rpage
Contributing Writer

The security implications of the new Australian data-sharing scheme

Feature
Jul 04, 2021 | 7 mins
Data and Information Security, Data Privacy, Government

Reform to public data sharing may ease citizen services, but the proposal carries with it strong risks of data breaches and privacy violations.


Spurred on by the COVID-19 crisis, Australia looks set to have a new national scheme to reform how public sector data is shared. The goal is to have a ‘tell us once’ approach for accessing government services. “Australian people and businesses would be able to receive tailored information, advice, and services without having to waste time giving the same data to different agencies,” said Stuart Robert, minister for the National Disability Insurance Scheme and minister for Government Services, when introducing the draft bill in Parliament.

Robert pointed to the powerful lesson of COVID-19: that government data and digital services are critical to the nation. However, the government believes the country is operating in a tangled data sharing system where contradictory rules and inconsistent ways of sharing data are stifling this potential. “Data sharing will support us to develop simpler government services, saving Australians time by prefilling forms with information already provided to government,” he said.

Australia’s proposed data sharing scheme

The federal government wants this scheme to create a new path to enable data sharing between public sector agencies and departments, along with outside organisations such as universities and think tanks, which are currently blocked by existing laws. It stems from a 2017 Productivity Commission data-availability report and is intended to reform the system of data governance aiming to maximise the economic and social benefits of increased data use.

The bill is currently in Parliament; once it’s enacted, it will create the Data Availability and Transparency Act (DATA) scheme, overseen by the national data commissioner, who will be responsible for ensuring participants adhere to the safety and security requirements.

How the data-sharing scheme will work

The government has said the data-sharing scheme has three central goals:

  • improving delivery of government services
  • using the data to inform government policy and programs
  • developing insights for national research and development

Once the scheme is in place, any organisation wanting to request government data will need to apply for accreditation from the national data commissioner. There will be two types of accreditation:

  • user accreditation, which lets organisations request access to data from Australian government agencies
  • data service provider accreditation for organisations providing data services to government agencies to help them share data with users

Organisations will be able to apply for one or both types of accreditation.

Under the DATA scheme, a request to access data will need to be assessed against the data-sharing principles, which will guide decisions by federal government agencies around the benefits and risks of accepting or declining the request.

The principles are:

  • Projects: Why the data is being used.
  • People: Who is using the data.
  • Settings: Where the data is being used.
  • Data: What data is appropriate.
  • Outputs: How the results of the project will be used.

Is the Five Safes standard secure enough?

The government has said the data-sharing principles are based on the Five Safes, an international standard for managing the risks of data sharing, which is used by organisations such as the Australian Bureau of Statistics and the UK Data Service.

However, there have been concerns raised with deidentification of data and whether adhering to the Five Safes is sufficient for this type of data scheme. Ben Rubinstein, a professor and AI co-lead at the School of Computing and Information Systems at the University of Melbourne, told CSO Australia the bill’s foundations in Five Safes “is not fit for purpose for managing risk when sharing data. For example, the framework doesn’t favour rigorous privacy-enhancing technologies like cryptography or differential privacy, over deidentification,” he said. Rubinstein and some other privacy experts have shown how deidentification processes taken by multiple governments in Australia have been insufficient.

For security professionals, Rubinstein noted, the consequence is that the bill and connected advice do not give sufficient cover of best practice. “Even if a data breach occurring within the auspices of the scheme does not lead to government enforcement, it’s conceivable that civil legal or reputational damage could still occur,” he said.

Privacy protections in question

While agencies are required to have strong safeguards in place to protect data—such as privacy and secrecy legislation, secure buildings and IT systems, and strict requirements on employees who have access to data—there has been criticism of the scheme’s security parameters. Damien Manuel, director of Deakin University’s Centre for Cyber Security Research and Innovation, told CSO Australia that, while there are benefits of enhancing data sharing, as it stands the current design of the scheme undermines a key privacy principle from Europe’s General Data Protection Regulation (GDPR), principles which many countries including Australia follow.

“It doesn’t adhere to Privacy Principle 6, which relates to the use and disclosure of information. It allows data to be shared for the purpose it is collected for—delivery of government services, R&D, and government programs—but it’s so broad that data could be shared for any reason,” Manuel said.

“It needs to be clear how it upholds Principle 6, rather than undermine it. There is also no provision for opting out of the data-sharing scheme. This needs to be provided,” he added.

If a data-sharing request is accepted, the organisation wanting access will need to enter into a data-sharing agreement with the data custodian. The data custodian is the federal government agency responsible for the data, and the data commissioner has developed a data-sharing agreement template to be used as the basis of agreements, although it can be modified to fit individual circumstances.

The rules for accreditation and access have also been criticised on the grounds that they’re inconsistent. “Some Commonwealth bodies are granted automatic access, but private entities have to go through accreditation. It should be an opportunity to uplift the cybersecurity provisions of all Commonwealth agencies, and there needs to be enough resources allocated for checking and accrediting all entities,” Manuel told CSO Australia.

“It’s concerning when the auditor general’s report has highlighted that many government agencies can’t meet the Essential Eight for cybersecurity best practice and hygiene,” he said.

What about the honeypot risk?

Manuel said there’s a very real risk of a honeypot effect from this kind of scheme. “Certain information stored by government agencies will be attractive to nation-states and bad actors with the resources in the form of money, people, and time to circumvent data controls through a variety of mechanisms such as vulnerabilities in common applications that are in use,” he said.

“To limit the honeypot effect, agencies housing data need the assistance of ASD or ACSC through intelligence around threats from nation states or criminal organisations. They need the appropriate technology and business processes to manage the risks. But this bill is principle-based, so it doesn’t specify that agencies need to be compliant with the Essential Eight,” Manuel added.

Manuel acknowledged that having prescriptive security requirements such as adhering to the Essential Eight creates firmer guidelines, but they can become out of date over time. That reality favours a principles-based approach—if proactively managed. “Being principles-based provides flexibility for what may be needed over time in terms of cybersecurity, but it requires the governing body to be managing and enforcing those principles,” he said.

What CSOs will need to do

Data sharing is aimed at breaking down silos between agencies, but the reality is that bad actors are all too ready to exploit any gaps or vulnerabilities in data-flow systems. Manuel’s advice to CSOs and security chiefs responsible for protecting data is to ensure their agency or department is compliant with the Essential Eight.

If not, then it’s a case of going through the business process and assessing what needs to be implemented to bring it up to standard. And, equally important, is the human element, which is overlooked or downplayed at your peril. “Find your cyber champions who know the value and importance of the data they’re dealing with,” he said.

“Be sure that if people see a data failure, they’re not fearful of reporting it. Cybersecurity risks need to be viewed like [occupational health and safety] risks, as standard practice. People need to understand they’re the frontline defence and their organisation depends and their colleagues depend on them to help keep the defences up.”


Rosalyn Page has been writing about technology long enough to remember when the only thing to worry about was Y2K. Since then, the dot-com boom became the dot-com bubble, technology fundamentally altered our lives, and everything has become about security. With a particular interest in privacy, data, and security, Rosalyn has covered social media, AI, IoT, deepfakes, marketing tech, the cloud, enterprise tech, consumer tech, and digital transformation. Her side gig is an arts and culture blog, ‘Some Notes from a Broad’. And when not wrangling bits and bytes into words, Rosalyn enjoys low-fi hobbies like reading books, walking her Whippet Sketch, and having one too many coffees at her favourite café.
