A speech given by Director-General David Fricker at SIG (Security in Government) conference in Canberra on 5 September 2012.
Good morning and thank you Michael for that introduction.
It's a pleasure for me to be here once again at this important annual event, and to have the opportunity to speak to you today about the importance of information governance in our management of security.
But first let me talk briefly about the National Archives, and explain why I have a major stake in the security of Australian Government information.
The National Archives of Australia is the Australian government's archival authority. We have the foundation role as custodian of the nation's memory, and as an important accountability and integrity agency. More than ever, the National Archives is also responsible for providing access to these records. Senator Faulkner, a member of the Archives Advisory Council, on occasion succinctly summed up our role as 'the ultimate accountability agency'.
It is a sign of a healthy democracy that our government's records bear scrutiny.
The Archives Act 1983 controls the selection of records of national significance that are retained permanently as part of the National Archives' collection and we have an overarching responsibility for the care, custody and disposal of all Commonwealth Government records – and importantly providing continued access to the Australian community. Under the Act, I have the legislated authority to approve the retention, transfer or disposal of these records – as well as the assessment of records to release for public access.
The Archives Act makes it an offence to destroy a Commonwealth record without the proper authority – either under a specific clause in the Act or through a records authority issued by the Archives. Remember – in today's Government environment, records include electronic and paper files, but also a lot more.
Under the Act, the Archives has the explicit duty to 'impose record keeping obligations in respect of Commonwealth records', which is why I am concerned with security and why I am addressing you today at the Security in Government conference.
Digital records are not just the digital equivalents of documents and they are not just the records that are contained in a dedicated records management system. Records include all government information in whatever format wherever it is held – in records systems, business information systems, databases, websites, emails, and growing social media including Facebook, Twitter feeds, SMS messaging, etc.
It might be stored in digital repositories, data warehouses, data centres, or in the 'cloud'.
The Archives Act needs to be considered in any custodial arrangements for Commonwealth records, and this can be especially significant for digital records. Any consideration, for example, of storage arrangements in the cloud or other environments needs to take into account the requirements of the Archives Act.
Huge volumes of electronic data and information are now being retained in organisations.
In addition, information constantly changes. For example, digital information can be easily combined, or copied at any point in its lifetime.
Keeping digital information in digital format is a critical element of good information management today. Many of us continue to print great volumes of digital-born information to paper with consequent loss of context and increase in risks to accountability, availability and security.
One reason that too many agencies continue to rely on paper-based practices and processes is that ICT systems - in the most part - continue to have inadequate information management functionality or inadequate user interface. We at the Archives are working with software developers and vendors to influence this.
In this environment it is more important than ever that this government information is well managed so that:
Importantly, good information security has as a pre-requisite good information management.
The recent report from the Australian National Audit Office, Records management in the Australian Public Service (released in June 2012), points to the continuing problem of a lack of priority given to information and records management. In times of tight budgets and competing demands it can be tempting to postpone improvements in important infrastructure of this kind.
However, there are clear business, governance, accountability, budgetary and, of course, security reasons why that investment of resources in getting your information management right is well worth while. I recommend this report to you.
Let me now talk to a key security concern linked with our current environment of big data, interconnectivity and information sharing.
One consequence of information sharing in this environment is that it produces information 'buckets' - large collections of classified and unclassified data intended for easy access by a large community of users.
This is a practical solution to the need for more cross agency work, a more joined up response to big policy issues such as border security, cyber-crime or counter terrorism. In practical terms, for anyone to have access to even the least sensitive information they must be granted access to the whole bucket – including of course the most highly classified records.
An unintended consequence of this trend can be that the presence of unclassified information in the bucket can breed some complacency into the administration of the data itself and the processes for vetting of people permitted access. Under this scenario, aggregated data sets become more attractive targets for attack and the risk of people ripe for cultivation by criminal or hostile intelligence agents is increased.
We are also all of us, in the normal course of business, accumulating more and more data. The breadth of material collected includes meeting requests, informal communications - the 'pocket litter' of the organisation.
This leads to business inefficiencies, clogs up our information holdings and data stores, but also presents a security risk. The 'pocket litter' hangs around in email accounts, web servers and temporary data stores outside formal systems, making it more accessible and making its unauthorised access less likely to be detected.
The Mosaic effect is well known to you all, and having this material in great volume in digital form makes it a prime target for malicious use.
What may surprise you is that my advice is to reach for the delete key. Much of this informal data should be erased - and can legally be destroyed.
Whilst it is illegal to destroy many records without my permission, what many people are unaware of is that there is a provision in the Archives Act, known as 'normal administrative practice' that allows for destruction of very low level, low value records without formal authorisation.
However, before you rush back to work and run a magnet over your hard drives, I am also telling you that there are risks in applying this inappropriately and each agency needs to establish their own policy, which the Archives is happy to review, and guide their staff to ensure unauthorised destruction doesn't occur.
But what about the important stuff? The big data that is fundamental to our new strategies for deeper analysis and information sharing? How do we get on top of the security risks without losing our edge?
The answer here is information governance that takes an enterprise-wide view of all information holdings; the value of those holdings to the organisation; the ownership; its usage and rules for access and disposition.
As we have seen in the ANAO's recent report, the need for action on this is immediate and real.
We have seen the consequences of major breaches of information security overseas and the widespread and long term effects of dealing with it, while still maintaining our higher agenda of information sharing and open government.
The role of the Archives in this arena is clear. It is my job to set records management standards and impose obligations on Commonwealth agencies. And right now that means a thorough understanding of our collective obligations and a united push to reach a common standard of digital information management across the 200 or so agencies covered by the Archives Act. Whilst mainly in Canberra, these agencies are located in every state and territory in Australia.
I also need to be clear on this point: It is your job, your obligation under law to treat Commonwealth records with the highest professional respect and diligence. As the Attorney-General said at the opening of this conference, 'you are entrusted with valuable and personal data of Australian citizens and they expect you to treat their information sensitively and with the respect it deserves'.
It is not a discretion you have, the records don't belong to you or indeed to your organisation. They belong to the nation and to the future, and the future will be extremely upset with you if they're not in good order when they need them!
This is a very important point to remember. The records provide the connection between the public and government – in the future even more so – where the Archives will provide the 'digital pathway' between contemporary issues and lessons we can learn from our history. Without agencies and the Archives ensuring the existence of secure, authentic, reliable and usable records – this information will be lost to future generations.
So what am I doing to lead us through this digital transition? What strategies are you expected to adopt? And what am I doing to make it as easy as possible to adopt them? It's not lost on me that these are difficult times for many of us, as we balance our own challenging and important agendas with a period of considerable fiscal restraint.
'So what', I hear you ask, 'do you expect me to do and how much do you think I can spend on this?' And of course we're all here to deal with matters of security, so where are the benefits to the information security regimes that we must manage?
I have some good news. The way ahead is clear. I have some more good news. For many of you, your agency is already well along the way. I have a little bad news. For a few of you there is still much work to be done.
There are two policy instruments that you must all be aware of: the Digital Transition Policy and the Digital Continuity Plan.
The Digital Transition Policy is a whole-of-government policy that was released in July 2011 that aims to move agencies towards fully digital management of their information and records. The policy sets a number of requirements for agencies including reducing the backlog of existing paper records and limiting the creation of new paper records. Importantly it requires agency heads to lead in achieving cultural and practical reform.
You also need to undertake three annual assessments of your information and records management capability, using Check-up 2.0, the online questionnaire developed by the Archives. Last year, when the first assessments were required, almost 90 per cent of agencies submitted their assessment to the Archives as required by the policy. The second submission is due at the end of this month and many of you will already be well under way with this. If you're not, you need to get on with it.
The Archives has a number of obligations under the policy. I have to report every year to my Minister, the Hon Simon Crean, on the status of agencies' information and records management practices, and advise on opportunities and strategies to improve efficiency. My first report was provided in March this year and I will report again in March 2013 and March 2014. Later in 2014 the Archives' Minister needs to report to the Prime Minister on what progress has been made, and provide options for any additional strategies that may be required to achieve the goal.
The policy required the Archives to produce a Digital Continuity Plan to guide all agencies on managing digital information to ensure it remains accessible and usable for as long as needed – and this advice is on our website.
In developing the plan, we were mindful of the diversity of Australian Government agencies from less than 10 to more than 20,000 staff so the plan needed to be flexible and adaptable. It is principles-based and identifies three key outcomes. There are recommended actions in the plan, but in developing your individual action plans you need to approach it incrementally and take into account your risks, priorities and business goals.
As described by the ANAO, we need to act on this now. The ANAO made several key findings in its report that leave no room for doubt on this.
One of these is that records management requirements should be considered when selecting, developing or upgrading electronic business systems.
I need to stress that in an interconnected, information sharing environment it is not enough for just a few agencies to take this issue on. Although the Audit Office focused on just three agencies when compiling the report, the findings are relevant to all agencies and we need a whole of government effort, coordinated around a common target.
Responsibility for the management of information does not solely belong to the National Archives. Agencies need to clearly define, assign and resource responsibilities and accountabilities for information management at the officer level, right through to senior levels.
We need to work together across government to address these information management challenges, to advance real change and to provide a more efficient and effective way of conducting government business.
To that end the Archives works closely with many other agencies, including the security and intelligence community.
Information created using digital technology should be stored and managed digitally and transferred in digital formats to the Archives. To achieve this I am keen to see a more comprehensive shift across agencies to comprehensive digital information management and a targeted effort and focus.
We must keep a watchful eye to the future on this issue.
It is my view that unless we, and I mean all of us in the Commonwealth sector, have not substantially achieved this digital transition in the next three years we will be placing an unacceptable risk on the integrity of Commonwealth records and our capacity to maintain open and accountable government.
This is an important governance issue as well as being a smart business and environmental choice. Don't underestimate the benefits – more efficient and effective business processes; increased transparency of business activities, and greater accountability to government, stakeholders and the community; reduced storage costs; reduced risks to business of unusable or lost information – therefore less complaints; and importantly the ability to meet the intent of whole-of-government policies.
And don't forget that ultimately these records are held in trust for the long term use of Government and the Australian people, with the Archives the 'digital pathway' to this information. We see that more than 90% of access to records is occurring online, rather than through our reading rooms as once was the case. The Archives is implementing innovative models for online access – with interactive 'crowd-sourcing' websites to historically rich information. Destinationaustralia.gov.au is but one example – where we have uploaded some 21,000 official government immigration photos from post WWII. The public are adding their stories to the photos, helping to tell the Australian immigration story.
We cannot take this responsibility lightly. It requires sound judgement to strike a balance of information as a national resource with requirements for privacy and security. There is much to do, but no time to wait.