SAN FRANCISCO — As one of the largest collectors of personal data, government is in the unique position to both use and lose valuable constituent information. An expert panel took up the issue at the 2016 RSA Conference on the morning of Wednesday, March 2, discussing the risks and necessary next steps in this space.
Because of the ever-changing nature of data collection, data use and privacy concerns, J.R. Reagan, global chief information security officer with Deloitte, said there is simply no easy way to flip-flop between acceptable and unacceptable data uses when presented with the aggregate nature of huge amounts of digital information.
“At the moment, it’s sort of crude,” Reagan said. “We’re left with de-identification stuff, that’s nice if you want to make sure that no one can be identified, however, then we strip out maybe attributes that would be extremely useful for other purposes. It’s just a very crude construct that, at the moment, we don’t have the digital sophistication yet to start doing this at a very small, atomic attribute level.”
And ultimately, until all parties are on the same page when it comes to the ails of data in the digital age, Lee Tien, senior staff attorney with the Electronic Frontier Foundation, said that progress around the issues will remain.
“I don’t see any solution anytime soon other than for all sides to appreciate that there are real issues and problems,” he said. “There are a lot of folks who don’t want to acknowledge that there is a privacy issue in the first place.”
Here's a look at four primary issues of data in the digital age.
One issue facing many public organizations is the fact that much of the data being collected is not properly accounted for, said Wyoming CIO Flint Waters.
“In talking with CIOs around the nation, we have a history of agencies that have siloed data collection and we truly do not know all that is gathered by them,” he said. “In many cases, we’re finding government entities, through some legislative or reporting or audit mandate, have gathered additional data sets from other entities and now they have workforce and transportation and education data sitting at the Department of Health. So we’re trying to go through and inventory all that.”
This flow of information from one agency to the next adds to the confusion around who has what, where it is being kept and why, Waters said.
Another point was the lack of guidelines for data retention. According to Tien, as storage capacity grew within government, more agencies moved to hold onto constituent data — especially in the cases of law enforcement agencies.
“This is a radically underdeveloped area because historically they didn’t have any rules about retention and as long as the state IT capacity was not all that great, they didn’t need to think about it that much,” Tien said. “What we are seeing, around the state of California at least, is a very strong desire to keep as much of the data they collect as possible. And it’s not because they are required to keep it, it’s that they think it might be useful.”
The reasoning behind the retention often falls to a “just in case” mentality, he added, or the desire to mine for other valuable information.
Despite what may be seen by some as harmless collection and mining, Tien said information taken from smart utility meters poses a substantial privacy concern due to the ease of re-identifying who the data belongs to as it moves through its lifecycle.
A major concern in the data space is the fact that many in the IT world are not privacy minded and lack the ability to evaluate risks to personal privacy, he said.
Though the conversation around data privacy and protection often falls to the negative ramifications, Deloitte's Reagan said there is also a significant amount of positive benefit that can come with data. He points to studying data sets for cancer indicators as one example.
“It is a tension. We were trying to apply yesterday’s, in some ways, physical privacy constructs to a digital world that keeps moving faster,” he said, “[and we] assume that we can resolve those two in the same way when I think that we need to actually have different constructs to manage the data.”
One potential solution Reagan discussed was the deployment of technologies like blockchain to “self-identify” data, remove the “middle man” (i.e. people) and limit the inappropriate uses of potentially sensitive information.
“I think we just need to move away from these blanket policies around privacy and give a much more atomic or a much more discrete attributes and rules so it can be used for purposes which we would like and, which we would get permission for, but also protect it at the same time for those things we don’t get permission for,” Reagan said.
Waters also noted that another challenge facing government in the data collection and security realm is that leveraging relationships with corporate partners is often a necessity when faced with staffing and retention problems.
“I think it's a struggle for states to tackle because across the board, we struggle in recruiting. We struggle in IT having a voice in terms of funding to be able to bring in and train, certify and work with some of the best folks in that realm,” Waters said. “They tend to get pulled out of our sector very quickly. The best and brightest go on. So, it is a huge challenge.”
The CIO said the resources of corporate partners have helped to fill experience gaps and update legacy systems.
“We’re pushing really hard to leverage our corporate partners because there is no reason to think the state is where we are going to do that the very best,” he said. “We’ve been pushing to try to get it out of the legacy state data center and get out of the business we don’t do well.”
For smaller public agencies, Waters said the inclination to try to handle IT undertakings in-house has led to problems and pointed to three police departments that had been hacked as one such example.