Protecting Data and Mitigating Risk with Comprehensive Data
Enhancing Governance Models and Frameworks for a Proactive Approach to Data Privacy
Director, Information Management, Analytics & Strategic Governance
Office of the Australian Information Commissioner
At the recent Public Sector Data Governance and Privacy event, we heard from Michelle Veljanovska, Director, Information Management, Analytics & Strategic Governance, Office of the Australian Information Commissioner as she dived into how to prioritise improving data literacy and building a data-driven department. In this article she explores:
- Strategies for building data-literate environments and teams
- Discussing the importance of upholding responsibilities and preserving rights in digital government
- Top tips, best practice and lessons learned from data governance transformations
Privacy is nothing to be feared
Large public sector organisations the world over generate, and are responsible for, lots of data. In fact, it is because of data that many of these organisations have the ability to do what they were created for. But protecting that data is not always the priority it should be. Nonetheless, Michelle Veljanovska, the Director of Information Management, Analytics & Strategic Governance at the Office of the Australian Information Commissioner, says that there has been a “kind of shift” recently, and now, “privacy and data are actually one and the same in government circles. We can’t necessarily do one without the other.” This shift has produced “models and frameworks to help guide us,” but privacy needs to be embedded into the thinking of the public sector, and “there are proactive approaches that we can take.”
The first thing to consider is that “privacy isn’t (or shouldn’t be) a thing to be feared. Rather, it should be leveraged to build better trust and confidence for our interaction with government services.” To achieve this, it may be necessary to think of privacy as a journey. Usually only the essential parts of the journey are taken into account, but maybe it is time to think about the “horizonal things that we are trying to achieve.” For instance, guidelines might only be reviewed annually or even less frequently, but data and therefore privacy changes all the time, so agility and flexibility should be part of the aspirational requirements of the privacy journey. To do that, “we need to keep ourselves up-to-date with best practice.” The key is to see privacy as part of a “holistic framework and not the boring stuff that we need to get out of the way.” For most people that starts with “getting the basics right.”
Ultimately, having and collecting data is a means to an end, usually towards “informed decision-making.” From a privacy perspective, this means “aligning actions to frameworks” so that privacy is part of the structure of the way data is collected and handled. Knowing the guidelines, knowing the basics and how privacy is used, being agile and knowing how to plan, are good indicators for “having an approach that can be sustained over time.” Privacy should never be seen as just “compliance auditing.” To ensure this is the case, the people who work with data should “look at the way they manage and handle their own information,” by embedding privacy “concepts, criteria and principles” into their daily lives.
”Doing privacy well is what I call the bottom up approach: Aligning the actions of today into the frameworks of yesterday so that we can move into a model for tomorrow.
What this really means is ensuring that “privacy is not a constraint and is not seen through a negative lens.” Privacy should instead be seen as just another part of the regular “tools of operation” and part of the “data and privacy ecosystem.” One of the key components towards that goal is “identifying potential risks, and assessing, advising, acting, and then thinking about them in terms of a system-wide impact.” The only way privacy can truly be embedded into the ecosystem of everything that happens in an organisation is “by building confidence in our colleagues, and by having knowledge about the knowledge we manage.” There are many models and frameworks to achieve this, but one of the main ones includes “having constant conversations.”
In many public sector institutions there are two sets of data: the data that is collected or generated, and the data that comes from all other information that circulates around an organisation. Sometimes people question why they are asked to hand over certain information and how it will be protected, but are fine with handing over other information in a different context. The purpose of getting privacy right is to ensure that “all data is protected in the same way,” and that no one is ever hesitant to hand over their personal information again because they know it will be “well protected and looked after.”
A change in mind-set
This is especially important because as the “consumption and creation of information and data grows,” these questions will become even more critical. It is known that data is being used for “building better insights and informing better decisions,” but if it comes in different formats and from different sources, can it still be trusted? The only way it can be is if “we in the public sector see ourselves as partners in privacy with the public and with our organisation. The minute we touch information in any role, our responsibly is to ensure that we act in ways that reflect our practices and are within distinct parameters.” This means that every piece of information (data) needs to be traceable, accountable and transparent. “We need to work in such a way where we can prevent reactive mistakes or lose the confidence of the community.”
Essentially this is about a change in mind-set. When it comes to who owns personal information, “is it about ownership, or is it actually about government relationships?” Either way, “it is definitely about optimising our role in government and our relationship with our citizens.” This can be achieved by government employees seeing themselves not as owners of data, but as “guardians of information for the period of our term. It’s not about owning or even being custodians of data. We have a responsibility to guard people’s personal information and any other information that we create.”
At the end of the day, everyone needs to have “a more positive understanding of privacy, rather than it being the thing that happens after the data is generated.” Being “proactive” and working in partnership with everyone is one way of getting to that point, as is ensuring that all employees understand the significance of privacy so that there is “constant development and continuous improvement.”
”As data professionals, we are guardians of data, and before we do any kind of analytics, we need to regulate ourselves and then to explain to the public what we are doing and how we are doing it. That way we enter into a proper relationship between agencies and citizens.