The federal government is seeking to harmonise data security regulation and standards in Australia, including across all levels of government, as part of the country’s first data security action plan.
The Department of Home Affairs on Wednesday released a discussion paper calling for views on the development of the new “whole-of-economy” action plan.
The plan is expected to deliver a new approach to data security as the take-up of digital services continues, while “clos[ing] the gaps” in data settings, likely through new reforms.
“The action plan will leverage existing legislative and policy mechanisms as a means to further strengthen and coordinate Australia’s data security policy settings,” the discussion paper states.
“It will provide the Australian government with new options to cover any existing or emerging gaps based on intelligence analysis and feedback received.”
According to the paper, the data security regulatory environment has become increasingly “complex and contested” as reforms targeting specific sections of the economy have been introduced.
In the space of two years, the government has introduced new requirements for businesses through critical infrastructure laws that also potentially give it a greater role when cyber incidents occur.
Other changes include new expectations for data centre and managed services providers under the government’s hosting certification framework.
In attempting to set out a new approach to data security, the action plan has its sights set on the “harmonisation and enhancement of data security standards” across all jurisdictions of government.
“The increasing complexity of policy challenges beyond jurisdictions warrants a coordinated approach founded upon a common set of security standards,” the discussion paper states.
“At present, the Commonwealth and each state and territory government, has their own security classification system, and as such, similar data sets may be classified (and protected) differently.”
At a time when the federal government has just passed new laws to facilitate greater sharing between jurisdictions, this acts as a “barrier to exchanges of large and complex datasets”.
Privacy legislation also currently differs across Australian governments, with some states having no privacy laws at all.
“This presents inconsistent standards for protection of personal information across different levels of government,” the discussion paper states.
The action plan will also consider the “concentration of data storage” by government and the private sector in data centres.
“Over-concentration without adequate redundancy risks creating single points of vulnerability, whereby a failure or a compromise could disable entire functions or services,” the paper states.
Home affairs minister Karen Andrews said the plan would ensure citizens’ data is “stored securely, so it can’t be stolen, hacked, or held to ransom” by foreign adversaries and criminals.
“In the 21st century, data is a strategic commodity,” she said, adding the government is “committed to building a national approach to ensure data protection, wherever it is stored or accessed”.