The federal government on Wednesday launched a discussion paper calling for views on Australia’s first national data security action plan as it seeks to develop better guidance and clearer expectations for other governments and industry after passing significant data sharing and critical infrastructure cyber security laws.
Despite a looming election, Home Affairs minister Karen Andrews said she was committed to delivering an inaugural National Data Security Action Plan, which will create a “whole-of-economy approach to data security” and complement existing federal cyber policies and recent critical infrastructure legislation.
“In the 21st century, data is a strategic commodity. The Morrison Government is committed to ensuring that the data of Australians is stored securely, so it can’t be stolen, hacked, or held to ransom,” Ms Andrews said in a statement.
“As increasing volumes of data continue to flow between all levels of government, industry and across the community – the Morrison Government is committed is building a national approach to ensure data protection, wherever it is stored or accessed.”
The 28-page discussion paper briefly explores concepts of data security, the value of data, growing threats and the government’s various policies. It asks 14 questions of stakeholders.
These range from best practice and what government guidance is missing to how data security policy and legislation, could be streamlined and whether Australia needs an explicit approach to data localisation. It also floats the idea of “enhanced accountability mechanisms for government agencies and industry” after data breaches.
Home Affairs received $1.8 million in last year’s budget to develop the action plan.
The potential national data security plan would build on feedback received during consultations on the critical infrastructure laws and the government’s 2020 cybersecurity strategy to “develop clear and consistent data security expectations”.
The controversial new critical infrastructure laws were passed last week and establish new security expectations for owners and allow the government to install software on operators’ systems to share data with government spy agencies.
Stakeholders had warned during consultations that expectations and requirements of industry were unclear, with the government saying it would develop specific sector rules after the legislation passed. Similar issues around awareness, varying maturity levels and expectations were raised during the development of the government’s 2020 Cyber Security Strategy.
The new National Data Security Action Plan will offer a “new approach” for the Australian Government, according to the discussion paper.
“It is an opportunity to develop a clear articulation of the settings and requirements for governments, businesses and individuals while ensuring consistency and driving uplift through new and complementary measures,” the paper said.
“The Action Plan will leverage existing legislative and policy mechanisms as a means to further strengthen and coordinate Australia’s data security policy settings. It will provide the Australian Government with new options to cover any existing or emerging gaps based on intelligence analysis and feedback received in response to this discussion paper, as well as previous consultations on associated measures.”
The federal government has recently passed legislation allowing much more sharing of public sector data and holds regular meetings with state and territory digital and data ministers, where federated data sharing is being developed.
