Department of Administrative Services: Data Protection Strategy Report

Verified

Added on  2022/10/02

|17
|4103
|27
Report
AI Summary
This report outlines a comprehensive data protection and privacy strategy for the Department of Administrative Services (DAS), an Australian government agency. The report addresses the challenges of migrating to a shared services model and a 'Cloud First' policy, focusing on a SaaS-based HR and personnel management system. It proposes a privacy strategy with a vision to safeguard personal and governmental data, emphasizing transparency, accountability, and security. The report details the mission, values, goals, and scope of the policy, including data management, access control, and disaster recovery. It recommends controls to mitigate privacy risks, such as access management, staff training, and data encryption. Additionally, the report presents a personal data protection strategy focusing on data security at all stages, from transit to storage. It also covers access management, breach response, and performance measurement, ensuring the protection of sensitive information within the cloud environment.
Document Page
Running head: Data Protection 1
Privacy and Data Strategy:
A Department of Administrative Services’ (DAS) Report.
Student’s Name
Institution’s Name
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Data Protection 2
Privacy and Data Strategy:
A Department of Administrative Services’ (DAS) Report.
Introduction
The Department of Administrative Services is an Australian government agency that
provides services such as payroll, HR and personnel management, contractor management and
contract tendering management among others to other government departments. Changes in
government policies have made the department adopt a shared services delivery model. The
implication of this migration is that the some services will have to be centralized and that each
agency running thee services for its users will have to migrate into the platform too, from where
the amalgamated services will be provided to all other governmental agencies. The ‘Cloud First’
government policy requires that DAS to first acquire a cloud-based application first before
making any further updates. For this reason, the department has contracted a US based company
to provide a SaaS-based HR and personnel management system that will facilitate all the
necessary updates.
Such a migration often comes with risks, thus calling for a security control plan,
management and policy while migrating and using the shared services. Managing these services
could increasingly become complicated, data security levels can escalates, and vendor lock-in
can be prevented (Paquette, Paul, & Susan, 2010). This report purposes to provide a security
control approach of the migration, and the ultimate IT service management. The first section
presents a Privacy strategy proposal; the second one presents recommendations for the
implementation of the strategy and mitigation of previously identified privacy risks; the third
Document Page
Data Protection 3
section gives a personal data protection strategy; and the last one recommends on how to
mitigate data security risks.
Privacy Strategy Proposal
Vision
The Department of Administrative Services functions as an Australian government
agency through which all other departments are serviced. Migration into cloud and shared
service model implies that the department becomes a leader in safeguarding the privacy of
personal and governmental data as well as promoting the establishment of a transparent,
conducive and healthy working culture for all stakeholders, employees and clients.
Mission
The mission of Department of Administrative Services through this privacy proposal is to
protect the privacy of all stakeholders, employees and individuals accessing government services
by embedding privacy control mechanisms and strategies that promote transparency, reliability
and accountability at all government departments.
Values
1. Transparency
2. Accountability
3. Reliability
4. Professionalism
5. Code of conduct and ethics
6. Integrity and security
Document Page
Data Protection 4
Goals for the Plan
a) DAS is commited to ensuring smooth transition of all government services into the
cloud.it is also commited to ensuring that data stored in the platform is protected and
secured from unauthorized access and manipulation. It is the responsibility of DAS to
ensure smooth running and availability of all government services.
b) This strategy is based on the goal of maintaining high standards of stewardship,
accountability and integrity. Privacy goals, policies and practices are enhanced and
enforced and considered as critical components for the realization of this strategy. Hiring
of competent individuals and thorough user training shall be used to complement both
physical and ‘intangible’ security control mechanisms.
c) DAS shall make sure that all users are aware of and adhere to current governmental
regulations.
d) To provide a security framework suitable for the establishment levels of security for all
governmental services and information systems running on cloud platform.
e) Provide principles by which all users and departmental employees understand their
respective roles in the maintenance of a secured computing environment.
f) Protect DAS from unnecessary legal actions and ligations that would result from illegal
handling and unauthorized access and/or exposure of personal information.
g) Respond to changes in the context of organizational change, changes in governmental
regulations and technological advancements.
Scope of the Policy statement
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Data Protection 5
This policy statement shall be applicable to DAS and all other governmental departments and
agencies. It shall consequently be communicated to all stakeholders and employees as well as
third parties who in one or another interact with DAS systems.
Terms of Reference
1. Management of personal information
Information belonging to personnel- departmental staffs, stakeholders and clients shall be
stored using the most advanced encryption technique. Respective users’ shall have access to their
information through the active directory.
All personal data shall be legally acquired and lawfully processed, in a transparent and a
fair manner in relation to its owner. All individuals shall have the right to understand how
information gathered about them shall be used and stored in the system.
All personal data shall be collected for specific, legitimate and explicit purposes. Such data shall
always be processed in manners and formats that are compatible with the purpose for which they
collected.
All personal data shall be maintained at the highest degree of adequacy, accuracy and relevance.
Data collected and stored in the system shall be relevant and limited to what is necessary as far
as DAS SaaS cloud services are concerned.
All personal data shall be complete, consistent, accurate and regularly updated. Updating this
information shall follow the due process of law.
Document Page
Data Protection 6
A data plan management system shall be used to protect all personal informant from the
initial stages of data collection, organization, processing and storage.
2. Collection and management of solicited personal information
The collection and usage of information shall be subject to pre-collection agreement. All
stakeholders shall be consulted. Data clerks collecting this data shall have the responsibility of
convincing the client that their data will be used for the right purpose and shall not be disclosed
without their consent.
3. Use and disclosure of personal information
All personal information stored in the cloud will be in encrypted form. This information
shall not be disclosed, exposed to unauthorized persons or published. In case of publishing this
information, data managers will have the responsibility of informing and getting consent from
the owner. A breach of this shall lead to legal implications and dire consequences shall follow.
Personally identifiable information shall be masked to ensure that it is not revealed to third
parties in cases where consent are successfully achieved.
4. Applications of digital identities
Digital identities shall be used to identify and authenticate all service users. However,
this information will remain masked to ensure maximum protection from unauthorised access.
Electronic data and its traits shall be strategically hidden using pseudonym files.
5. Securing personal information
Document Page
Data Protection 7
Advanced encryption techniques should be applied to all departmental data stored in the
cloud. Higher privacy levels can be achieved this way since third parties may have access to, but
not be in a position to read data.
6. Controlling access to private information
Access to personal information will be based on access level and user priveleges.
Additionally, no personal data shall be accessed or otherwise published without getting its
owners’ consent or without meeting all legal requirements. Identity access management system
shall be used to control access to this information. Disaster recovery and backup systems shall be
used to create replicas of information thus increasing info availability and performance.
7. Quality and correction of personal information
It shall be the responsibility of departmental data managers and clerks to ensure that data
collected is filtered before being fed into the cloud. The filtering process shall be used to
guarantee the completeness, accuracy and consistency of data.
Any incorrect editions of data once uploaded in the cloud shall be detected and deterred.
Privacy Risks Controls’ Recommendations
Practical solutions should be put in place to ensure maximum protection against privacy
risks. DAS should use these solutions as a roadmap for implementing practical solutions, useful
for the minimization of identified risks without compromising quality of services (Pencarrick,
Nancy, & Kimberlyn, 2012).
Mitigating previously identified risks
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Data Protection 8
a) Control access to personal information by developing and maintaining strong passwords.
Password management policies should be used to manage these passwords.
b) Different users from different departments should be assigned varying user levels and
access privileges. This would amicable limit access to certain personnel.
c) Access management policies should be developed, and used to limit incidences of
unauthorized access to the system.
d) All processes involving data entry, processing and storage should constantly be
monitored.
e) Personal information should be categorized based on sensitivity.
f) Conduct thorough training for all departmental staff, making them aware of the Dos and
DONTs while using the shared services’ platform.
Privacy Strategy Implementation Control
The realization of departmental objectives will only be possible if a privacy policy is
implemented. Control mechanisms put in place should have three qualitative benchmarks in
accordance to Privacy Bridges Report: easy to use while expressing individual decisions an
consent for collection and processing of personal data, scalable and must respect both procedural
and substantive differences between national privacy laws (Kristina, Svetlana, Joris, & Marcelo,
2017). This is implies that control mechanisms should be aligned to organizational/departmental
goals/objectives. To fully realize this, DAS should:
a) Develop and maintain adequate data backup and recovery procedures. These procedures
would help the organization establish sound safeguards through which data copies of data
may be availed offline and help recover from disaster. Where original data is corrupted,
backup data may help recover the actual data (Suguna & Suhasini, 2014).
Document Page
Data Protection 9
b) Implement a storage strategy. Such a plan will push employees to apply best practices
applicable in the implementation of security technologies. Moreover, storage system
strategies would help supplement the already existing network safety protocols.
c) Different sites for the various governmental departments should be built. These would
then be used to serve all government agencies.
d) Access risks associated with the migration into cloud service for all departments and
come up with an integrated viable solution.
e) Uniquely configure data management system for the payroll system as a way of
protecting personal information from unauthorized manipulation.
f) Continually monitor and review all processes in line with its privacy strategies. On
weekly basis, the department should assess and monitor ther ares of weakness and find
solutions for the same.
g) Lay out security issues reporting and addressing procedure.
h) Create security breach incidence response plan. Such plans provide adequate response to
security incidences in time.
i) Ensure that all government agencies and departments periodically conduct performance
measurement against its privacy management strategy.
Personal Data Protection Strategy
Protecting Personal Information
Security is a critical consideration for all IT infrastructure and systems. All organizations
understand the need of securing their information systems as it not only streamlines its processes,
but also leads to higher profit margins, increased revenue and returns on investments. Securing
personal information is one way of gaining clients’ trust, builds organizational reputation, and
Document Page
Data Protection 10
cultivates a healthy working relationship between organizational stakeholders. Data is protected
at its three stages: transit, processing and in storage thus creating a business enabling
environment. DAS should, therefore, shall give data protection vital importance which will
transform into general security for all organizational assets.
Personal information will be managed with utmost care and concern. To efficiently and
successfully achieve this, DAS shall implement a personal data management and protection of
personal protection. This plan will consist all the stages of private information from management
starting from getting consent to collect data, capturing data and enlightening the clients
(departmental staffs in this case) to ensure that their data is secured and that it shall be used at for
the right purposes. The executive shall be tasked with the responsibility of creating a taskforce to
spearhead the protection of personal information.
A personal data management and protection strategy will make it easy for DAS and other
departmental heads to assign to various officials with the responsibility of spearheading
protection of personal data. Officials to be appointed for these tasks must be qualified and
experienced in data security and management systems. Access to organizationally-controlled
data will strategically be planned and designed to ensure maximum data protection.
Security breaches have always dealt governments, organization and individuals’ toll
blows. Information leakages damage organizational reputation and may see them lose their
customer base and market shares. DAS shall, therefore, be required to enhance its security
systems to avert any form of data loss in addition to abuse of personal data. All aspects of, and
activities that prevent data theft, unauthorized data access and manipulation and any other form
of interference shall be put in place to ensure that system services do not get compromised and
unreliable. A security policy strategy shall be used to control access to information system thus
tabler-icon-diamond-filled.svg

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Data Protection 11
preventing any chances of unauthorized manipulations from happening. A security level based
on the level of information being protected and the harm that might be caused by the interference
of such information. The organization shall similarly establish both physical together with the
technological security measures for the protection of individual data.
Due to high dependency on data, DAS will be needed to put in place flexible and some
special types of storage. It is the responsibility of the department to move data that is rarely
access or used to special storage devices where it can be stored over long periods of time. From
these storage devices, these data shall be retrieved in need-arise basis. Data archiving a
computing technology that ensures that DAS can store information for quite long periods of time
and retrieved in future. In addition to this, data archiving allows organizations to retain certain
types of information and data thus creating room for compliance. All archived data is indexed
while files with this information/data are issued with search capabilities for eased retrieval and
access. The SaaS cloud platform shall be an ideal solution for DAS to archive such data. In this
case, the organization shall use cloud storage platform for data achieving.
Authorised Acess and Disclosure of Personal Information
Confidentiality is one pillar in the CIA security triad that is used to ensure that data is not
exposed to unauthorized access. In the DAS SAAS application, access to private data shall be in
accordance to laid-down procedure. Access to personal information will be based on access level
and user priveleges. Additionally, no personal data shall be accessed or otherwise published
without getting its owners’ consent or without meeting all legal requirements. Consultations with
individuals may result in an agreement between the two parties after which personal data storage
officer will have to sufficiently prove and ensure that only accurate, consistence and complete
Document Page
Data Protection 12
data is released, and for the right purpose. No personal data shall be disclosed or published where
an agreement is not reached.
Unauthorized information disclosure of personal information shall be legally prohibited
and criminalized. Individuals who will breach this law shall be subjected to criminal
investigation and dire legal consequences shall be meted on the. This law shall also prohibit any
members of staff from aiding unauthorized access to personal data.
Personal Information De-Identification
While personal information refers to info which describes an identifiable individual, de-
identified information refers to any other information that lacks sufficient attributes to be
identified with an individual. While de-identifying information, DAS shall strive to ensure that
no any individuals’ identities shall be connected with the information relating to them. As such,
any information that can be used to successfully identify a person shall be permanently deleted.
As an example, all the names belonging to connected individuals shall be deleted from other
information that might be subjected to third parties. This will be achieved by masking individual
identifiers so that unique personal information is not revealed. Once masked, this information
can easily be shared with third parties at minimal security risks. Nevertheless, security experts
will be required to consider governmental laws and policies that regulate collection and handling
of personal data.
Use of Personal Digital Identifiers
In present day computing, digital identifiers provide highly secured mechanisms through
which users can be identified and authenticated. Digital identifiers are based on individual
unique traits and are used to identify people and their devices. Nevertheless, when misused or
chevron_up_icon
1 out of 17
circle_padding
hide_on_mobile
zoom_out_icon
[object Object]