Large government bodies are tempering the ability of cloud services to deliver customer-service objectives with requirements to comply with privacy legislation and minimise security risk, two high-level executives of government bodies in different countries have shared.
Speaking in a panel session at the recent Fujitsu World Tour 2015 conference in Melbourne, Australia Post CIO Andrew Walduck said the current emphasis on improving customer service had created tension between the need for more customer information, and customers' desire to limit the amount of personal information circulating at large.
“We're on a journey of increasing the volume of known customers and the points in time that we have customers wanting to share information with us,” he explained. “We're getting into an environment where consumers are starting to understand about the personal information they have, what's being shared and what they need to do with that.”
“We want to understand enough about customers that, at a point in the interaction, we can provide them with something they may not have thought of buying from us. We're using those particular transactions at our touch points to improve the experience and to remove the friction of that transaction.”
Yet building such intimate customer knowledge required amassing large quantities of data – and this had, Citizenship and Immigration Canada (CIC) director general Stephanie Kirkland shared, created its own problems in terms of limiting the scope of operational data to ensure it maximised the security of citizens' information.
CIC had, for example, recently worked with Fujitsu to implement a $180m system that uses full-palm and fingerprint scanners to collect biometric information from travelers.
Since the agency was authorised to begin collecting biometric information in 2009, the system had proved to be indispensable in identifying applicants that had given false information on their visa applications or had otherwise attempted to hide their identities when entering the country.
More recently, a major project had seen ICI step up its collection and use of biometric data, which it began sharing with authorities in the neighbouring United States just weeks ago – and had already picked up 46,000 hits on people who had “bad biographical information from us,” Kirkland said.
Yet while such data collection had proven to be invaluable for CIC's particular business processes, it had also presented new challenges around personal data protection: sharing data with other countries' border-control authorities, for example, had necessitated often-complex compliance with privacy laws.Read more: Fujitsu brings internal security expertise to Australian market in cloud, managed security services push
To ensure compliance with a raft of different legislation, CIC had to design its back-end systems with privacy protocols “that transmit-delete-transmit-delete,” Kirkland explained. “It was a challenge with different countries because those countries felt that the data we collected in their country was their data – and that created a lot of issues for us from an immigration perspective.”
“We had to almost negotiate with every government, and in some instances the only way we could transmit the data out of that country through our visas office because of some of those concerns.”
Despite the clear benefits of digitising its processes and incorporating new biometrics technology, the complexity of those data-curation issues made Kirkland “a little itchy” when it came to considering the movement of that information into cloud-based services, “where we don't yet understand or appreciate what kinds of protocols you can put in place to protect it.”
Government bodies in Australia, as elsewhere, have been pushing hard towards the use of cloud services and the new Digital Transformation Office (DTO) has given Commonwealth authorities until September to plan out the security architecture they will implement to support this push. The government also announced in its recent 2015 Budget that it would spend $33.3m towards a cross-government identity-management framework
Australia Post's Walduck acknowledged the complexities that such controls placed on organisations that are seeking to make better and more sophisticated use of customer information – but said it was key to be “really pragmatic” about the process.
“Data sovereignty is a very parochial issue for many different industries,” he explained. “You find the whole notion that 'the most secure platform could only be in my country', but you have every single country saying the same thing; this feels fundamentally flawed as an assumption.”
The key to reconciling concerns over data management with the objectives of better customer service lay in building management and monitoring capabilities into any extension of the organisation's analysis capabilities, he continued.
The real question is to assess “how strong is your internal competency to be able to assess how secure something is, what is your risk appetite, and what is the posture you are wanting to take on in the organisation,” Walduck said.
“We have done a lot of work on our internal security capability, as well as evolving it to think about it as a strategic advantage for our organisation rather than a back-of-house operation capability.”
“We have drawn the line on things that can be shared more broadly and things that can't. [Security] enables our cloud position and is fundamental to our future rhythm.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.