletcher is director of government affairs for Symantec in the Asia-Pacific region and spent 21 years working for the federal government in cyber security. In this article he offers five tips to tighten privacy controls in the public sector, as mandatory data breach reporting comes into play.
When reading coverage of the changes to the Privacy Act, you could be forgiven for thinking that the main impact of these new laws is limited to the private sector. In reality, the Privacy Act has as much, if not more, of an impact on the Australian Public Service than on the country’s private sector.
The Privacy Act was first brought into being in 1988, partly as a result of concerns raised by ordinary Australians about how the federal government was handling their data in the wake of the failed Australia Card policy. While this fear of government misuse of data may be somewhat misplaced when compared to the wholesale collection and use of personal data by some parts of the private sector, it reflects a general public concern about personal data.
The 2017 Australian Community Attitudes to Privacy Survey from the Office of the Australian Information Commissioner found that only 58% of Australians regarded governments as trustworthy custodians of personal data. This is on par with the financial sector but well behind the health sector, which polled at 79%.
The very public recent Census debacle did not help. Now, more than ever, citizens are concerned about how their data is handled.
The scrutiny of the government’s handling of data is somewhat unfair, considering how well some parts of the government handle very sensitive personal data. However, as perception is reality for many, it would not take much in the age of mandatory data breach reporting for that trust to be shaken further.
So with that in mind, here are some suggestions to maintain better privacy in the public sector:
1. Implement the top four cyber security strategies.
These are whitelisting applications, patching applications, patching systems and limiting administrative privileges. According to the Australian Signals Directorate and the Attorney-General’s Department, this is the bare minimum agencies need to do to protect data. In the wash-up from any future breach, an agency that had not implemented these would be looked upon particularly poorly.
2. Only collect the minimum amount of personal data to do the job.
In years gone by, agencies required mountains of data to provide very basic services to citizens. Less data means less to protect and less that can go wrong. Review your business processes – you might even find other process efficiencies as you improve your privacy posture.
3. Update your risk registers.
The risk of being publicly named as a recalcitrant data custodian needs to be considered — particularly as nobody wants to be the first.
4. Raise awareness of privacy requirements.
People are a very important part of good privacy practice. Now is the time to remind staff of their obligations under the agency’s privacy guidelines. A simple awareness campaign on privacy could save the agency the embarrassment of being publicly named after a relatively simple process error.
5. Include the privacy officer in new projects.
Yes, it is another issue you need to account for early in project planning, but building privacy in from the beginning will save far more time and money than retrospectively applying it to a near-complete project.
Privacy compliance does not need to be onerous. It requires technology, business processes and people all working together to protect the privacy of personal data. It is not an impossible task, but getting it right will save you and the agency the very embarrassing scrutiny of public opinion.