Webinars      Login/Register      Cart

InfoGovANZ

Information Governance Think Tank

Data & Infonomics

Exposure Draft of the Data Availability and Transparency Bill

by

 

The draft Data Availability and Transparency Bill aims to modernise and streamline the sharing of government data between agencies and with the private and research sectors. Under the legislation, data will be shared for three purposes: government services delivery, informing government policy and programs, and research and development.  The Consultation Paper contains a simplified summary of the legislative package.

Submissions made by a group of multidisciplinary practitioners and academics highlight privacy and governance concerns.  These include the override of Australia Privacy Principle (APP) 6 and the inherent conflict of National Data Commissioner whose mandate is to encourage data sharing with the enforcement of the regulation.  The submission recommends that governance and assurance be regulated the Australian Information and Privacy Commissioner.  You can read the submission here.

Automated Decision Making Transparency under GIPA Act

by

The increasing adoption of technology requires the preservation, assurance and assertion of information access rights. To achieve these outcomes, government licensing and contractual arrangements should ensure accessibility and ‘explainability’ in the provision of government services and decision making.

The issue of algorithmic transparency of a government agency’s contractor is currently before the NSW Civil and Administrative Tribunal. The Agency provided some information to the Applicant but decided that other information is not held by the Agency as it is held by the Contractor and remains its intellectual property. The GIPA Act provides a right to access information held in a record of an NSW Government agency and that right may also apply to information held by contractors providing services to the public.

The NSW IPC has published guidance for agencies under section 121 of the GIPA Act, including a template clause for agencies to include in contracts with third parties regarding the right of access to contractor records.  You can access the Guides in the IPC’s case summary on Automated Decision Making and access to information under the GIPA Act here.

Protecting Privacy by Minimizing Data

by

Posted with permission from Active Navigation, originally published on June 1.

Ten years ago, there was no such thing as too much data. Notions about data being the “new oil” prompted organizations to horde every byte they could, hoping that they might be able to harness it down the road. Combined with the notion that “storage is cheap,” this belief has led many companies to exponentially increased their risk rather than their opportunity.

New data privacy regulations in Europe and the United States impose a significant burden of care on organizations regarding their data collection processes. In fact, data minimization is a fundamental principle within the European Union’s General Data Protection Regulation (GDPR). Whether governed by the GDPR or state privacy regulations like the California Consumer Privacy Act (CCPA), businesses must now limit the personal data they collect and dispose of it once it is no longer needed for a legitimate business purpose.

New obligations require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach. As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.” The focus now is on mitigating risk by adopting a strategy of data minimization.

ROTT(en) Data

Because regulations do not specify precisely what data should be erased, determining where to start with data minimization can be difficult. For most organizations, mapping their data estate is the most pragmatic way to begin.

Data governance experts frequently use the acronym ROT (redundant, obsolete, trivial) to describe data that provides no business value to an organization. Some experts expand that acronym to ROTT, adding “transitory” as another area of data vulnerability or duplication.

Using the ROTT acronym as a guide, the search for data that can be easily disposed of should be organized along the following lines:

Redundant: People tend to grossly underestimate how much of their data is redundant. Redundant information is duplicated in multiple places, either in a single system or across multiple systems. At any given time, up to 30% of an organization’s storage might be duplicate data. That is a huge amount of information that can be removed and will also make searching for information easier.

Obsolete: The value of information decreases precipitously over time, while its risk-to-value increases. Information can become obsolete if it is incomplete, outdated or incorrect. Using obsolete information can lead to poor decision-making, further posing risk to the business. An easy way to quickly assess obsolescence is by checking the creation or last accessed date.

Trivial: A surprisingly large amount of the information circulating around an organization’s systems does not have a legitimate business purpose. Documents detailing who is bringing what to the office potluck and back-and-forth conversations about meeting schedules do not provide value and should be deleted as soon as practical.

Transitory: Data in motion—information moving around a private or corporate network—should have a classification of its own for data minimization. Transitory data is not exactly duplicate data, but often includes data that is secured elsewhere. This type of data has sometimes fallen into the wrong hands, revealing sensitive information that was subsequently misused. It needs to be culled to minimize the risk it poses by remaining accessible and ungoverned.

Using Data Mapping to Improve Data Hygiene

Few organizations understand the totality of their data, and even fewer have a single, focused data protection or governance officer. Instead, there is a broad constituency in the C-suite overseeing data collection and usage for their separate domains. The CISO obsesses about leaks, hacks and phishing attacks. The CIO focuses on ensuring the business can monetize its data. The CTO looks at data through the lens of storage. And the legal team—some of the most vocal champions of data minimization—sees data as a legal and regulatory threat.

Even though only one is usually the designated custodian for information governance, each executive also has a different perspective on data hygiene. While each officer will naturally champion their own area’s needs, the one thing that will bring these widely differing interests together is understanding all the data the organization owns and the risks it poses. Data mapping is therefore key to minimization.

To start, it is essential to locate all data that an organization retains and expose the hidden areas of “dark data.” Gartner defines this as “assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes,” such as analytics, business relationships and direct monetization. This is the only way to measure the depth of an organization’s exposure, assess the location and magnitude of the data, and identify what needs remediation and what is overdue for erasure. To do so, a company can use a range of technology to:

· Gain a cross-repository inventory of all content to identify the real data of value in your business

· Add pre-defined rules for handling a wide range of e-trash, stale, outdated and transitory (ROTT) content

· Adapt rules to make them actionable in your environment

· Test minimization policies across large volumes of files to understand their impact

First and foremost, shed light into all potential data repositories. For example, even if one department has decided to use a specific data storage solution like Dropbox, there is a good chance that different departments might be using others, like SharePoint or Box. All must be examined.

Once the data mapping is complete, organizations must digest and process the extent of their data chaos. Internally, this includes discussions on budget, responsibilities, authority, timing, people and processes. Organizations need to understand the various business drivers, stakeholders and risk areas in data privacy, such as audits, litigation, GDPR and CCPA regulations, and data migrations to the cloud. With this step complete, organizations can then decide what to fix and what type of tools or support they will need to remediate the issues.

Whatever the company needs to do, bear in mind that it cannot be done overnight. No one wants to get bogged down in a multi-year, multimillion-dollar initiative. After the initial sense of urgency, efforts can sometimes stall as a result of thinking too big. Instead, break down a project into modular, bite-sized chunks.

Throughout the journey, start to build in minimization concepts during the earliest phases of a data accumulation program. Acquire data progressively, and only when genuinely needed. The less information collected, the less to store and manage. This is the way to achieve good data hygiene, and a path to ongoing data minimization.

Is Your Data Estate an Unstructured Mess? How a Spring-Cleaning Project Can Reduce Your Organization’s Risk

by

Posted with permission from Active Navigation, originally published on June 10.

In this special guest feature, Dean Gonsowski, Chief Revenue Officer at Active Navigation, InfoGovANZ's Foundation Sponsor, focuses on what steps a company needs to follow to review, understand and clean-up their data to eliminate security risks. As a former litigator/GC/AGC, Dean has a proven track record of accelerating the rapid development of high growth, venture backed software companies (such as Relativity/kCura, Clearwell/Veritas, Recommind/Opentext).  He is a seasoned professional with the ability to build/manage teams, run P&Ls in executive leadership roles including Sales, Strategy, Business Development, Marketing and Professional Services. Dean has a JD from the University of San Diego School of Law and a BS from the University of California, Santa Barbara.   

The volume and variety of data created in the past decade doesn’t show signs of slowing down – nor does the pace of hacking attempts. Unstructured data, also known as dark data, is increasing at a rate of 62% per year, according to IDG. By 2022, IDG predicts that 93% of all data will be unstructured. 

Unstructured data – information that does not fit easily into structured systems like databases – is inherently more risky data because it’s easily accessible and often ungoverned. Unstructured data also poses a threat to organizations because it can be difficult to know where it resides within an enterprise network, making it a treasure trove for hackers. 

Often organizations have little, if any visibility, into their unstructured data estate, meaning they may be hoarding data that has little value or poses a risk. Storing and protecting such data raises compliance with laws such as the California Consumer Privacy Act (CCPA) and New York Cyber Regulations. 

When was the last time you looked at your data estate? If the answer is, I don’t know or Never, it might be time for a good Spring Cleaning. 

For companies struggling with where to start, there are fortunately some basic foundational paths that are well established. Achieving visibility into your dark data should be your first goal on the way to cleaning up your proverbial “data closet.” 

Understanding Your Data Estate 

A recent study conducted by Relativity and the Coalition of Technology Resources for Lawyers (CTRL) found that more than 60% of respondents didn’t fully understand their data universe and its potential to contain risky, sensitive or personal data. This means that more than half of a company’s data is likely to be “dark” – rendering it both risky and unavailable for effective use by the larger organization. 

Data mapping helps you understand the types of personal data your company manages, how it’s collected, what it’s used for and where it’s stored. Knowing where your data is located across all your content repositories is a constant challenge, but you can’t protect what you don’t know you have. Data mapping is a key component of operationalizing and maintaining a rigorous, fully compliant data governance program, and in turn, can reduce IT and legal costs. Without a data map or inventory as your bedrock, it’s near impossible to build an effective security or risk management strategy.    

Classify Unstructured Data 

In the era of “Big Data,” many organizations want to hoard information to use for future value extraction. However, this practice is not only a privacy blind spot, but also increases the risk of Personally Identifiable Information (PII) and Highly Confidential Information (HCI) being accessed in a breach. The longer you hold data, the more risk increases while value decreases – a lose/lose situation. 

Once you have mapped your enterprise network, you then need to know what kinds of information you hold. According to Gartner, unstructured data can make up as much as 80% of the data footprint of an organization, while 33% of stale data stores have not been touched in three years or more. Many companies are unaware of what sensitive information resides outside of typical security protocols. CISOs need to think beyond the perimeter as threats continue to evolve. 

By classifying your unstructured data, you can identify data that holds no business value and will be on the journey to effective risk remediation. Given the sheer volume of unstructured data (often in the petabyte range), this data classification process cannot be achieved manually. File analysis software can be deployed to automate data discovery by using a combination of rulesets and thematics to identify and classify data.   

Data Minimization Through Actionable Insights 

Once you fully understand your data profile, the “spring cleaning” can really get started. The insights you have gleaned from mapping and classifying your data needs to be actionable in order to discriminate between “trash” and “treasure.” To truly be actionable, it’s critical to convey data in a way that is easy for decision-makers to consume with visualizations, graphs and intuitive dashboards. 

With visibility into your data, you can identify and act on risky data, remediate Redundant, Obsolete and Trivial (ROT) data and highlight areas which require additional protection. Minimizing your data reduces the effort (and cost) required to safeguard personal information or respond to data security incidents. 

With the onslaught of data breaches, and privacy regulations now imposing fines on a per record breached basis, it’s more important than ever to delete or quarantine data that isn’t providing value to your organization.   

Unlocking Dark Data’s Value 

“The best time to plant a tree was 20 years ago. The second-best time is now.” The same can be said about content-clean up — the best time to start is now. 

Every day, organizations are using structured data to make themselves more competitive. Many don’t realize how much their business could improve by leveraging their unstructured data too. By cleaning up ROT data, companies can reveal trends and patterns and differentiate themselves in the market. 

When starting your spring-cleaning project remember: 

  1. It remains important to take a holistic (global, enterprise-wide) view toward your data governance. 
  2. Reach out to all necessary stakeholders. This project requires buy-in from several departments, not just IT. 
  3. Start with data mapping. It will be your guide throughout this project. 
  4. Determine what business outcomes you want to achieve, for example deleting or securing data, and then act accordingly. 
  5. Start now. Don’t wait for an unsavory trigger like a data breach or audit. 

Effective data governance and regulatory compliance is virtually impossible without a clear understanding of what data you’re storing and its risk profile. Clean out your data estate before an event, like a data breach, forces your hand. 

 

COVID19 – Data and Privacy

by

COVID-19 has brought to the forefront the importance of real-time accurate data for scientists to analyze and model and for government leaders to make decisions on. InfoGovANZ has complied a series of COVID-19 curated articles and resources, updated monthly.

June 2020

OVIC has released new guidance on how the exemptions in the Freedom of Information Act should be applied.  OVIC has updated the FOI and COVID19 FAQs for agencies – read them here – to include questions about the new COVID-19 regulations including: what to do if your agency is completely shut down; and how to verify an applicant’s identity.

Australian Information and Privacy Commissioner (OAIC) has updated it’s FOI FAQ with the latest COVID-19 relevant questions including how to make an FOI complaint during the COVID-19 outbreak.

May 2020

Australian and New Zealand Information Access Commissioners join with their international counterparts in their clear call for documentation, preservation and access to information as governments, businesses and citizens deal with the COVID-19 pandemic.

The COVID-19 Omnibus (Emergency Measures) (Integrity Entities) Regulations 2020 were made on 19 May. OVIC has included an FAQ in its FOI business continuity and coronavirus (COVID-19) FAQs on what this means for agencies.

Australian Information and Privacy Commissioner (OAIC) has updated its latest guidance on COVID-19 and privacy/freedom of information. and in conjunction with the Australian Competition and Consumer Commission (ACCC) have released the Compliance and Enforcement Policy for the Consumer Data Right developed following consultation with current and future data holders and recipients.

Information Privacy Commission (IPC) NSW have updated their guide to protecting your privacy in NSW  plus their COVID-19 guidelines. They have also published the results of the latest  survey of NSW community attitudes towards privacy.

April 2020

The Office of the Victorian Information Commissioner (OVIC) has released a statement calling for the Transparency and access to information in the context of a global pandemic along with other coronavirus related resources.

Australian Information and Privacy Commissioner (OAIC) has released further tips for good privacy practice in organisations.

NZ Privacy Commission has released information regarding COVID-19 and privacy.

Global Privacy Assembly, a global forum for data regulators and privacy authorities has collated a list of data protection resources from around the world.

March 2020

The Australian Information and Privacy Commissioner (OAIC)  has released a Privacy and Freedom of Information Guides clarifying employer privacy obligations to staff.

The Information Privacy Commission (IPC) NSW has released a Privacy and Freedom of Information Guides including special arrangements that apply during the pandemic.

 

COVID19 – EU, US & International Resources

by

Below is a collection of useful privacy and data protection resources from the EU, US and globally.

Data Protection Authorities guidance on COVID-19 published by Data Protection Authorities (DPAs) collated by International Association of Privacy Professionals. These provide information and frequently asked questions on data processing and COVID-19 across a range of countries.

Resources page on crucial privacy and data protection law issues arising from COVID-19 covering the EU & globally by Law, Science, Technology & Society of the Vrije Universiteit Brussel. The Initiative is of direct interest for LSTS researchers, most notably in the context of the Brussels Privacy Hub (BPH) work on data protection in humanitarian action as well as the work of ALTEP-DP project.

US Privacy and Data Protection Resources related to COVID-19, together with other international resources has been compiled by the Future of Privacy Forum.