There has been a real “sea change” in how individuals and governments understand data security and privacy this year but a major cultural shift is still required, Victoria’s privacy and data protection deputy commissioner Rachel Dixon said.
Ms Dixon is the deputy commissioner at the Office of the Victorian Information Commissioner, a new office launched a year ago, combining a number of different agencies and roles.
With the Facebook and Cambridge Analytica data harvesting scandal earlier this year, and the recent controversy surrounding the switch of My Health Record from ‘opt-in’ to an ‘opt-out’ service, there has never been more attention on data protection and digital privacy, and now is the time for regulators to capitalise on this and drive real change, Ms Dixon said.
“There’s been a real sea change in how people and governments understand privacy. There was an assumption in the last decade that data is an asset and once you’ve got it it’s just a fantastic asset,” she said.
“But the thing that has changed recently is an understanding that you got it from somewhere, from the people, and they needed to consent to giving them that data,” Ms Dixon told InnovationAus.com.
“We’ve seen with things like My Health Record that people have a more nuanced understanding of the purposes for which they’re giving their data and the terms under which they want to give it.”
Ms Dixon will be speaking at ISACA’s upcoming OceaniaCAS conference on the office’s role and the current data security landscape.
OVIC was established in September last year, combining the roles of the previous Office of the Privacy and Data Protection Commissioner and the Office of the Freedom of Information Commissioner.
Former Western Australian Information Commissioner Sven Bluemmel was appointed as Victoria’s new information commissioner, with Ms Dixon and public access deputy commissioner Joanne Kummrow reporting directly to him.
Combining these functions has helped to switch the focus from achieving “absolute security” – an “unachievable and meaningless goal” – to changing the culture within the Victorian public sector and general public, Mr Bluemmel said.
“We’re trying to change the culture in the public sector around these issues. In the past some of the practice and analysis of these issues in the public sector has been very black and white – it’s either secure or insecure, you’re in favour of privacy or in favour of transparency. But by bringing those things together in this office, we have to confront that and have a mature debate about getting away from the simplistic black and white,” Mr Bluemmel told InnovationAus.com.
“Rather than looking at how we can avoid disclosure at all costs, we want to be more nuanced. Unless there’s a good reason not to make the data available to the public, then let’s make it available.”
Ms Dixon said the new office and combined roles have helped the public sector to adopt a more comprehensive approach to data security and privacy.
“One of the keys to information security is people having an understanding of their data holdings. You need to have a good information asset register to effectively deal with FOI and you can’t protect what you don’t know,” she said.
“Information management is not the panacea, it’s the starting point. Having the integrated office enables us to do that in a stronger way.”
A major part of the information commissioner’s first year in the role has been to drive cultural change within the state government and public sector.
“These sorts of things take time to actually filter through the sector. We’re out there constantly talking to agencies and working those relationships. We’re talking to senior executives and agencies saying that they have to be careful about this. It can’t be something you delegate to security people or contractors,” he said.
While there have been improvements in this in the last year, there is still a long way to go, Ms Dixon said.
“At the moment I think the risk is that the culture isn’t aligned yet. We’re making some strides in that but there is still an over-confidence that makes people very bad at risk. They’ll bury their head in the sand and think that nothing bad will happen, but that’s not a healthy thing. That’s a big challenge – making people aware that it’s a shared risk, particularly for government,” she said.
“We sit behind that same giant firewall in government agencies. If one agency behaves badly, they share that risk with others.”
This involves being more than just a regulator that calls out companies or government once something bad happens.
“As a regulator we want to increase capacity and to assist. We’re still independent but we’re not a regulator that comes out and whacks people and then goes away again. We’re a regulator that people are encouraged to come to when there are problems,” Mr Bluemmel said.
OVIC wants to be actively involved with new services or policies while they are being developed, rather than just after they are deployed, Ms Dixon said.
“We want to make sure that agencies come and see us very early when they’ve got an initial proposal to do a thing, and we’ll help them with a privacy impact assessment on it. We don’t design these things for them, that would be improper, but we’re here to help them with an understanding of that tightrope between information sharing and privacy,” she said.
One of OVIC’s main tasks at the moment is helping the Victorian government navigate the balancing act of transparency and realising the benefits of open data with the associated privacy and security risks.
“There has been an assumption that government would just release all the data and thousands of startups would bloom on the back of that. We’ve been relatively outspoken on this issue.
“We haven’t done that to have a chilling effect on government use of data, but we support the idea that government needs to make decisions based on actual information,” Ms Dixon said.
“It’s about walking that tightrope between situations where you must share data, situations in which government will benefit from sharing data and situations in which you should absolutely not combine these data sets. It’s a balancing act and it will require a lot of ongoing discussions at a program level.”
The Facebook data revelations earlier this year helped to shine the spotlight on data security and consent practices across the public and private sector, Ms Dixon said.
“It certainly helped to get people’s attention. We use things like that to talk to agencies about consent practices – do people have an understanding of the uses you’re putting your data to?
“Facebook has taught some of the people in the sector that just because you legally have the right to collect doesn’t mean you should. We’re framing it away from a legal issue and into a practical issue, and that’s really healthy,” she said.