The federal government should treat the personal data of Australians like critical infrastructure, with better protection needed to keep information secure as a consideration in foreign investment and takeovers.
Speaking at an Australia China Business Council event in Sydney on Monday, Foreign Investment Review Board chairman David Irvine went off-script and detailed his efforts at FIRB to protect personal data during foreign takeovers.
Mr Irvine, who is a former ASIO chief and the current Cyber Security Cooperative Research Centre chair, detailed his “long-running battle” to treat data like critical infrastructure and his concerns about this data being moved “willy nilly” offshore, but these remarks were not included in the official transcript of the speech published by Treasury.
In the full speech, as reported by Glenda Korporaal of The Australian, Mr Irvine said FIRB had been paying special attention to personal data lately.
“The protection of sensitive data is becoming the issue du jour, and not just sensitive national security data. The development of data-security conditions – conditions on the foreign investor to protect data – continues to be a key area of focus for us. Our policies are evolving in that sense,” Mr Irvine said.
“In recent years, FIRB has seen an increased number of foreign investment proposals seeking access to data centres and other facilities which house or have access to sensitive private data about Australians.”
FIRB makes recommendations to the Treasurer on potential foreign takeovers, and works with the Critical Infrastructure Centre, which was established in 2017 to safeguard infrastructure from sabotage, espionage and coercion.
Mr Irvine said he has been trying to get the centre to recognise the importance of data.
“I am having a long-running battle with the Critical Infrastructure Centre, which says critical infrastructure is ports, water, power, energy and telecommunications. I am saying there is another one: it is called data,” he said.
“Because technology is evolving so quickly, our policies are going to have to evolve quickly too.”
The version of the speech published on the FIRB website includes only two short paragraphs on data.
But Mr Irvine appears to have gone further in the actual speech, raising concerns that the personal data of Australians will be taken by a foreign company “willy nilly and dumped in some foreign storage unit in Hyderabad or Qatar”.
FIRB will also look to place conditions on foreign bidders to ensure data is kept secure.
The Critical Infrastructure Centre already considers “systems and data” as a key potential risk area when reviewing a potential takeover, and requires information from companies on their security policies for data security, among others.
The Coalition government last year passed legislation requiring critical infrastructure operators to reveal all outsourced IT work and giving itself the ability to force these entities to take action to reduce national security risk.
The Critical Infrastructure Bill requires 160 utilities and ports operators to provide “specific, high level information” to the government on who has access to and control of their assets, including outsourced IT providers. The Coalition was particularly interested in outsourced data holding.