Data as a Strategic National Resource: The Importance of Governance and Data Protection

39934477_s (1).png
 
 

As we rapidly move toward a technology-driven, globally interconnected world, the exponential growth in data collected by business and government enables significant value to be derived from this resource. In December 2015, the Australian Government released its Australian Government Public Data Policy Statementas part of the National Innovation and Science Agenda, recognising data as ‘a strategic national resource that holds considerable value for growing the economy, improving service delivery and transforming policy outcomes’.

While there is the potential to derive enormous value from data, there is a fundamental requirement that data be secured, meaning both government and business must protect citizens’ and consumers’ personal information. Key to achieving the benefits of data optimisation and mitigating the inherent risks is governance. Good governance enables organisations to control data by securing, protecting, managing and optimising the value of data.

Digital Continuity 2020 Policy

Supporting the Australian Government’s digital transformation is the Digital Continuity Policy 2020, which applies to all Australian government agencies. The keystone of the policy is Principle 1, which states that information is valued. It requires by 2020 that ‘agencies will manage their information as an asset, ensuring that it is created, stored and managed for as long as it is required, taking into account business requirements and other needs and risks.’ This principle recognises that:

‘Information is a key strategic asset and economic resource of the Commonwealth and is as important as budget, property and equipment. Digital information management enables efficiencies in service delivery, increases opportunities for information sharing and can improve business decisions and accountability.’

Data Delivering Value

The following illustration shows that data or data sets from which accurate information and insights can be drawn is of high value because it supports and results in decisions that deliver on strategic goals.

 
Picture1.png

Data Governance

To achieve the potential gains from the exponential volumes of data being created, collected and stored, it is essential to collect and manage data in accordance with appropriate policies and procedures. Doing so ensures the data is properly controlled, as well as accurate and reliable so that insights and information obtained are also accurate and reliable. Therefore, data governance is the way in which data is controlled, managed and optimised. It comprises policies, procedures, and the mechanisms by which these are coordinated within organisations to control and manage data. Importantly, the policies and procedures need to include accountability mechanisms.

Data governance requires clear policies and procedures, including:

  • Data policies;

  • Data standards;

  • Data roles and responsibilities; and

  • Accountability

Data that is no longer required to be retained for record-keeping obligations or business purposes – referred to as redundant, outdated or trivial (ROT) data – should be disposed of in accordance with accountable archiving and retention policies and disposal schedules.

Cybersecurity and Protecting Personal Information

Data needs to be secured and personal information protected. As David Fricker, Director-General of the National Archives of Australia, stated earlier this year in the Australian Strategic Policy Institute (ASPI) report, Identity of a Nation:

And more often than not, the intent that motivates a cyberattack is access to data. It’s the data that needs to be protected from exfiltration, manipulation, or destruction because it’s the data that holds information critical to Australia’s agency and success as a sovereign nation.

Therefore, cybersecurity and information technology policies and processes, together with privacy policies and processes, need to align and coordinate with the overall management of data. This includes privacy impact assessments (see Australian Government Agencies Privacy Code) and embedding privacy by design and ethics by design in governance policies and data initiatives.

Australian government agencies are required to comply with the Australian Government Agencies Privacy Code, which began on 1 July 2018. As the Office of the Australian Information Commissioner states, the Code ‘symbolises thecommitment of Australian government agencies to the protection of privacy, and helps build public trust and confidence in personal information handling practices and new uses of data proposed by agencies.’

AI Data Ethics and Governance

The UK Information Commissioner’s Officer report, Big data, artificial intelligence, machine learning and data protection, describes the connection between big data, artificial intelligence (AI) and machine learning as follows: ‘AI can be seen as a key to unlocking the value of big data; and machine learning is one of the technical mechanisms that underpins and facilitates AI. The combination of all three concepts can be called ‘big data analytics.’In the context of the significant value from AI and its potential for good (e.g., delivering improved services to citizens and consumers) and the risks (e.g., privacy breaches through reidentification of personal information, lack of algorithmic transparency or algorithmic bias and/or discrimination, increased cyber risks arising from the size and value of the data), there have been a number of papers and guidelines issued for ethics in AI. This includes, The Ethics Guidelines for Trustworthy Artificial Intelligence (AI), published in April 2019 and prepared by the High-Level Expert Group on Artificial Intelligence, which is an independent expert group set up by the European Commission; and Artificial Intelligence: Australia’s Ethics Framework, a discussion paper developed by Australia’s leading data innovation group, CSIRO’s Data 61, and released in April 2019 to publicize the government’s approach to AI ethics in Australia.In May 2019, the Organisation for Economic Cooperation and Development (OECD) adopted its Principles on Artificial Intelligence, the first international standards agreed by governments for the responsible stewardship of trustworthy AI. The standards include recommendations for public policy and principles to be applied to AI developments around the world. The principles ‘promote AI that is innovative and trustworthy and that respects human rights and democratic values’.

A key issue in considering the role of ethics in AI is the development and application of an ethics assessment as part of or in addition to the aforementioned privacy impact assessment requirement. The challenge for organisations across government and business is grappling with the myriad of data opportunities, new and rapidly changing technologies, and data risks. This can be addressed by implementing a unified strategic governance framework that is cohesive and features strong accountability mechanisms. Top-down leadership and collaboration across organisational silos and professional disciplines responsible for the different facts of information are key to successful implementation. This includes: information technology and cybersecurity, data/digital strategy, legal, privacy, records and information, innovation and other stakeholder areas within an organisation.

Information Governance

As part of the Digital Continuity 2020 Policy, Australian Government agencies are required to implement an information governance framework to manage information assets across the entire organisation to support its business outcomes. It sets out the steps involved in building a robust framework to ensure that the overall legal, regulatory and business contexts, within which information assets are created, are used and managed. This enables coordination, planning and leadership throughout the whole agency. The importance of governance and a whole-of-government approach is highlighted in the ASPI’s Identity of a Nation report as being necessary for ensuring robust and reliable management of national identify data.

Benefits of Good Governance

The benefits of good data governance include improved accuracy, reliability and integrity of data, and accountability.

The benefits of good information governance include a holistic approach for data and information throughout the organisation to improve accountability and reduce risk.

Good governance means a unified strategic approach that meets the organisation’s strategic objectives and, in the case of a government agency, the whole-of-government objectives. It includes cohesive policies, procedures and frameworks with top-down leadership, and well-implemented accountability mechanisms.

Good data and information governance requires effective implementation of policies and processes and robust frameworks, together with fit for purpose technologies and people equipped with the necessary data and information capabilities for the work they perform. All in all, good data and information governance enables whole-of-government innovation and provides value for growing the economy, improving service delivery and transforming policy outcomes for all Australians.

Susan Bennett LLM (Hons), MBA, FGIA, CIPP/E

Principal, Sibenco Legal & Advisory

Co-founder & Director, Information Governance ANZ