GTR Jan-Feb 2013 Sample


FEBRUARY 2013 • ISSUE 16 GOVERNMENT TECHNOLOGY REVIEW

Fifty Shades of Privacy Protect your citizens

BYOA: GATEWAY DRUG TO THE CLOUD

INSIDE

VIC POLICE’S PANOPTICON

IPV6: WHO MADE THE DEADLINE?

CONFERENCE GUIDE DIMS 2013 AND CLOUD COMPUTING FORUM 2013

PRINTING... AND BEYOND




COVER STORY: FIFTY SHADES OF PRIVACY

Government organisations have long laboured under the legal obligation to protect citizens’ privacy. But with new threats and new modes of attack continually threatening the integrity of citizen data – and new privacy laws changing the goalposts for public and private enterprises alike – protecting data from unwanted eyes is no longer a black-and-white pursuit.

SPECIAL FEATURES


REGULARS

• Editor’s letter
• News
• Opinions: Steve Hodgkinson, Ovum; Nuance; Efficiency Leaders; Candle IT; ESRI

FEATURES

Why lax privacy can kill e-government
Think privacy is just a nice-to-have? The citizens you serve think otherwise – and if you violate their trust, the consequences may be severe.

BYOA: Gateway drug to the cloud
Easy access to applications in the cloud is revolutionising worker productivity – and creating new nightmares for IT staff.

IPv6: Who made the deadline?
AGIMO’s mandate that all government bodies support IPv6 by the end of 2012 was ambitious and world-leading. Now that 2013 is here, how successful was it?

Printing in the web age… and beyond
Printing strategies have been evolving continuously for decades, but the introduction of cloud access is creating new opportunities – and new threats.

Councils warm to free Wi-Fi
The idea of providing free Wi-Fi isn’t new, but after myriad failures it’s seeing a resurgence.

NBN update
Address-quality problems affecting NBN rollout; Tasmania Police sign on for NBN; UFB shares broadband lessons

CASE STUDIES

Western Australia
WA is one of the few jurisdictions without privacy protection laws – but that doesn’t mean it doesn’t respect data privacy.

IP Australia
Australia’s peak intellectual-property agency has learned a lot since embracing telework to preserve its own viability.

INSIDE VICTORIA POLICE’S FOOTSCRAY PANOPTICON

The Panopticon – a building design in which all inmates can be watched at any time – was designed in the 1790s to improve prison policing. For Victoria Police and Maribyrnong Council, a high-tech camera network is using a similar approach to clean up a crime hotspot – with stunning results.

CONFERENCE GUIDE: DIMS 2013 AND CLOUD COMPUTING FORUM 2013

Our pullout guide will tell you everything you need to know about these two key conferences. Inside are session information, speaker bios, and an industry overview by GTR editor David Braue.

Wollongong City Council
Filtering was only the start of protecting data for Wollongong City Council, which knows staff remain the key to preserving privacy of citizen data.

Ambulance Victoria
An investment in 3G-capable laptops is empowering a major overhaul of Ambulance Victoria’s management of patient data.


Ensuring information security is tricky, thankless work on the best of days, but when you’re a government agency you’re a higher-profile target than most. Because everything government bodies do relates to managing the affairs of citizens, their IT infrastructure is a treasure trove of personal information that’s enough to make a malicious identity thief drool with anticipation. Witness recent indications from security companies that government bodies are, more than ever, in hackers’ crosshairs. As if keeping the government running wasn’t enough, your job – whether a front-of-office employee or a back-end database administrator – requires preserving the integrity of that information. This is nothing new, of course: Privacy Act provisions have long put the onus of protecting privacy onto government bodies. But with legislative changes through the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, that burden will increase from March 2014 with the consolidation of private and public-sector privacy provisions into 13 Australian Privacy Principles (APPs). These APPs tweak existing protections and introduce new requirements in areas such as trans-border information flows, of particular interest to those agencies considering cloud computing. And, these days, who isn’t? Will you be ready? Our cover feature this month looks at security and privacy, and may offer added impetus to your department’s efforts to plan for the changes. One place where privacy is being invaded on a regular basis – with stunningly good results – is the western-Melbourne suburb of Footscray, which recently installed a network of security cameras around its CBD and is seeing crime down and police effectiveness up. GTR got an exclusive tour of the Victoria Police facility, which blends some great tech with good old-fashioned police work.
Privacy APPs aren’t the only security challenge facing government departments this year; surging on the back of the peril-fraught Bring Your Own Device (BYOD) model is a new trend – or, at least, a new acronym from the people who make up such things – known as Bring Your Own App (BYOA). Like BYOD before it, BYOA threatens well-established security models by allowing users to dip into cloud-hosted repositories of mobile applications, which they’re bringing into the workplace with nary a thought for security protections. It’s a concrete example of the chaos that the cloud brings to long-established ICT models, and we look at not only the threat it poses but what some forward-looking organisations are doing to keep it in check. You will notice this issue of GTR is especially thick, thanks not only to a bumper crop of great magazine content but to the program guide for our dual conferences, the 3rd Annual Cloud Computing Forum 2013 and Digital Information Management & Security Conference 2013. If you’re attending the conferences, have a great time and keep this issue with you as a guide to the wealth of content available across both events. If you’re not attending the conferences – well, why the heck not? Either way, security, privacy, and the cloud will continue to be hot-button issues throughout the year. Drop me a line; I’d love to know how you’re addressing them.

EDITOR David Braue E: editor@govtechreview.com.au NATIONAL SALES MANAGER Yuri Mamistvalov E: yuri@commstrat.com.au Tel: 03 8534 5008 ART DIRECTOR Annette Epifanidis E: annette@commstrat.com.au Tel: 03 8534 5030 DESIGN & PRODUCTION Nicholas Thorne CONTRIBUTORS Beverley Head, Natalie Apostolou, Dr Steve Hodgkinson, Karen Raccani, Efficiency Leaders, Timothy Lee, Alicia Kouparitsas MELBOURNE OFFICE Level 8, 574 St Kilda Rd. Melbourne Vic 3004 PO Box 6137, St Kilda Rd Central 8008 Phone: 03 8534 5000 Fax: 03 9530 8911

Government Technology Review is published by CommStrat ABN 31 008 434 802

www.commstrat.com.au All material in Government Technology Review is copyright. Reproduction in whole or in part is not allowed without written permission from the Publisher.

David Braue, Editor E: editor@govtechreview.com.au

To subscribe to GTR magazine phone: 03 8534 5009, email: subs@govtechreview.com.au or go to www.govtechreview.com.au/subscribe


eCopy

Paperless productivity for organisations of every size

Using eCopy, Government organisations can integrate paper documents into their digital document management systems, via existing scanners and copiers. By integrating eCopy ShareScan with your existing multi-function device you can:
• automatically convert hardcopy originals into accurate, formatted, editable digital files - including graphics & tables.
• transform static text images into searchable documents as they are scanned.
• transport information directly into Microsoft® applications such as SharePoint®, alleviating the need to rekey, distribute or archive paper.
• integrate with HP TRIM and other records management systems, making it easy to search and retrieve scanned information.
• use secure scan-to-mail, scan-to-PC and scan-to-file functionality.
• lower document-processing costs and keep your organisation moving faster.

The best-in-class user interface in eCopy ShareScan eliminates training, ensures rapid adoption and generates a fast ROI for your organisation, so talk to one of our team today. Email: John.Broughton@nuance.com or call +61 2 9434 2382. Visit getecopy.com.au for more information.


AGIMO restructured as new government CIO, CTO appointed

Commonwealth ICT policy making will take a different tack as peak strategy organisation AGIMO is split into two different parts after a significant reorganisation of the group’s status within the Department of Finance and Deregulation (DFD). According to a blog post by current AGIMO Policy and Planning Division head Glenn Archer, on 4 February AGIMO was subsumed into a new DFD division called the Governance and Resource Management Group (GRMG), with Archer to serve as CIO of the new organisation. AGIMO’s other operations, which had previously been managed as its Agency Services Division, will be grafted onto DFD’s Procurement Division to create a new organisation, called the Technology and Procurement Division (TPD). TPD will sit within DFD’s Business, Procurement and Asset Management Group, which will be headed by Jan Mason, currently deputy secretary of the Asset Management and Parliamentary Services operations. TPD itself will be run by John Sheridan – formerly first assistant secretary with AGIMO – who will become Australian government chief technology officer and will also serve as government procurement coordinator. Sheridan’s role will include the provision of government service delivery and support spanning networks, online services, and ICT procurement. Read the full story at bit.ly/T3d2c7.

Aussie workers bypassing IT organisations for BYOD: survey

Australian organisations have prioritised the need to secure bring your own device (BYOD) mobile-device policies, but are continuing to use insufficient security measures to actually secure their devices, new research from Unisys and Forrester Research has found. Unisys’ third annual Consumerisation of IT study surveyed 2609 information workers (referred to as ‘iWorkers’) and 590 business and IT decision makers from organisations with more than 500 employees, in nine countries.

The Australian contingent comprised 307 iWorkers and 79 IT and business leaders, predominantly from large organisations. Forrester identified an iWorker subgroup it calls the ‘Mobile Elite’ – of which there were 84 in the Australian cohort – who are the most proactive adopters of mobile technology to improve their productivity, work satisfaction, and collaboration with colleagues. The Mobile Elite were two to three times more likely to use consumer-grade Web conferencing, social-networking or document-sharing tools at work than the other iWorkers. Fully 81% said they had downloaded unsupported apps or used unsupported Web sites for work purposes. And 69% of respondents said they use unsupported apps to communicate with customers, partners and suppliers. The prevalence of this practice is giving rise to a new moniker – BYOA, or Bring Your Own App – that is seen as posing a significant threat to operational security. Visit bit.ly/UihtDy for the full story.

Telstra boosts local cloud commitment with four new data centres

Working to bolster its credentials in the increasingly competitive cloud-computing market, Telstra has announced the construction of four new data centres designed to increase its appeal to government bodies, large businesses and others concerned about data sovereignty issues. Designed to improve performance and data management through provision of local hosting, the new hosting sites will be operational soon from completed premises in Western Australia, South Australia and the ACT, with a Victorian facility due to come online in 2014. They will complement existing facilities in Sydney and Melbourne.

Paul Geason, group managing director for Telstra Enterprise and Government, said in a statement that the new facilities were part of the company’s previously announced $800m cloud investment and would capitalise on Telstra’s Next G wireless and Next IP fibre backhaul networks to deliver highly-optimised performance for the company’s customers. “With many organisations moving into the cloud, the feedback has been clear,” he said. “The option to use local data centres is important either because their applications are sensitive to latency, or they require data to be hosted within their state.”


PM sets 12% telework target for government agencies

The Commonwealth government will promote the use of telework as a workplace strategy by pushing its own agencies towards a target of 12% teleworking penetration by 2020, prime minister Julia Gillard recently announced. Speaking via teleconference to the Telework Congress conference in Melbourne, Gillard said the government as a big employer “has an opportunity and a responsibility to show some leadership here…. I believe we can be demonstrating the range of options.” Arguing that teleworking is about much more than reducing workers’ commuting time, Gillard said agencies must focus on the opportunities for technologies such as teleconferencing to help increase the participation of workers who have traditionally been disenfranchised by physical work structures. Gillard also launched a report from Deloitte Access Economics and Colmar Brunton that found:
• two-thirds of people with disabilities, who are not in the labour force, would take up telework if it was available to them;
• 74% of people with family or carer responsibilities who are not in the labour force would take up telework if it was available to them;
• 60% of people nearing retirement age would take up telework if it was available to them; and
• 70% of people living in regional/remote Australia who are not in the labour force would take up telework if it was available to them.

“Teleworking has got to be an instrument of fairness,” Gillard said, “to get people into the workforce who currently can’t get into the workforce… who would want to be in the workforce if they got the opportunity but are locked out of the workforce now.”

Bill Shorten, the minister for employment and workplace relations, echoed this theme: “Telework offers the opportunity to include people that don’t always get to be included,” he said, noting that workplace participation amongst mothers is just around 55%. “It gives them the ability to make a partial re-engagement in the workforce as per where they are in their lives. It means we don’t lose over the cliff of retirement, the skills that people have to provide to the rest of us. “The other thing we have is people with disabilities,” Shorten added, “where the unemployment rate is ridiculously high. I ask why would we want to put into exile literally hundreds of thousands of people with significant impairment and say that they deserve a second-class outcome?” “When the mineral prices eventually come down, we’re going to need our people.”

BlackBerry 10 gets security clearance, US Customs trial before its release

Research In Motion’s (RIM’s) BlackBerry 10 operating system, a significantly revamped platform that forms a core element of the troubled company’s attempt at a turnaround, has been cleared for the handling of sensitive information even before its long-awaited worldwide launch. BlackBerry 10 has received FIPS 140-2 certification – a cryptographic certification standard established and maintained by the US-based National Institute of Standards and Technology (NIST) – that certifies its suitability for the handling of secure information to many government requirements. The BlackBerry platform incorporates 256-bit AES encryption and has a long history of acceptance at government levels, although this is becoming a challenge for IT administrators as users and departments progressively abandon BlackBerry devices in favour of modern devices like Apple’s iPhone 5 and Samsung’s Galaxy S III.

RIM’s BlackBerry Enterprise Solution has been recognised with Common Criteria Certification and was the first to receive approval through the CESG Assisted Product Scheme. The platform was also certified as being the least expensive to run when configured to UK government-level IL2 security standards. In another lifeline for the platform, RIM also announced that the US government’s Immigration and Customs Enforcement (ICE) organisation will conduct a formal trial of RIM’s upcoming BlackBerry 10 operating systems and management environment. Like many government organisations, ICE and its more than 20,000 employees have been long-term users of BlackBerry smartphones and accompanying server software, which have long enjoyed government status thanks to their robust security certifications.

Yet in an era where RIM has been bleeding market share to rivals Apple and Samsung – particularly as bring-your-own-device (BYOD) strategies catch hold – many government organisations have been turning away from the platform. Indeed, in October ICE announced that RIM “can no longer meet the mobile technology needs of the agency” and that, after eight years as a BlackBerry user, it would spend $US2.1m to replace more than 17,000 BlackBerry phones with Apple iPhones. That the organisation has subsequently even agreed to a BlackBerry 10 pilot, therefore, is a sign that RIM’s new platform may still have some prospects. Read the full stories at bit.ly/UyWozc and bit.ly/TRBhZt.


Cloud sovereignty boost as Amazon Web Services targets Oz

Cloud-computing giant Amazon Web Services (AWS) has launched a major play into the emerging Australian cloud-computing market after a year of hush-hush investment in Sydney data-centre capacity. AWS had long been rumoured to be considering an Australian data centre to assuage widespread concerns about data sovereignty, which has remained a bugbear for cloud-computing providers seeking to woo risk-averse government organisations. AWS had previously serviced Australian clients from its Singapore data centre. AWS isn’t the only firm targeting Australian customers with local investments designed to boost the credibility of their services: IBM, for one, recently launched its full-featured SmartCloud Enterprise (SCE+) infrastructure, while AWS rival Rackspace played the sovereignty card with its move into the Australian market earlier this year. And hosting provider Bulletproof recently pushed into the AWS market, with a managed service designed to improve the management of AWS-hosted platforms.

In the longer term, AWS worldwide vice president for the public sector Teresa Carlson says trends like the need to manage big data, and a desire to modernise core applications, will push government bodies much further onto the cloud. “In meeting with Australian government customers I’m hearing that they want to be able to start creating sandbox environments, and get their engineers and partners to really understand the workloads they could use AWS for,” she told GTR. “The great thing about this model is that you can just get going. It’s not difficult to try it out and begin to design, develop, and deploy solutions on it.” With sovereignty issues resolved, Carlson expects that government bodies will progressively deploy larger and larger applications because the cloud environment lets them be developed iteratively, as opposed to the monolithic development processes of the past. “In government you’re often seeing the failure of big applications,” she said, “where they’ve spent millions of dollars developing a system that they couldn’t then take into production because it wasn’t set up in an environment where they could test it out before going into production.”

The availability of an Australian server will also benefit local customers because it will significantly slash the latency of access to hosted platforms. Australian government bodies “really like” AWS Direct Connect, the company service that allows large enterprises to run a fibre or other connection directly into the AWS data centre – bypassing conventional routing delays and delivering an instant application experience that’s managed as a conventional virtual LAN. Read the full story at bit.ly/WThPgE.

Australians ahead of West on BYOD but lag developing world

Australian organisations are more likely than their peers in the Western world to support bring your own device (BYOD) policies, but are being outpaced by organisations in fast-growth developing countries, according to recent figures from research group Ovum. Working for solutions provider company Logicalis Australia, Ovum surveyed 3796 users in 17 countries as to their BYOD practices and found that 79% of respondents in emerging markets (such as Brazil, Russia, India, the UAE and Malaysia) were working with BYOD policies while just 54% of employees were working under BYOD policies in countries like Japan, Australia, France, Germany, the UK and US. Australia was ahead of the game, with 61% reporting that they had been actively encouraged to BYOD by their employer, and just 10% saying they had been actively discouraged from the practice. Spain was also flagged as being progressive amongst developed countries, with 63% of employees pursuing BYOD policies.

Exploding adoption of BYOD within organisations has already been linked, in a separate survey, to a growing habit of bypassing IT organisations’ security controls. The Ovum-Logicalis research confirmed this, with 29% of Australian survey respondents saying their IT department doesn’t know about BYOD popularity or simply ignores it.

“Even when they do encourage it, many companies simply don’t have the controls or policies in place to manage the business impact and risk,” Ian Ross, strategic solutions director with Logicalis Australia, said in a statement. “The implications of losing sensitive data via a personally owned device can be dire. Every business must understand the behaviour of its own employees and have a strategy and measures in place to minimise the risk and maximise the opportunity.”


Expansion planned after Ballarat’s IBM tech-skills investment pays off

A technology training hothouse and live service-delivery centre in the regional Victorian city of Ballarat has proven so successful for IBM and the University of Ballarat that Ballarat City Council is expecting even bigger returns after recently pledging support for a significant expansion of the venture. The Ballarat Technology Park (BTP) was established in 1994 as a site for a data centre to support IBM Australia’s domestic operations. In 2000 it began following IBM’s incursion into the exploding business process outsourcing (BPO) market, and in the intervening years the site has become a hotbed of development and support initiatives – with over 1000 employees providing 24x7 technology and customer support for 30 different IBM corporate customers. IBM’s Global Business Services, Global Process Services, Global Technology Services, and Global Administration divisions are all represented within the Ballarat Technology Park, which now covers 25,000 square metres across nine buildings.

Co-locating the site with the University of Ballarat’s campus has helped the facility become a natural channel for technology and business students, who can gain on-the-job skills supporting blue-chip IBM clients including Qantas, Jetstar, Fiserv, the Australian Bureau of Statistics (ABS), and others. IBM, for its part, gets extra skilled staff to better manage peaks and troughs in support demand. The BTP also includes an Internet Commerce Security Lab whose employees work on issues around identity management and security in the financial sector. “We see ourselves as the service delivery hub of western Victoria,” Jeff Pulford, executive director for destination and economy with the City of Ballarat, told GTR. “An issue that regional centres have is how you go about providing career paths that are going to be meaningful – and for us, IBM is a central part of the story.” Read the full story at bit.ly/SjLL3i.

Business Process Automation is not rocket science but it will propel your business forward! Efficiency Leaders can help - the sky’s the limit!
• Accounts Payable Automation
• Mailroom Automation
• Data Entry Automation
• Workflow Solutions
• Business Process Management
• SharePoint Solutions
• Scan to Archive
• Government Accredited

www.efficiencyleaders.com/case-study

AUS 1800 233 334 NZ 0800 834 111 www.efficiencyleaders.com


PRIVACY

Fifty Shades of Privacy

The global thirst for information is seemingly unquenchable. According to the Digital Universe study released by IDC in December, 2.8 zettabytes – 2.8 billion terabytes – of information was generated and stored in 2012.

Story by BEVERLEY HEAD


Governments, like private enterprise, are attempting to drink from this fat fire-hose of data: to get a more granular understanding of the populace; to develop policy and services which match what the data suggests is required; and to provide portals so that citizens can themselves access the data and self-serve. However, most hoses leak eventually – either because they are deliberately punctured or because someone fails to look after them properly. Without proper protection, data privacy is a likely casualty of ballooning government data stores.

Alister Dias, country manager for EMC (which commissioned the Digital Universe survey) said that the study revealed that only half the information that needs protection – to guard privacy, security and IP – is properly protected. Signs suggest that this situation will deteriorate given “challenges such as advanced threats, the security skills gap and lack of adherence to security best practices”, according to the report.

Security and privacy, while two sides of the same coin, require independent consideration. Implementing world-class perimeter security in the form of cutting-edge firewalls, mobile device management systems and virtual private networks will not guarantee privacy if employees bring their own mobile devices, thumb drives and mobile broadband dongles, then access and disseminate information unchecked. Privacy can only be guaranteed by holistic programmes melding technology, process and education.

The government’s burden

Most states have explicit privacy legislation, with the exceptions of South Australia and Western Australia. Federal government, meanwhile, is on the brink of major changes to the privacy landscape with new laws passed late last year. These come into force in March 2014 and require the public and private sectors to adhere to 13 Australian privacy principles (see sidebar, overleaf). These principles will require agencies to have specific privacy policies outlining collection practices and what data reserves they hold. They also afford new powers to the Australian Privacy Commissioner, Timothy Pilgrim, allowing him to require agencies to conduct privacy impact assessments and to use new enforcement measures to force organisations to lift their privacy game. Pilgrim said that it was important public and private sector organisations developed a “privacy by design” mentality rather than attempting to bolt on privacy policy as an afterthought.

Peter Lilley, Australasian region director for security specialist Detica, says as more government services have moved online the challenge to secure and protect the privacy of data has become significantly greater. However, he claimed privacy was now commonly considered during the requirements phase, rather than as an afterthought.

According to Pilgrim, the public sector has a reasonable privacy track record: more than 60 per cent of the complaints he receives relate to problems in the private sector. However, Pilgrim believes the new powers and principles are timely as “we are starting to see more serious breaches in the private sector and larger breaches”, which could also percolate to the public sector. Pilgrim says that privacy should be afforded particular attention by the public sector since citizens are mandated to provide personal data to organisations such as the Tax Office and Centrelink: “That places a very important onus on agencies to ensure that the information is protected.”

This is also the case for the recently introduced personally controlled electronic health record (PCEHR), which will hold particularly sensitive data. The Department of Health and Ageing, which has overarching responsibility for the regime, has implemented a multi-layered approach embracing both technical and process controls to secure data and protect privacy. To access data users need to be authenticated; any access is audited; proactive monitoring detects any suspicious or inappropriate activity; system security testing is ongoing; education programmes are mandated for users; and any data breaches must be reported, with consumers notified of any privacy breaches.

“The design of the PCEHR system, and the legal framework provided by the legislation, enables security and privacy breaches to be detected and prosecuted,” a Department spokesperson explained.

Focus on data security

It’s impossible to divorce security from privacy but former privacy commissioner Malcolm Crompton, now managing director of Information Integrity Solutions, warns against conflating the two. He argues that security refers to the protection of data under an agency’s control: ensuring data is not leaked, stolen or accessed by hackers, and that staff are not able to take thumb drives with them “when they are fired, as some sort of collateral – all of which has happened.” Privacy, by contrast, “is about an organisation’s conscious exercise of that control.”

While there are tools and technologies to support protection of privacy – for example, software that can perform a check when people drag and drop data into an email – Crompton says it’s important staff are not only educated about rules and policies governing data use and access, but also understand the underlying reasons for why things are done in a particular way. “If staff know why we are doing things then it’s better than giving them five shelf metres of instructions,” he says.

John Vine Hall, security solutions director at Oracle, says that at the federal level in particular, agencies are taking privacy and security very seriously. However, he acknowledges most organisations have focussed on technologies to support network and perimeter security, rather than on data security as such. Vine Hall argues that this needed review as agencies moved more processing to the cloud and were also exposed to security breaches through SQL injection, where poorly designed web forms could be exploited to access and corrupt databases. “This is virtually impossible to detect unless you have tools to analyse SQL traffic as it goes through the network,” he says. Data encryption, he adds, is also useful to ensure that even if systems are accessed, privacy is not placed at risk.

Andrew Wilson, CEO of Senetas, an Australian vendor that makes encryption appliances developed to military and government standards and used by nine government departments around Australia, describes encryption as the “last line of defence”. He says it is critical given the increased mobility of users and their devices combined with a rising appetite for cloud computing.

Detica’s Peter Lilley meanwhile says technology and processes are required not only to protect information, but to also contain any attack, investigate incidents, and conduct post mortems to inform future policies. Lilley acknowledges that the Federal government is leading the way, followed by states and local governments, which were often challenged in terms of access to resources.

Fifty shades of privacy

Whatever the skills and resources constraints they face, government bodies have no option but to comply with the web of regulations regarding data access and use. Lemm Ex, Queensland’s privacy commissioner, explains that while there are some universal qualities shared by global privacy principles, there are some unique differences that also need to be considered: “We have Section 33 of the Queensland Information Privacy Act, which deals with information going overseas.” That obliges government departments to ensure that any information sent overseas (even for cloud processing) should be protected as well as it would be protected in Australia.

Ex claims, however, that the advent of cloud computing has not made as great an impact as the internet itself. “Once information is up on a web page there is no control over access,” he said. “It’s very, very difficult to secure privacy on a web page, and also on social networks, blogs or tweets – so you have to worry about the content per se.”

Ex believes government has yet to get to grips with how “big data will change everything”. However, when it comes to privacy, he believes the fundamentals remain the same. “If you deal responsibly with one piece of paper you should be able to deal responsibly with a digital database,” he explains. “What we have to grapple with is incorporating new technologies in work-practices.”

Ex is currently deliberating a BYOD policy that will provide “guidance to agencies on how to use these devices responsibly.” Overall, though, he maintains that “in terms of privacy, the principles are the same: only authorised persons should be able to access private information – and only for legitimate purposes.”


UPDATED PRIVACY LAWS FOR 2014

A six-year process of privacy-law reform culminated in the December 2012 passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (bit.ly/113xgtw). When it takes effect on 12 March 2014, the new legislation will update the privacy framework in which government agencies and private businesses operate.

The reforms harmonise privacy protection for both public and private sectors under an umbrella set of regulations known as the Australian Privacy Principles (APPs). The APPs will replace current public-sector Information Privacy Principles (IPPs) and private-sector National Privacy Principles (NPPs).

There will be 13 APPs in total, and not all are the same as existing IPPs and NPPs; APP 7, for example, manages the use and disclosure of personal information for direct marketing and APP 8 manages the cross-border disclosure of personal information. This last principle requires Australian entities to ensure – before transferring information about an individual out of Australia – that the recipient will also comply with the APPs. A number of exceptions are provided, but it will be up to government bodies to determine which apply to their particular information-sharing architectures.

The reform will also expand the powers of the Privacy Commissioner and overhaul credit-reporting laws to introduce more comprehensive credit reporting on individuals’ payment histories. The Office of the Australian Information Commissioner (OAIC) will be advertising the changes to government agencies, businesses and the public throughout 2013. – David Braue




WHY LAX PRIVACY CAN KILL E-GOVERNMENT

For government organisations, privacy has long been a legal obligation. For private firms, it has more recently become a must-have. No matter where you’re coming from, citizens expect nothing less – but technology is only part of the solution.

That’s the consensus after a recent Unisys Security Index, conducted by the Australian arm of security and IT integrator Unisys, found that 85 per cent of the 1205 consumers surveyed said they would stop dealing with an organisation if it suffered a privacy breach. Fully 64% said they would publicly expose the issue, 47% would take legal action, and 24% said they would stop dealing with that organisation online.

And while cutting ties over a privacy breach may be wishful thinking given the monolithic nature of government, the last figure makes one thing very clear: if governments can’t guarantee the privacy of citizen information online, citizens will no longer deal with them online. “The key message from this is that it’s not just a matter for compliance,” says John Kendall, security program director for Unisys Asia Pacific. “There are indications that if there is a breach, the government will actually suffer, with data breaches in other countries causing a significant backlash against online services. A major breach that becomes public can undermine trust significantly.”

[Chart: Australian security concern levels, June 2006 - May 2012. Series: Unisys Security Index, National, Financial, Internet, Personal. Caption: Australians may be less concerned about personal and Internet security overall than they were in 2007, but expectations of privacy are real and ongoing. Source: Unisys Security Index.]

New mobile technologies have created a clear and present danger in terms of the protection of citizen information, Kendall adds, noting the threat from emerging bring-your-own-application (BYOA) practices: 42% of respondents said they had installed unauthorised apps on their work machines. Fully 63% of those respondents explained they had done so because they needed an app and work hadn’t provided an alternative.

Such figures confirm the extent of the onus on government bodies to build privacy policies that go well beyond the letter of long-standing Privacy Act provisions. “Data privacy guidelines are adequate,” Kendall explains, “but the challenge is how you actually achieve what they’re asking.”

“Traditionally, organisations have restricted access to data by simply restricting access to the network. But the reality today is that you need to treat your internal network as a hostile environment, and protect it so that even if someone can access it, they can’t do anything with it.”

Canberra-based Kendall has dealt with a broad range of government agencies, many of which have moved to address these issues by implementing encryption of data at rest and in motion. Unisys’ Stealth encryption technology offers a framework for role-based encryption of critical data. Kendall advocates the use of attribute-based access control to encrypted and on-network data, by which users can be given different access rights depending not only on their profile but on what device they’re using to access the network. For example, an employee accessing sensitive government information after hours, from home, should raise alarm flags. “Access control is going to have to be more sophisticated, particularly with mobile devices,” he says. “If a person is logging in from McCafé from their iPad, you might not want to put all your information with them.”

Indeed, no matter how many technological protections are put in place, the ultimate effectiveness of privacy protections will depend on employees’ everyday usage patterns and personal reliability. “Any time I’m still depending on trusting the individual to do what’s right, there is always a certain level of vulnerability there,” Kendall explains.

There are signs the situation is getting better: other Unisys surveys have found that Australians have held approximately the same level of concern about the unauthorised access to their personal information for the past three years, and that fewer Australians are ‘extremely concerned’ than they were five years ago. But there is still a high degree of concern: Unisys figures suggest that one in three Australian workers is unaware of their organisation’s security policy, while 6% admit to ignoring or working around those policies.

These are worrying figures – and a call to action for government organisations keen to enrich their services with the benefits of e-government. For more than half of surveyed Australians, the unauthorised access or misuse of their personal information joined credit-card fraud as by far the most serious concern of people surveyed. Governments must keep this in mind – and keep their obligations to preserve privacy at front of mind if they are going to be able to bring citizens along on their online journey. – David Braue

[Chart: Level of personal security concern over time, May 2007 - May 2012: unauthorised access to/misuse of personal information, by response (Not concerned, Somewhat concerned, Very concerned, Extremely concerned). 54% of Australians, or an estimated 9.4 million people, are very or extremely concerned about unauthorised access to or misuse of their personal information. Caption: Fewer Australians are ‘extremely concerned’ about misuse of their personal information now than they were in 2007, but 82 per cent of respondents still express concerns. Source: Unisys.]

KEEPING PERSONAL DATA WHERE IT BELONGS

The Attorney General’s Document Verification Service (DVS) provides controlled access to a wealth of official data, but it has been structured with security and privacy at its heart. According to a spokesperson for the department, the service efficiently confirms details on identity documents such as passports and drivers’ licences while protecting personal data. More than a million identity checks have already been run through the scheme.

“By the time we hit two million, we expect to see the DVS helping the financial and telecommunications sectors verify the identity of their customers. This will have benefits for citizens in terms of speed of service and enhancing privacy, as well as for law enforcement and national security.

“The DVS is a non-disclosure system,” the spokesperson adds. “It does not provide any information to a user that they do not already hold. Neither does it allow users access to any databases, store personal information or act as a database itself.”

The system routes a user’s queries to the relevant document issuing authority which then performs a match itself – for example, a passport query is processed and matched by the Australian Passports Office, a Victorian birth certificate query is processed and matched by the Victoria Registry of Births, Deaths and Marriages (BDM). The results of these matching processes are then returned by the document issuing authorities to the DVS Hub, which forwards these back to the user confirming or denying the match. No free text search is available.

The DVS operates to policies and procedures that are informed by the Privacy Act 1988 and align with the Information Security Manual (ISM) to ensure that the DVS meets the requirements of the Protective Security Policy Framework (PSPF). Operated by the Department of Human Services, the system has been built to Commonwealth ICT standards and subject to annual security checks.

As part of the 2012-2013 Budget, the government announced it would extend the service to private-sector organisations to allow them to conduct real-time checks to ensure the accuracy of identifying documents. This capability came into effect in December and is available to businesses with client identification obligations under Commonwealth legislation. – Beverley Head
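The hub-and-issuer flow described in this sidebar can be sketched as follows. This is an added illustration, not code from the DVS or the department; the class names, field names, response labels and the sample record are all assumptions made for the example.

```python
from dataclasses import dataclass

def normalise(value) -> str:
    """Case- and whitespace-insensitive form used for exact comparison."""
    return " ".join(str(value).upper().split())

@dataclass(frozen=True)
class IssuingAuthority:
    """Holds the records; the only party that ever reads them (hypothetical model)."""
    name: str
    required: tuple       # fields a requester must supply, in record order
    records: frozenset    # constructed sample data, tuples in `required` order

    def matches(self, fields: dict) -> bool:
        # Whole-record equality: the verdict does not say which field differed.
        return tuple(normalise(fields[f]) for f in self.required) in self.records

class Hub:
    """Routes a query to one issuer and relays its verdict; stores no personal data."""
    def __init__(self, routes: dict):
        self.routes = routes

    def verify(self, doc_type: str, fields: dict) -> str:
        issuer = self.routes.get(doc_type)
        if issuer is None:
            return "ERROR"
        # No free-text or partial search: every required field, nothing else,
        # and no empty values that would turn a check into a lookup.
        complete = set(fields) == set(issuer.required)
        if not complete or not all(normalise(v) for v in fields.values()):
            return "ERROR"
        return "MATCH" if issuer.matches(fields) else "NO_MATCH"

# Constructed sample record, not real data.
PASSPORTS = IssuingAuthority(
    name="passport office (constructed)",
    required=("number", "family_name", "date_of_birth"),
    records=frozenset({("N1234567", "CITIZEN", "1980-01-31")}),
)
HUB = Hub({"passport": PASSPORTS})

if __name__ == "__main__":
    claim = {"number": "n1234567", "family_name": "Citizen",
             "date_of_birth": "1980-01-31"}
    print(HUB.verify("passport", claim))
    print(HUB.verify("passport", {**claim, "date_of_birth": "1980-02-01"}))
    print(HUB.verify("passport", {"number": "N1234567"}))
```

A requester learns only whether the details it already holds match; a wrong date of birth and a non-existent document number produce the same answer.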
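The attribute-based access control that John Kendall describes in the main article, where the decision depends on the user's profile, device, location and time of access, can be sketched like this. It is an added example, not Unisys code; the roles, ceilings, business hours and alert rule are assumed policy values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assumed policy tables: the highest data sensitivity (1 = public, 3 = sensitive)
# each attribute value may reach. Unknown values get 0, i.e. deny by default.
ROLE_CEILING = {"caseworker": 3, "contractor": 2}
DEVICE_CEILING = {"managed": 3, "personal": 2}
NETWORK_CEILING = {"office": 3, "home": 2, "public": 1}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

@dataclass(frozen=True)
class AccessRequest:
    role: str
    device: str
    network: str
    at: time
    sensitivity: int

def decide(req: AccessRequest) -> tuple:
    """Return (allowed, alert). The most restrictive attribute wins."""
    ceiling = min(
        ROLE_CEILING.get(req.role, 0),
        DEVICE_CEILING.get(req.device, 0),
        NETWORK_CEILING.get(req.network, 0),
    )
    allowed = 1 <= req.sensitivity <= ceiling
    after_hours = not (BUSINESS_HOURS[0] <= req.at <= BUSINESS_HOURS[1])
    # Flag any attempt at sensitive data made off-site or after hours, whether
    # or not it was allowed, so that denied attempts are visible too.
    alert = req.sensitivity == 3 and (after_hours or req.network != "office")
    return allowed, alert

if __name__ == "__main__":
    samples = [  # constructed requests
        AccessRequest("caseworker", "managed", "office", time(10, 0), 3),
        AccessRequest("caseworker", "managed", "home", time(22, 0), 3),
        AccessRequest("caseworker", "personal", "public", time(12, 30), 2),
    ]
    for s in samples:
        print(s, decide(s))
```

The same caseworker gets a different answer at the office desk, at home late at night, and on a personal tablet on public Wi-Fi, which is the distinction a network-perimeter rule cannot make.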
