It is hard to overstate the importance of the federal government’s decision to create a consumer right over the data created about them.
Spurred by various inquiries calling for measures to enable consumers to more easily shop around for their financial and utility providers, federal cabinet has created a right designed to give citizens control over the data that is collected about them. The right will enable consumers to send their usage data to a competitor, to get a better deal based on their actual spending, usage and saving patterns.
The new right is predicated on the view there are enormous economic and societal benefits to better understanding the modern world through shared data. Better competition has been called out, but the benefits in collating and integrating administrative and personal data across virtually every sector in the community, are now obvious to everyone.
The Productivity Commission (rightly) convinced Cabinet that to seize these benefits it is imperative to build a national framework that gives citizens confidence in the governance of data and their ability to control the data created about them.
How much actual mobility and better consumer outcomes this will really lead to, is a leap of faith by Canberra’s econocrats. In the much-maligned finance sector, the competition regulators think giving consumers “control” over what in essence is their credit rating, will spur innovation and competition through the fintech sector. How much this reduces the well-documented premiums Australian bank customers pay for core services, is frankly anyone’s guess.
What value data?
Data is often touted as the currency of the so-called gig economy, but as the Facebook-Cambridge Analytica data leakage fiasco reveals, we are really only at the silent movie phase when it comes to considering data, its real value to the economy and society, and how to govern and manage the inevitable sharing of data across the economy and society.
At its highest, data is a slippery concept. Economists and accountants still can’t agree on how to even value it. This means you won’t see on any company’s balance sheet any precise valuation around its data holdings. The entire business model of companies like Uber and AirBnB is based on manipulating data for commercial gain, but yet we have no agreed way of valuing that data. Modern banks derive major returns through their management of transactional and other data, but again there is no dollar value associated with these holdings.“We are really only at the silent movie phase when it comes to considering data, its real value to the economy and society, and how to manage the inevitable sharing of data.”
Data gains value through its application and linkages and, to date, we haven’t found a way to slot it into commonly understood accounting and economic frameworks. This makes it difficult to measure, for example, how much is the right amount to invest in cyber security. And suggests much of the enormous economic value created through two decades of digitisation is currently built on sand.
Which makes this week’s announcement of a consumer data right very brave, especially for a country that has been a major laggard around digital rights and privacy.
Australia plays catch-up
The new European data right (known as GDPR) begins this month and is light years ahead of anything Australia could possibly design and will have a significant impact on any Australian business with European data holdings or digital processes. The public policy debate in Australia about GDPR has been nought.
Basic digital policy issues, such as cookie management, do not follow, and the right to be forgotten are not even on the regulatory horizon in Australia and, in any case, which regulator has the skills and clear mandate to consider how to apply them?
For a country that does not even have a privacy right, we have just created a whole new statutory right around data that goes to the heart of our modern economy and society. This is not to criticise the data right initiative, but to be realistic about our capabilities to drive a mature and sophisticated whole of economy approach to the many issues it raises.“Basic digital policy issues, such as cookie management, do not follow, and the right to be forgotten are not even on the regulatory horizon in Australia.”
Legally, the creation of a sophisticated right over the data created about you, is a major regulatory change and will have profound impact on many industries, ranging from e-commerce and marketing to sensitive data areas like health care and public safety. It could also be a significant measure to help break down the global platform dominance that worries many economists (and market incumbents, most notably Rupert Murdoch’s News Corp).
The new right will initially apply to the banking, energy and telecommunications sectors, and “will be rolled out to other sectors over time.” What data the right applies to is mired in legal and technical complexity. The sheer volume of structured and unstructured data being generated through digital commerce, not to mention social media and common, everyday events, like catching the train or driving, is huge. And growing exponentially.
And that is before we really fire up our networks with billions of internet-connected beacons and devices, powered up by ultra-fast, low-latency, fixed and wireless broadband.
This data ranges from core “transactional” data to enormous amounts of metadata, including location and time, and a raft of tags, pixels, scripts and personal identifiers. This is more than enough data for experts to agree that advances in computing means that, for at least the next decade, citizens should be wary of any claims of complete anonymity.
Big transactional businesses, like banking and telcos, argue the business intelligence that gets thrown from their systems goes to the heart of their competitive advantage and are very wary of sharing anything but the most elementary account data. Where that line gets drawn, is going to be a major battleground for every serious industry lobbyist in Canberra.
Digital smarts hard to find
The new data right leapfrogs Australia to the front end of countries looking to develop regulation around data rights and usage — at a time when frankly our bureaucratic policy skills and understanding of data are woefully thin.
This is especially so in Canberra where sharp, digitally aware, policy resources are spread thinly across a variety of portfolios, including Prime Ministers (which includes the Digital Transformation Agency), Defence, Attorney General’s, Home Affairs, Industry, Communications and Treasury. Here we are, in the third decade of the digital revolution, and there is no centralised capability around digital policy and regulation. Nowhere is a holistic view of the sophisticated policy frameworks we need to rapidly build if Australia is to successfully snare its share of the global digital economy.
Much of the real technical capability sits in the big service delivery agencies such as Human Services, the Australian Tax Office, Immigration (now part of Home Affairs), and in its own way, the Bureau of Meteorology. This capability, however, is a long way from the central policy agencies and is predominantly focused on core legacy and renewal projects.“Nowhere is a holistic view of the sophisticated policy frameworks we need to rapidly build if Australia is to successfully snare its share of the global digital economy.”
Through a national security lens, there are also solid cyber skills and practices in the Department of Defence and the ADF’s emerging information warfare capabilities. How solid, is hard to assess, but we face at least five years where Australia (and the West) will be playing catch-up against the offensive capabilities, now very much on show around the world.
Meanwhile, in a world where regulatory compliance has been front page news, our regulators seem to be sleep walking into the world of real-time regulatory compliance. This is where regulation is codified in a way that enables instantaneous, machine-to-machine, checking of core regulatory requirements across various domains. Absolutely made for product and service-level compliance that government spends millions on in the financial, telecommunications, transport and utility sectors. Well implemented, it promises to end the sort of compliance nonsense the Financial Services Royal Commission has been exposing. And fundamentally changes the role of regulators from being administrative, tick-the-box, compliance auditors.
Canberra has also been slow out of the blocks around the whole data exchange and matching issue. ABS has been integrating data for years, but only last Budget finally got serious funding to create a safe, professionally managed, data integration platform for researchers to tap so-called anonymised administrative date.
Most of the states now have maturing data access and sharing regimes, with South Australia the leader in the nation. South Australia got out in front by leading the conversations around the public benefits of sharing data, children at risk being the exemplar. Instructively, the New Zealand government is at least two years ahead of any thing in Australia around data integration and exchange. The Kiwis are taking a typically practical, permission-based approach, to solving real citizen issues through integrated personal services (eg birth of a child, death of a relative), that are still many years away in Australia.
Governance is critical
The creation of a data commissioner to implement a simpler and more efficient data sharing and release framework within government is long overdue and will help overcome the huge aversion to data and information sharing that exists in all tiers of government. Fearful of being liable for data breaches, often uncertain as to the pedigree of the data they hold, and worried about what will happen to the data they pass on, officials are culturally very wary of any data integration initiatives.
Even in states where the statutory barriers to exchanging data between agencies have been lowered, there remain deep-seated anxieties about even the most basic of data sharing for research and policy purposes. In both NSW and Victoria, their advanced data analytic projects have seen long delays, as agencies cautiously consider the release of every data set.
And this is at the lowest end of data matching and integration — data science-type projects.
We have already seen how the “Robo-debt” exercise of matching Centrelink and Tax office data can go awry, when starting to use data for compliance enforcement and fraud purposes. In the case of, say, family violence, linking various operational systems like justice, health and education, to better respond to victims is a no-brainer, but requires a very sophisticated set of protocols, governance and engagement skills.
Victoria’s approach of building consensus around a royal commission has helped create the environment for a sensible discussion around the operating system and architecture for data sharing hubs to ensure an integrated response to victims of family violence. It is this type of full-court, strategic work that needs to be done, if government is to win the debate around personal data.
The huge prize is precision government, where services are tailored to each citizen based on a deep understanding of their needs. Personalised health and education plans are already being touted by federal cabinet ministers, where health services and schooling is designed around a precise understanding of each person’s data map. Better services, focused on those who need them, is a win for everyone.
But the obvious anxieties of an Orwellian world where big government has all its large agencies totally hooked up, means there needs to be a very considered and mature approach to balancing the public benefits of data integration with the high-profile governance risks of getting it wrong. The interaction of data and privacy is proving to be very complex and in many ways paradoxical, as large numbers of users seem ready and willing to forgo basic privacy norms, in return for free access to powerful platforms.
This demands an engagement approach that government still really struggles with, especially in Canberra, where on-the-ground service delivery is so far away from the policy bureaucrats. Getting real and sophisticated citizen engagement is a challenge governments agencies are just coming to terms with, let alone driving sophisticated all-of-government approaches to such a major and controversial shift in the basic government operating model.
Identity, the elephant in the room
Identity in a world of joined-up services is absolutely critical. As we build integrated services across jurisdictions (eg birth of a child), agencies have to be confident they are dealing with the same citizen to ensure the right person is getting that service. The resolution of how we verify and manage identity has been effectively stymied, after the Australia Card fiasco in the Adelaide by-election in the mid-1980s spooked a whole generation of officials and ministers.“The huge prize is precision government, where services are tailored to each citizen based on a deep understanding of their needs.”
We are edging forward, but remain a long way from a workable identity model that all government, private providers and citizens are vested in.
Having wired up a whole generation to live their life on the internet, the lack of a working identity model is now reaching crisis stage as the economic and societal costs of identity fraud goes through the roof. Governments (and business) are busily spending billions on digital moats, when in reality they cannot be defended. This demands much more higher-level thinking, than the relatively technocratic approach all Australian governments have taken to identity to date.
Faced with billions of dollars of ICT spend to defend their information systems, some states are starting to rethink their whole identity play. This is especially so in the health sector, where the massive number of public and private operators, means it is fanciful to think we can build a secure and resilient system for confidently moving sensitive patient health data around.
Strategically, this means really questioning key assumptions and operating protocols that have underpinned the till-now analogue version of government. This could start with legislation. The whole, top-down, Westminster approach could not be further from the citizen-at-the-centre model, digital government is built around. In New Zealand, they are starting to explore what this actually looks like, a world where legislation is drafted using user-centred design models, rather than the traditional, government-knows-best approach.