Australia Post, Canadian immigration walk a fine line between data-driven customer service and security, privacy

Australia Post's Walduck on left, Canada Immigration and Customs' Kirkland on right.

Australia Post's Walduck on left, Canada Immigration and Customs' Kirkland on right.

Large government bodies are tempering the ability of cloud services to deliver customer-service objectives with requirements to comply with privacy legislation and minimise security risk, two high-level executives of government bodies in different countries have shared.

Speaking in a panel session at the recent Fujitsu World Tour 2015 conference in Melbourne, Australia Post CIO Andrew Walduck said the current emphasis on improving customer service had created tension between the need for more customer information, and customers' desire to limit the amount of personal information circulating at large.

“We're on a journey of increasing the volume of known customers and the points in time that we have customers wanting to share information with us,” he explained. “We're getting into an environment where consumers are starting to understand about the personal information they have, what's being shared and what they need to do with that.”

“We want to understand enough about customers that, at a point in the interaction, we can provide them with something they may not have thought of buying from us. We're using those particular transactions at our touch points to improve the experience and to remove the friction of that transaction.”

Yet building such intimate customer knowledge required amassing large quantities of data – and this had, Citizenship and Immigration Canada (CIC) director general Stephanie Kirkland shared, created its own problems in terms of limiting the scope of operational data to ensure it maximised the security of citizens' information.

CIC had, for example, recently worked with Fujitsu to implement a $180m system that uses full-palm and fingerprint scanners to collect biometric information from travelers.

Since the agency was authorised to begin collecting biometric information in 2009, the system had proved to be indispensable in identifying applicants that had given false information on their visa applications or had otherwise attempted to hide their identities when entering the country.

More recently, a major project had seen ICI step up its collection and use of biometric data, which it began sharing with authorities in the neighbouring United States just weeks ago – and had already picked up 46,000 hits on people who had “bad biographical information from us,” Kirkland said.

Yet while such data collection had proven to be invaluable for CIC's particular business processes, it had also presented new challenges around personal data protection: sharing data with other countries' border-control authorities, for example, had necessitated often-complex compliance with privacy laws.

Read more: Fujitsu brings internal security expertise to Australian market in cloud, managed security services push

To ensure compliance with a raft of different legislation, CIC had to design its back-end systems with privacy protocols “that transmit-delete-transmit-delete,” Kirkland explained. “It was a challenge with different countries because those countries felt that the data we collected in their country was their data – and that created a lot of issues for us from an immigration perspective.”

“We had to almost negotiate with every government, and in some instances the only way we could transmit the data out of that country through our visas office because of some of those concerns.”

Despite the clear benefits of digitising its processes and incorporating new biometrics technology, the complexity of those data-curation issues made Kirkland “a little itchy” when it came to considering the movement of that information into cloud-based services, “where we don't yet understand or appreciate what kinds of protocols you can put in place to protect it.”

Government bodies in Australia, as elsewhere, have been pushing hard towards the use of cloud services and the new Digital Transformation Office (DTO) has given Commonwealth authorities until September to plan out the security architecture they will implement to support this push. The government also announced in its recent 2015 Budget that it would spend $33.3m towards a cross-government identity-management framework

Australia Post's Walduck acknowledged the complexities that such controls placed on organisations that are seeking to make better and more sophisticated use of customer information – but said it was key to be “really pragmatic” about the process.

“Data sovereignty is a very parochial issue for many different industries,” he explained. “You find the whole notion that 'the most secure platform could only be in my country', but you have every single country saying the same thing; this feels fundamentally flawed as an assumption.”

The key to reconciling concerns over data management with the objectives of better customer service lay in building management and monitoring capabilities into any extension of the organisation's analysis capabilities, he continued.

The real question is to assess “how strong is your internal competency to be able to assess how secure something is, what is your risk appetite, and what is the posture you are wanting to take on in the organisation,” Walduck said.

“We have done a lot of work on our internal security capability, as well as evolving it to think about it as a strategic advantage for our organisation rather than a back-of-house operation capability.”

“We have drawn the line on things that can be shared more broadly and things that can't. [Security] enables our cloud position and is fundamental to our future rhythm.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Feeling social? Follow us on Twitter and LinkedIn Now!

Join the CSO newsletter!

Error: Please check your email address.

Tags Fujitsu World Tour 2015Citizenship and Immigration Canada (CIC)Andrew Walduckaustralia postsecurity riskcloud servicesbiometric dataCSO Australia

More about Australia PostCSOEnex TestLabTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts