Governments tread a fine line between providing better public services and protecting citizen data. The debate surrounding Covid-19 contact tracing tools have resurfaced that.
But these may not be opposing issues – ensuring data privacy is essential for delivering public services. Agencies and officials need to be assured that the data they have can be used safely, and not have to be held back by constant privacy tests before using any dataset.
Anand Ramamoorthy, Director, APJ Head of Data Governance and Data Security at software and data firm Informatica shares how data privacy tools have enabled organisations to improve their services, and the fundamental steps to ensuring data privacy.
Data privacy in action
Effective data privacy allows organisations to do more with their data. Here are two companies that have used data privacy tools to serve their customers better.
Data breaches spell more trouble for healthcare than most other industries – each compromised patient record cost US$408 on average, according to the HIPAA Journal. Independence Health Group, a US insurance firm, turned to Informatica to protect the 8.3 million customers it insures.
It uses Informatica Dynamic Data Masking to anonymise names, birthdays, social security numbers and other sensitive data in real time. Each new bit of data added is immediately masked. The tool also blocks access to unmasked data, lowering the risk of exposing sensitive customer information.
This allowed the firm to build applications using real data. Developers, whether in-house or external, could create new services based on actual customer needs, without being able to identify individuals from the data they are given.
Israeli telecommunications company Hot also found Informatica’s data masking helpful. It wanted to make use of customer data to create new services and targeted bundles for their customers. Hot offers TV and internet services to around 1.3 million households in the country.
Traditional encryption methods require staff to decrypt the data for every use, and encrypt it again after. This would make the whole database difficult to use. Informatica’s dynamic data masking ensures data is only given on a need-to-know basis, so Hot can continue finding new ways to serve their customers.
How to ensure data privacy
More than 60 per cent of security breaches happen within the firewall, not because employees are corrupt, but because they don’t understand how they can use their data, says Anand. With this lack of visibility and understanding, they think that they’re using it for the right purpose. And in the process, the data might be landing in the wrong hands, he explains.
Organisations need a proper framework to manage and protect their data. The first “non-negotiable” step is data discovery, he says. Agencies need to be clear about what types of citizen data they’re holding across various systems.
They can then classify their data by labelling them as first names or last names, for instance. “Lack of visibility to what data you’re holding is the biggest problem,” he adds.
The next crucial step is to decide which of these datasets need to be protected. “It’s a question of what kind of risk am I ready to take for certain sensitive data to be out in the open,” he says.
This framework is important for data subject access requests as well. This is when citizens write in to the government to ask what kinds of data they have on them. Even though there is no clear mandate in the local privacy acts, it is in the best interest of organisations to be able to deliver data subject access requests for improved citizen confidence and transparency, he notes.
“Typically, organisations are challenged. They go in and manually investigate, and they come back a month later with potentially 50 per cent of what they are holding about you,” says Anand. Having proper visibility into the data would allow governments to produce the reports with just “a click of a button”.
Knowing where each type of data is stored is also important for notifying affected people when breaches happen. Many data protection laws require organisations to disclose the types of data and affected subjects or citizens that have been compromised within days.
How AI and automation help
Informatica uses AI and automation to make data protection easier. For instance, some sensitive information might be hidden away in free text fields. Agencies wouldn’t know to protect it unless they scan through all the data.
AI can look through these data to tag personally identifiable information. Over time, as the algorithm learns what the agency’s data looks like, the tagging will become more accurate.
Informatica can also help to automatically detect anomalous interactions with data. Officials can look at what type of data employees access as well as their activity log. 62 per cent of insider threats are related to negligent employees or contractors, according to the Ponemon Institute 2020 Cost of Insider Threats Global Report.
If an employee looks at the data outside of business hours, or downloads large amounts of information right before they leave the organisation, Informatica’s tool would be able to pick it up and trigger an anomaly, Anand shares.
“Our world is getting more complex by the day. So unless and until we have visibility into what we have right now, it becomes even harder for us to get a hold of it,” says Anand. Understanding data is the first step for organisations to improve public services, while ensuring citizen’s data are protected.