Webinars      Login/Register      Cart

InfoGovANZ

Information Governance Think Tank

InfoGovANZ

AI Transparency in Digital Government Highlights

by

To celebrate Right to Know 2020, Information Governance ANZ were delighted to host a timely discussion on the right to access information and the use of algorithms in government decision-making.

This interactive forum was facilitated by Susan Bennett, Founder of InfoGovANZ and our special guests included:

  • NSW Information Commissioner – Elizabeth Tydd
  • Victorian Information Commissioner - Sven Bluemmel
  • Senior Research Fellow, University of Cambridge – Dr Jat Singh

The increasing adoption of technology across society, including in government, requires the preservation, assurance and assertion of information access rights. The right of access to government information also extends to information held by contractors that provide services to the public on behalf of government.

Applying and challenging these rights becomes more complex in the new world of automated decision-making. Legal frameworks, licensing and contracts must evolve to ensure information governance is applied to the design and use of algorithms, so that rights and interests are protected.

Commissioner Sven Bluemmel on building trust through transparency

Commissioner Bluemmel explained that Right To Know Day is actually an global event, recognised as International Access to Information Day (IAID). It aims to raise awareness of the importance of open government, and the public’s right to access government-held information.

We consider this right as the foundation for transparent and accountable government in a democratic society, supporting public participation and scrutiny of government decisions, and by extension supporting better decision-making.

As the public sector is increasingly making use of technology such as artificial intelligence (AI) to provide services and make decisions, there are questions about how the principles of good governance can best be applied. OVIC published an e-book called “Closer to the Machine”, exploring the technical, social and legal aspects of AI, including algorithmic transparency.

The Commissioner noted the importance of trust to the relationship between government and citizens. The relationship people have with government is very different from their relationship with a business or other kind of service provider where an algorithm could be considered the “secret sauce”.

Government decisions impact people’s livelihoods, their freedoms and human rights. It’s one thing if an algorithm incorrectly predicts my favourite songs or shopping preferences. It’s quite another if I’m denied a pension or parole based on an automated decision.

So government has to take a very different approach to the application of AI and similar technologies. It has to ensure transparency and accountability are fully supported so that decisions can be explained, challenged and, most importantly, trusted.

This aspect of trust and trusted information is especially important during times of crisis. “Forcing” people to do the right thing is far less effective than having a trusted relationship with constituents. There has to be trust in the government’s motives as well as its mechanisms. In this situation, reliance on defensible data and explainable modelling comes more into play.

Commissioner Elizabeth Tydd on the shift to digital government

Commissioner Tydd mentioned some findings from the IPC Community Attitudes Survey. There is growing support (72%) for government use of de-identified data to plan and deliver public services. There is also strong demand for accountability and transparency in the collection and use of data with 78-81% support for more public reporting. Overall, 88% of respondents said their right to access government information was important.

People are becoming interested in a wider range of information, not only access to their personal information or information about government services. They also seek access to information about how policy is developed and how agencies operate. This has implications as government makes use of data and technology in new and different ways. Administrative practices must evolve to safeguard the right of access to information.

The Commissioner highlighted several case examples challenging algorithmic transparency in government decision-making and asked: Is the concept of access to information sufficiently “malleable” and “future proof”?

In one case, a social housing tenant challenged the calculation of their rental subsidy, which had been determined using an algorithm. It was difficult for the agency to respond to the citizen’s request for information about the decision-making process. Procurement of the system was below the threshold for public reporting on government contracts, and the developer claimed that details of the algorithm were commercial-in-confidence.

In NSW, the GIPA Act applies beyond government agencies to include certain information held by other organisations contracted to provide a public service. But the way this applies to automated decision making is still being tested.

The Commissioner noted that access to information is an enabling right – it enables a citizen to assert other rights. If access to information is restricted it can have much wider implications. She stressed that “accessibility” means information must be understandable on every level. It’s not sufficient to simply release the source code or require the expertise of a data scientist. Access must also come at minimal cost to the applicant.

In another case study, the Gradient Institute considered an AI-driven system for financial approvals, based on credit history and past transactions, which unfairly discriminated against female applicants. Historical data can introduce bias and AI predictions may become less accurate as society changes over time – leading to more perverse outcomes.

An applicant has the right to understand how a decision was made, but there are also sound business reasons for explainability and algorithmic transparency. The design phase is key. Organisations must ensure their processes are auditable, to understand how learning and recalibration happen.

POLL: Who is using machine enhanced or automated decisions – a high proportion “don’t know”.  Does this suggest that information governance practitioners need to get more involved with AI and machine learning projects?

Dr Jat Singh on how automated decision-making works

Dr Singh noted that automated decision-making sits at the intersection of law, policy, community and technology. He mentioned the difference between automated decision-making and enhanced decision-making, where machine learning uses data to determine probability or make predictions that support human decisions. It is a policy decision, not a technical decision, to determine what kinds of data use are appropriate.

A recent example of enhanced decision-making involved COMPAS software which uses algorithms to assess potential risks of recidivism. Judges may use these predictions to inform their decisions when detaining or sentencing a defendant. The algorithms remain a trade secret and this lack of transparency could cause a breach of due process. The case study also raised concerns about machine bias resulting from training data or input data, rather than the algorithm itself.

Dr Singh emphasised that accountability relies on explainability, but it can be challenging to explain how an algorithm works and make it transparent. Each stage of system design involves embedding norms, potential bias and assumptions – not just the training data. There is also a risk of “model skew” over time. Developers must consider whether a model is still fit for purpose in relation to the data and as society changes. Whether the model needs retraining for a business or other purpose, auditability is essential.

The key is to look more broadly at the system as a whole and identify information that can be made available. For example: information about the underlying data used by the algorithm; its source code and performance or test criteria; the software on which it is built; the process steps or workflow for a decision; and how it is deployed – whether a decision automatically triggers an action, or simply provides advice to a decision-maker. This means record keeping is required at all stages, to answer questions that will arise.

Releasing such information enables people to oversee, interrogate and challenge the validity of the system, as well as the validity of a particular decision. It also helps to improve the accuracy and fairness of algorithms. To be auditable, systems must be able to expose the relevant information in real time and this capability should be clearly defined from the outset.

POLL: Who has received an application for access to an algorithm or information about an automated decision – only 13% of webinar participants.

Many citizens don’t yet know they can ask for this kind of information, but this is changing. NSW IPC have published a fact sheet for citizens and another fact sheet for agencies to raise awareness about automated decision-making and information access rights.

Susan Bennett on the multidisciplinary approach to governance

Susan emphasised that it is important to establish the purpose of new technology, how it aligns with the goals of the organisation and understand who is the intended beneficiary.

She observed the growing interest also in privacy and that effective assessment of ethical data use and privacy impacts requires a multidisciplinary approach. Boards and senior executives must consider whether their organisations have the right governance structures in place to deal with these issues.

Procurement processes have a critical role in achieving privacy “by design” approach, ensuring that licences and contracts include the provisions to meet information access obligations. She pointed out that the “right to audit” should be included in contracts, not just in relation to data breaches but in order to confirm a solution is working as intended.

Organisations must also continue to invest in the fitness of their systems as data, technology and society change.

If you would like to listen to the full discussion you can access a recording of the session here.

Sonya Sherman is a member of the Information Governance ANZ advisory board member and Principal at Zen Information.

APAC Privacy Law Update: Cross Border Transfers

by

With a range of new regulations, tools and projects underway, Information Governance ANZ were pleased to host a virtual forum with updates on the latest data privacy developments across the Asia Pacific region.
This interactive session was facilitated by Susan Bennett, Founder of InfoGovANZ and our special guests included:

  • NZ Privacy Commissioner – John Edwards
  • Senior Research Fellow, Asian Business Law Institute – Dr Clarisse Girot
  • Director, Simply Privacy – Daimhin Warner

Commissioner John Edwards on the new NZ Privacy Act

New Zealand’s Privacy Act 2020 comes into force on 1 December 2020 and introduces new limitations on cross-border transfers.

Commissioner Edwards spoke about the new legislation and provided a brief history of the Act since 1993. It applies across the economy (both public and private sector organisations), is based on the 1980 OECD data protection principles and is technology-neutral. He noted the Act has remained largely unamended during the intervening decades.

New Zealand received an ‘adequacy ruling’ by the European Commission recognising that it provided an adequate level of protection to personal data of European citizens.  In 2011 the Law Commission carried out a review and found the Act remained broadly fit for purpose, although some modernisation was recommended.

The new law comes into effect from 1 December. It includes some new obligations and policy initiatives, including mandatory breach notification. It sets quite a high threshold for harm criteria, to prevent “over reporting” which can undermine public confidence.

The Office of the Privacy Commissioner has released a reporting tool, Notify Us, to help organisations assess a breach situation and report appropriately. The tool was developed with a user-centred design approach, to enable assessment and reporting even if the user knows very little about the Privacy Act.

The Act includes a new principle, limiting general powers of disclosure for overseas data transfers. It is not considered a disclosure if data is simply stored or transmitted, for example in a software-as-a-service or hosted environment. Data must not be used or tracked by the IT service provider for their own purposes. As with GDPR, there is some extraterritoriality and the Act will still apply if the organisation is considered to be carrying on a business in New Zealand, even if the recipient is outside New Zealand.

To facilitate cross-border transfers of personal information, advice and model contractual clauses will be available from the OPC website, along with another tool to print out tailor made contracts.

The Commissioner can issue compliance notices, not fines – although there are criminal offences for impersonating an individual or destroying personal information that has been requested. He noted that updates to the Act are based on recommendations almost 10 years old, so there may be scope for further improvement, but the principles-based approach offers a reliable framework over time.

Daimhin Warner on how practitioners can prepare

Daimhin encouraged privacy practitioners to focus on preparing for cross border transfers, noting there are a few tricky issues to tackle for compliance. The old Act encouraged a ‘reactive’ approach, but the new Act required proactive due diligence.

For example, every entity in a group of companies is considered a separate organisation, so it’s important to manage the risk of disclosure in data that may be transferred within the group.

He noted it will not apply to a service provider or data processor in the majority of cases. Situations that will need more careful consideration may include health research organisations or law enforcement agencies, potentially sharing personally identifiable data with counterparts around the world. Principle 12 does not apply in ‘controller to controller’ transfers if required for public safety.

The Act requires consent to be expressly confirmed but this does not necessarily mean it is freely given. Where citizens are accessing a service provided by government they may have very little choice. Daimhin emphasised consent should always be a last resort.

At a macro level, it can be difficult to compare privacy protections in different jurisdictions and the legal landscape is constantly evolving. As such, regulators are reluctant to issue “white lists” of countries where data can be safely transferred.

Daimhin explained several key things for organisations to consider. He encouraged the use of model contractual clauses issued by the OPC.

He also recommended engaging a local privacy expert, based in the receiving country, to understand how a law is actually being implemented in practice.

Dr Clarisse Girot on the consequences of regulatory cooperation

Dr Girot discussed the interaction and interdependence of data protection laws and data transfer requirements across the region. She noted it is a very complex area of law with a lot of differences in requirements and coverage.

ABLI’s Data Privacy Project considers the convergence of regulations on cross-border data transfers in 14 Asian jurisdictions. It was selected from 850 applications showcased at the 3rd edition of the Paris Peace Forum in November 2020.

The project has produced a comparative table and analytical review of the differences and commonalities across these regulations. It aims to provide up to date information, accessible in English, to support data transfers within APAC and between APAC and other parts of the world.

Data protection laws increasingly include extra territoriality, which means companies may be subject to many laws at once. This is not just the case with GDPR but many existing and upcoming regulations in the APAC region.

There are also challenges of scope. Even when the laws look very much the same, entire parts of an economy or society may not be covered. This has huge implications for regulatory cooperation and assessing adequacy or levels of data protection in a destination country.

Data localisation is another issue attracting attention in APAC. A growing number of countries require data to be maintained onshore not just for privacy reasons but also for national security or digital sovereignty.

Provisions are mushrooming across the region, many inspired by GDPR or OEDC privacy guidelines. A few of the countries issuing new or amended privacy legislation include China, India, Thailand, Malaysia, Indonesia, Sri Lanka and Pakistan. So there is a lot of uncertainty.

Additionally, a recent case between the Data Protection Commission (Ireland) and Facebook (often referred to as Schrems II), raised questions about EU-approved data transfer mechanisms including Safe Harbour, Privacy Shield and standard contractual clauses.

The findings have wider implications globally, including in the APAC region, and may act as the catalyst for regulatory alignment around the world. The interdependence of data protection frameworks is now very apparent. Policy makers are renegotiating and updating standard contractual clauses.

Dr Girot outlined some mechanisms that can be used to promote interoperability, such as contracts, binding corporate rules, certification, codes of conduct and other accountability measures.

Recent surveys show that information governance is regarded as a key enabler for managing data protection and safe data transfers. This includes knowing where your data is held (including copies), lifecycle management, storage and disposal.

If you would like to listen to the full discussion you can access a recording of the session here.

Sonya Sherman is a member of the Information Governance ANZ advisory board member and Principal at Zen Information.

Caryn Png

by

Tell us about yourself?

I grew up in Sarawak, Malaysia and I have worked in various Information Technology disciplines over the past 20 years. For the last 6 years I have been responsible for managing, leading and implementing information and records governance strategy, policies and initiatives for a power utility company in Malaysia.

I also recently obtained the Certified Information Professional (CIP) by AIIM as my career certification path. I am a proud mother of 2 children. I enjoy zumba and I am passionate about family, friends and healthy balanced lifestyle.

What led you into the world of Information Governance (IG)?

Working for an end-to-end energy service provider, the organization operates in a highly regulated industry. In such environment, it is critical for the organization to clearly identify and abide to the relevant regulations and codes of practices. I was tasked to lead the new IG section and to achieve the set objectives and that was how I started in the world of IG.

What pressures are organisations facing to ensure IG best practices?

I think information security is a major driving force for organization to implement Information Governance. Today’s organizations are faced with the overwhelming challenge of managing, finding, and leveraging their information. Before any organisation can find or leverage on any of it, organizations need to first make sure they are safeguarded. The needs have become more apparent as more and more disruptive technologies are invented and rolled out into the industries. One example that I can give is cybersecurity which organisations must tackle. Access to information has become so discrete and fluid that safeguarding the information has become that much harder.

Another pressure point is the need for compliance to regulatory requirements. Organizations would require Information Governance for this to happen. And the challenge of getting this right has become harder than ever. Nowadays, organizations are having difficulties in getting the required critical business information for decision making and organization is also at risk in losing critical business information. As information disorganization are common in many organizations, it increases the risk in breach of information confidentiality, integrity and availability. Non-compliant organizations risk incurring much more than just heavy fine. Loss of customers trust and a damaged reputation are just a few of the risks if information is not tended to properly. These thus put pressure on organizations to embark on IG best practices as quickly and accurately as possible.

What are the biggest developments you have seen in the IG?

Over the last 5 years, the biggest developments that I have seen in the IG is the employment of qualified information management professionals with appropriate skills and competencies. The numbers of certified information management professionals have grown in leaps and bounds all over the world. Moreover, there are various paths to Information Governance professional development nowadays. Formal certifications paths are globally available for IG professionals to demonstrate their knowledge and expertise in various information management-related disciplines.

Do you have any tips for someone starting out in IG?

I think individuals should get as much experience in all areas of Information Governance; strategy and policy, information and privacy, law and regulations, records management, and technology. One helpful advantage is to not think in silo, as governance cuts across domains of management and technology. All these experiences are part and parcels of the journey to implementing proper Information Governance. Never stop learning as Information Governance is a continually evolving program, changing as technology and business needs change.

With the rapidly evolving technologies and digital disruption, where do you see IG heading in the next few years?

As we enter a new decade, we are seeing more and more organizations adopting cutting edge technology and cloud-based workplace. We can work anytime, anywhere! This makes information increasingly tougher to control. Information growth will go on and the need for Information governance cannot be disregarded. I believe organisations will increase their spending on Information Governance products and services to be better equipped when it comes to managing their information.

The future of Information Governance is unquestionably bright. I can see Information Governance gaining more traction within organisations as we enter a world where compliance and security are becoming a competitive edge.

Information Governance by its nature interdisciplinary. In my opinion, to be successful, organization will need to adopt a holistic approach. It takes effort and good collaboration from various teams namely IT, RIM, Audit, Legal and Business Operations in an organization to manage information appropriately and successfully. Any organization that recognizes this effort will undoubtedly be leading the future of information governance.

Why is it important to be a member of InfoGovANZ ?

InfoGovANZ is an interconnected space where members have access to experienced international information governance practitioners sharing and exchanging knowledge, experience and ideas about IG best practices. The networking and professional events are excellent which I find it useful for making new contacts and learning more about what’s happening in the information governance space. I feel very privileged to be a part of InfoGovANZ.

 

 

Exposure Draft of the Data Availability and Transparency Bill

by

 

The draft Data Availability and Transparency Bill aims to modernise and streamline the sharing of government data between agencies and with the private and research sectors. Under the legislation, data will be shared for three purposes: government services delivery, informing government policy and programs, and research and development.  The Consultation Paper contains a simplified summary of the legislative package.

Submissions made by a group of multidisciplinary practitioners and academics highlight privacy and governance concerns.  These include the override of Australia Privacy Principle (APP) 6 and the inherent conflict of National Data Commissioner whose mandate is to encourage data sharing with the enforcement of the regulation.  The submission recommends that governance and assurance be regulated the Australian Information and Privacy Commissioner.  You can read the submission here.

Ilana Lutman

by

Ilana brings more than 20 years of experience as an information professional in government, corporate, industry and nonprofit sectors to Information Governance ANZ's International Council.

 

Having worked in a variety of roles across the information management spectrum, she is dedicated to assisting organizations to be in control of their information assets and helping her clients gain access to the right information at the right time at the lowest cost to maximize workplace productivity. To this end, she utilizes her experience in records management, discovery, litigation support, legal operations, cloud risk evaluation, data privacy and building bridges across disciplines.

 

Tell us about yourself?

I grew up in suburban Sydney and I’ve moved countries twice, first to Israel and then to NJ, USA where I’ve been for twenty years. Subsequently, I’m skilled at starting over and adapting to different lifestyles, cultures, work environments, and making new friends. I love swimming and Pilates. I believe in doing for the greater good and have recently joined the Big Brother Big Sister mentoring program as a Big to my Little 16-year-old sister. Last but certainly not least, I am a mother to two millennials who keep me grounded to what really matters in my life.

 

What led you into the world of Information Governance (IG)?

I came to IG through what I call the “traditional” path. My affinity with contemporary history led me to start in the world of archives, after which I moved into records and information management. With my RIM background I was fortunate enough to land a corporate IG position which enabled me to expand into e-discovery and legal operations.  My journey has been a progression that reflects the maturity and expanding scope of the information management profession. Along the way I completed a Masters in Library and Information Science and became a certified records manger (CRM) and certified information privacy professional (CIPP/US).

 

Tell us about your current role in IG?

After having worked in government, non-profit and corporate, I decided that my next step was to share my craft and experience with a range of clients.  The best way to maximise this was to take the leap into the consulting world and in June 2019 I started at Deloitte in the Information Governance and eDiscovery practice. I love helping clients enhance their organizations’ RIM and IG programs, but the best part is going into a company with my team and leaving it in a better position, more efficient, with more functioning business processes than when we went in. In addition, I’m currently on the ARMA northeast region advisory committee and I facilitate a week on IG for online Records Management classes at several US universities.

 

What pressures are organisations facing to ensure IG best practices?

Writing this as we begin to emerge from COVID-19 stay-at-home orders, the new reality for IG’s future is unknown.  However, IG’s basic tenants of optimizing control, security and disposition of information while mitigating risk will need to continue to function as long as organizations exist.  Pressures to ensure best practices come in the form of external and internal drivers. External drivers include authorities such regulatory and legislative imperatives as well as sectorial and industry compliance and standards. In addition, a huge impetus for many companies is brand reputation, sustainability and loyalty.  No less important are internal drivers such as compliance with internal policies and procedures as well as company culture and mindset.

 

What are the biggest developments you have seen in the IG?

One of the biggest developments I’ve seen in IG is the intellectual thought maturity around IG itself. The last six years have seen a burgeoning in IG models starting with the EDRM, and continuing on with the Compliance, Governance and Oversight Council IG Process Maturity Model, ARMA IG Implementation Model (IGIM), Association of Corporate Counsel Legal Operations Maturity Toolkit, Corporate Legal Operations Consortium and InfoGovANZ. These models are readily available, and each has a different slant that provides a lens through which to view, drive and implement IG frameworks.

Undoubtedly, digitization programmes have had a huge impact on IG as well as data migration initiatives. Finally, the who, what, where, why of records and information and the need for routine deletion is the core of a sound IG program. Most organizations realise that it is important to know data owners, descriptions of data sources, timeframe of the data, location and the purpose of collecting the data and when and how data is dispositioned. It’s our job as IG professionals to get organizations to act on what they know is the right and necessary road to take.

 

Do you have any tips for someone starting out in IG?

IG practitioners come from varied backgrounds – the arts, health sciences, finance, law and IT. A basic function of IG is to build bridges between multi-disciplines such as RIM, privacy, security, RIM and IT (systems and architecture). Anyone starting out today should be competent in several areas and know enough to be able to navigate across disciplines. In addition to hard skills, IG personnel need to bring their soft people skills to the table. So many IG projects depend on integrating teams, negotiating resources and coordinating across boundaries. In addition, IG professionals have to make themselves available for new initiatives and put themselves “out there”. Continual education and self-reinvention are needed to keep moving forward.

 

With the rapidly evolving technologies and digital disruption, where do you see IG heading in the next few years?

The future for IG is positive as long as practitioners consistently align with organizational goals, prioritise information needs and mitigate potential risks caused by inadequate controls. Areas in which IG can partner with business units to be innovative and forward thinking are squeezing the wisdom out of data or monetizing data analytics, using AI for classifying large data sets (think unstructured data on file shares and file sharing sites) and mediating in the tug of war between retaining big data and implementing data anonymization versus the desire to defensibly delete at all costs.

 

Why it is important to be a member of InfoGovANZ?

While I love it in the US and am grateful for the career opportunities and wonderful colleagues, as Peter Allen sings “I still call Australia home”. I was thrilled to first meet Susan Bennett two years ago at Legal Week NY and I immediately signed up to InfoGovANZ. We reconnected this past February 2020 again at Legal Week and took a deep dive into how we could work together and channel our energies to inform, educate and share knowledge. Since then, I’ve got used to attending webinars at 10pm ET so I can meet, connect with and present to information professionals across the globe.

Principles of Explainable AI

by

AI
The US National Institute of Technology and Standards (NIST) has released a draft paper of 4 principles of explainable AI, which is one of several properties that characterise trust in AI systems. Other properties may include resiliency, reliability, bias and accountability. Usually, these terms are defined as a part or set of principles or pillars. This draft paper sets out there are 4 principles encompassing the core concepts of explainable AI as follows:

 

  • Explanation: Systems deliver accompanying evidence or reason(s) for all outputs.
  • Meaningful: Systems provide explanations that are understandable to individual users.
  • Explanation Accuracy: The explanation correctly reflects the system’s process for generating the output.
  • Knowledge Limits: The system only operates under conditions for which it was designed or when the system reaches a sufficient confidence in its output.