The Data Dilemma: What if data is more like uranium than gold?

For years, data has been espoused as the new oil, or gold - a resource of high value just waiting to be tapped into. But what if, instead, data is like uranium? A risky yet powerful resource. 

At last year's Tax Summit, ATO Second Commissioner Jeremy Hirschhorn said exactly that: "Treat data like uranium". Why? Because "before you get it, you better know how you're going to use and store it... and there needs to be very good reasons to take the risk." This is a big shift from the free-for-all approach of recent years. 

This comes as conversations around data grow and change after a slew of high-profile data breaches, like Latitude Financial, Medibank and Optus. Amidst this heightened cybersecurity landscape, Australian businesses - including DSPs - are now starting to take a closer look at how they store and manage data. This raises the question of not just securing it, but what they should keep and why.

These conversations are happening at all levels. Late last year, the Federal Government increased penalties for businesses that fail to protect customer data and further changes are anticipated in the upcoming modernisation of the Privacy Act. These could include the right to erasure (now standard in the EU due to GDPR) and the potential for individuals to sue for damages for breaches of their privacy. But there needs to be a cultural shift around as well as potential policy reforms. 

If data is treated like uranium, it means changing how it is collected, used and stored. Here's what we can learn. 

Unlike gold, few want the burden of managing uranium on their hands. That's why it's best to use as little as possible. 

The same applies for data: more data equals greater risk. Counteracting this requires a culture of data minimisation - which includes limiting the amount of information collected. Software companies collect huge swathes of data but much of this isn't necessary. For example, optional fields in online forms can collect extra details that aren't needed and even many mandatory fields aren't always relevant to their use in software, like gender or physical address. 

Add to this that surplus data may be of poor quality - businesses deal with huge amounts of 'bad data' - and it's even clearer that it's best to only collect what you need.

There are proper protections around how uranium is stored, every step of the way. Unlike Homer in the Simpsons, you'd never haphazardly leave uranium lying out; the same goes for data. 

Software providers adhere to principles and documented standards outlining how sensitive information is stored and accessed, whether government, like the ATO Operational Security Framework or Australian ISM, or industry-based certifications like ISO27001, NIST, SSAM or SOC 2. But that doesn't mean these are always adhered to. Employees often download documents and attachments, sometimes to personal devices, and many file formats (like .csv) offer no security at all as they can't be encrypted or password protected. 

Sometimes sensitive data ends up in the wrong environment, like being used in a test environment. Once data is breached, there is the risk of reputational damage no matter the more specific details of how it happened. The best solution is to stop it from happening in the first place.  

Uranium's half life is 4.5 billion years, which is a long time to become safe. It must be disposed of properly to avoid harm - as must data. 

While some businesses are obligated to store records for set periods, like the superannuation sector, the reality is that most technology companies hold on to far too much, which can make it costly and labour intensive to find data when you actually need it. Last year, prime minister Anthony Albanese even said it's 'pretty commonsense' to dispose of data which is no longer needed. Think of it as chopping up your old credit card before putting it in the bin. 

These data minimisation practices, including the right to erasure, are a step in the right direction but DSPs need to be proactive. Make sure to delete the data of former customers or trials, old document versions and backups of discontinued products. The more data you hold, the higher the risk. Uncover where you may have this toxic uranium hiding in your organisation.

Uranium should only be handled by people with proper training. You wouldn't hand it to an intern on their first day and similarly data should only be accessed, used and managed by the right people. It's important to note that using data and securing data are two distinct skills. 

This includes people both inside and out of your organisation, whether employees, partners or other parties via APIs. Human error is a major factor in data breaches, accounting for around one-third of breaches reported to the NDB scheme. Proper storage of data offers identity access controls and ensures only the right people can get into centralised platforms, helping keep human error to a minimum. 

In some cases, third-parties or the government can help limit access to sensitive data. The NSW government, in partnership with Mastercard, recently launched a digital ID pilot where individuals can verify their age without sharing personal documents, limiting how businesses access this sensitive data. This is a positive step towards DSPANZ's suggestions for improved cybersecurity in 2023. 

Nuclear power plants are highly regulated worksites and undergo regular safety tests, including by independent third parties. Consistent monitoring of data using data scanning tools gives ongoing status updates while external checks ensure you meet legislative or industry criteria, like the ATO's Operational Security Framework. 

Ensure these safety checks are carried out on a regular basis. More importantly, when something is uncovered take the steps to resolve it quickly, whether through patching, added processes or, in some cases, notifying customers or authorities. These processes need to be well established to take action when needed. 

Data is fundamental to how DSPs operate. However, applying data minimisation principles can ultimately reduce the risk of compromise and keep sensitive information safe, protecting your reputation, customers and partners. The gold rush is over; it's time to change how we see data. 

For more information on data and security, stay up to date with the latest DSPANZ news. We regularly contribute to submissions around data, including the Australian Privacy Act, and share relevant updates with our members on our website and in our monthly newsletter.