Submission: Go8 response to consultation on the National Data Security Action Plan

June 24, 2022

Data Security and Strategy
Department of Home Affairs

The Group of Eight (Go8) welcomes the opportunity to respond to the Department of Home Affairs’ consultation on the draft National Data Security Action Plan.

The Go8 represents Australia’s leading research-intensive universities, accounting for more than two-thirds of Australian university research activity and spending some $6.5 billion on R&D annually. 

The Go8 seeks direct and close discussions with the Department on the development of the plan, given its relevance to university operations, the broader security environment for the sector, and its potential to streamline and ‘make sense of’ the varied and many relevant regulatory instruments that universities are subject to.

Recommendations

1. That the Department hold detailed discussions with Go8 stakeholders on the development of the National Data Security Action Plan including:
   • the rationale and value of the Australian Government Protective Security Policy Framework being implemented voluntarily by universities
   • relevant international implications including for data held in other countries and regarding adoption of international standards
   • building the relevant skills and capability to support data security
2. That the plan promotes the minimisation of duplication across the regulatory and policy data security environment impacting the university sector
3. That the Department note previous potentially relevant Go8 submissions to Government consultations

Discussion

Go8 universities in a growing security landscape

The Go8 has been at the forefront of the university sector’s response to issues of national security, including cyber security risks and foreign interference, while closely involved in the development of the Foreign Relations Act, reforms to critical infrastructure regulation and Australia’s first critical technologies list.

As part of this leadership, the Go8 has been instrumental in shaping, informing and implementing the outcomes of the University Foreign Interference Taskforce (UFIT), specifically the development of the world-first Guidelines to counter foreign interference in the Australian university sector.

These developments have brought a heightened awareness of the risks to infrastructure, including data, and informed how such assets can be approached and secured in our universities. For data assets, these developments add to pre-existing regulatory oversight and security considerations, such as through state and federal legislation regarding privacy, freedom of information, telecommunications and so on, as well as specific legislation such as around health records. A new legislative instrument, the federal Data Availability and Transparency Act 2022, also impacts on the Go8 – who informed its development.

The Go8 can bring data policy expertise as well as operational security experience to the table in a targeted dialogue with the Department. We recognise that how data security is addressed and implemented is evolving, given technological advances and geopolitical shifts, and this warrants a shared, vigilant and effective approach. It is also highly likely that leading approaches in some jurisdictions and sectors or even according to category of data (such as enterprise versus research data) may be of value across sectors and of interest to the Go8.

A key priority for the Go8 is that the introduction of the National Data Security Action Plan adds benefit and capability, and simplifies and clarifies the data security landscape, rather than complicates and further burdens our universities.

Data in the Go8

As the eight research-intensive universities in Australia, the Go8 generates, holds and manages significant and complex volumes of data, including research data and data for research. The Go8 also shares its data and gains access to external data through collaboration, partnerships and publication. Collectively, the Go8 works with highly varied datasets, which range from raw data acquired from observations or research instrumentation, personal information of students, staff and research subjects, data concerning the foreign interests of staff or partners in projects, to sensitive data pertaining to or arising from defence collaborations with the Australian Government, to give a few examples.

Go8 data may be held outside the university in their principal form, for example may be stored within a national research infrastructure such as the National Computational Infrastructure or on the AARNet CloudStor service. Commercial data storage solutions such as from Google, Amazon or Microsoft may also be used by individual Go8 universities for part of their enterprise, to supplement or complement inhouse data centres and storage. It is worth noting that Go8 universities have international presence for example overseas campuses in Malaysia and Indonesia.

Go8 data policies and information classification

Within individual Go8 settings, security standards and controls are applied to the handling, management and governance of data.

All Go8 universities have relevant policies, procedures and guidelines that cover how data is treated and secured. These include:

• Data, Information or Records management policies
• Research data management policies or guides
• Privacy policies
• Cyber Security, Information Security or IT Security policies

Go8 universities also employ their own individual information classification or data classification standards, which do not align with the Australian Government security classification system of Protected, Secret and Top Secret – nor necessarily even the relevant state government security classification system. Classification systems in Go8 universities show some common classifications as shown below, though each university has its unique form.

The Go8 seeks a detailed discussion with the Department regarding the benefits of adopting and using the Australian Government Protective Security Policy Framework as a common classification system. A specific area of interest is whether such adoption may facilitate secure discussion and correspondence with Government where needed (for example in matters of national security or in key initiatives such as AUKUS that may warrant protected exchanges).

In addition to policy and guidance, skilled personnel are needed – a consideration which is only slightly touched on in the consultation paper[1]. Yet, as technological advances emerge – for example AI capability – new skills and even roles may be needed to address the heightened or unique threats to data security and to ensure consumers as well as businesses have sufficient awareness and understanding to implement protections. The Go8 seeks further consideration of how Australia can both upskill and acquire expertise to ensure effective implementation of data security provisions.

International developments

The Go8 notes a key focus for the Action Plan is how to balance international data sharing obligations with securing Australian information, while considering what international governance arrangements, such as the General Data Protection Regulation (GDPR) are relevant and may even be aligned with.

The Go8 would welcome the opportunity to further explore these issues, given the extent of our international engagements in both education and research (as noted in our submission cited below on the Foreign Relations Bill).

Yours sincerely

VICKI THOMSON

CHIEF EXECUTIVE

Previous Go8 submissions

Noting the Department’s stated intent to consider previous submissions from interested stakeholders, we highlight the following potentially relevant submissions from the Go8. These not only respond to the issue of security and the need to secure assets, but also provide a deeper view into the complexity of Go8 operations including our international partnerships.

• Department of Home Affairs 2020 Cybersecurity Strategy (https://www.homeaffairs.gov.au/reports-and-pubs/files/cyber-strategy-2020/submission-181.pdf)

• Parliamentary Joint Committee on Intelligence and Security (PJCIS) Inquiry into national security risks affecting the Australian Higher Education and Research Sector (https://go8.edu.au/go8-submission-to-the-inquiry-into-national-security-risks-affecting-the-australian-higher-education-and-research-sector)

• PJCIS Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 (https://go8.edu.au/go8-submission-to-the-pjcis-review-of-the-security-legislation-amendment-critical-infrastructure-bill-2020-and-statutory-review-of-the-security-of-critical-infrastructure-act-2018)

• Department of Home Affairs Exposure Draft Security Legislation Amendment (Critical Infrastructure Protection Bill 2022) (https://go8.edu.au/go8-response-exposure-draft-security-legislation-amendment-critical-infrastructure-protection-bill-2022)

• Senate Standing Committees on Finance and Public Administration on Data Availability and Transparency Bills (https://go8.edu.au/go8-submission-to-the-office-of-the-senate-standing-committees-on-finance-and-public-administration-on-the-data-availability-and-transparency-bills)

• Office of National Data Commissioner Exposure Draft Data Availability and Transparency Bill (https://go8.edu.au/go8-submission-to-the-office-of-the-national-data-commissioner-on-the-exposure-draft-of-the-data-availability-and-transparency-bill)

• Senate Foreign Affairs Defence and Trade Committee DFAT Foreign Relations Bill (https://go8.edu.au/go8-submission-to-the-inquiry-into-australias-foreign-relations-state-and-territory-arrangements-bill-2020-and-australias-foreign-relations-state-and-territory-arrangements-co)