Understanding best-practice security principles of data exchange
Friday Nov 04, 2016mail
In the face of increasing data breaches and hacks, more and more companies are engaging in expensive and time-consuming practices to secure and protect proprietary data access. The problem? Analysts know that data has the potential to unlock a treasure trove of insights about societal and consumer behavior. They understand that by exchanging information with other organizations, everyone can benefit – from the healthcare industry to logistics conglomerates and beyond. In short, exchanging data is becoming a critical means of applying context and insight to individual data sets.
That’s why something needs to change. Organizations need to start approaching their data security differently. Instead of hiding it behind layers of security protocol, organizations should govern data in a way that allows it to be safely exchanged between groups. It’s counter-intuitive for companies to continue raising walls around their data; this only acts to reduce the number of people who can access it, and no one benefits. Luckily, there’s a better way.
A new understanding of data
It’s easier to make the data itself safer than to continue to build more elaborate security safeguards. Those safeguards can fail – we see it every day in the breaches occurring in business and government. Instead, groups hoping to exchange information should implement methods of making the data itself less sensitive in the hands of hostile agents.
Many organizations are doing this by employing ‘private by design’ engineering principles when developing new technologies, applications and services. This sees organizations separating and securing potentially sensitive data away from data that’s more operational in nature. This means data that is operational and non-sensitive can be more freely leveraged to generate insight, while sensitive data remains protected.
This ‘private by design’ separation of personal information from operational and attribute-level data was a guiding principle in the development of Data Republic’s own technology; which doesn’t allow the personally identifiable information (PII) of customers – or individuals associated with a data contributor organization – to enter the platform or technology infrastructure. For legal, privacy and security reasons, we require that all PII is extracted and securely stored within Westpac’s Data Bank prior to data sets being uploaded to Data Republic’s Senate platform.
De-identification and tokenization
In addition to ‘private by design’ separation and encryption of differing data types, tokenization methods – whereby customer data is represented by algorithmically generated replacement information – are also being increasingly leveraged to ensure that where potentially sensitive data must be referenced for operations, the sensitive data itself isn’t accessible to hackers.
When it comes to secure data exchange, de-identification and tokenization of personally identifiable information are key to ensuring that potentially sensitive information about individuals can’t be compromised, inferred or leaked.
De-identification refers to the practice of stripping identifiable factors in data so the underlying information can be used anonymously. Some of these methods include arranging data into categories, deliberately allowing the data to be skewed so that it’s still statistically significant but ultimately anonymous, and manufacturing data to replace the original sets to preserve patterns and trends, but lacking identification.
Many healthcare app developers use HIPAA standards, which state that de-identification can be achieved through an expert review by a statistician, or by removing 18 different identifiers.
Having a compliance and governance framework within an organization can ensure that, whenever data exchange occurs, no vital information falls into the wrong hands. This is all the more relevant considering that, according to a Trend Micro report, nearly 20% of respondents said that breaches occurred due to internal errors. To be effective, businesses should implement a top-down safety and security infrastructure. This can be done by creating a policy structure for data, establishing councils to oversee how data is stored and used, and ensuring each individual in an organization lays out a business case before accessing information. Equally, these tried-and-tested methods help position data as a valuable asset. Of course, this is a major culture change – and it isn’t easy. That’s why the approach business leaders take is important. They need to ensure that the way an organization views data comes from the very top and filters through every department.
Establishing a data governance framework
As a starting point, businesses should look to the Office of the Australian Information Commissioner, which lays out a framework for how data should be handled within a business:
- Change the culture to see data as an asset.
- Appoint key roles for privacy management, including staff responsible for privacy and a chief privacy officer.
- Adopt a ‘privacy by design’ approach.
- Provide resources to a privacy plan that helps you follow privacy obligations.
- Create reporting mechanisms to create health checks around data on a regular basis.
Although implementation will vary from business to business, these are important first steps. In particular, organizations should start thinking of themselves as custodians of data rather than owners of information. This will change the way decisions are made about how data is handled.
The security of the technology being used to manage the exchange of the data shouldn’t be overlooked. Even with all of the above protocols in place, poor execution of an exchange via insecure technology like USB, physical hard drive swaps or through a file-sharing website can result in serious risks to both companies and individual consumers. Data Republic’s technology infrastructure has been designed and built ‘from the ground up’ with protection and security of data at the forefront of every activity. From the initial ingestion through to the processing and exchange of data, Data Republic provides dynamic analysis and data security controls which ensure that data is protected from unauthorised extraction. The benefits of exchanging data are huge. A McKinsey report from 2013 claims businesses could unlock as much as US$3 trillion in economic value just from sharing data. This is why businesses need to start focusing on investing in the data security protocols required to safely enable the exchange of data with external parties. Establishing best practice when it comes to sharing data doesn’t just benefit the companies exchanging data, by protecting consumer rights and maintaining trust, data exchange can continue to expand as a practice – driving productivity, innovation and ultimately benefiting us all.