Gehan Gunasekara argues that digital transformation is about people and skills training

Information professionals are critical to surviving in the digital age. For example, those such as privacy officers, information officers or data protection adviser in organisations are at the front lines in protecting society. The recent cyber-attack on the Waikato District Health Board has, amongst other such recent incidents, highlighted the importance of such staff in preventing future attacks: the loss of personal information led in this instance to denial of access to life-saving treatment.

Personal information may be the new oil and the increasing attacks targeting it signal its value. There is a human dimension that is often neglected here: vulnerabilities are more likely through human error than technical glitches in technology. However, this in turn necessitates investment in human resources and the associated costs. But, failure to do so may result in even greater costs with reputational damage and, with the new powers conferred on the Privacy Commissioner, regulatory scrutiny including fines.

Information professionals will assume ever-increasing prominence in the twenty-first century. The chief privacy officer (CPO) will be as important as chief financial officer (CFO). Even existing roles such as client relationship advisers, recruitment consultants, data analysts and people and culture managers require solid understanding of ethical and legal frameworks surrounding the use of personal information. Digital literacy is about more than technical skills such as, for instance, how to generate and use data analytics.  It encompasses also being able to evaluate the legal and ethical limits to such techniques. Ethics alone is insufficient as understanding the legal frameworks surrounding data use and how these intersect with ethical as well as other standards governing data are required.

Privacy and information professionals require specialised skills. Understanding legal and regulatory frameworks is a starting point. But, where managing data is concerned understanding the legal requirements is not enough: one must be versed in techniques of implementation at the organizational level. In turn this means engaging with the internal management dynamics of the organization and being able to design accountability criteria and mechanisms. Soft skills are also desirable, and these include advocacy with stakeholders and knowing how to resolve conflicts before they escalate.

In a digital age privacy and information handling skills are as important as financial literacy or software creation. Organisations that make the necessary investment in staff and their upskilling inevitably reap the regards whilst those that fail to do so learn the hard way. Testing is needed to see if staff know not to open a phishing attachment by deliberately sending a dummy one to test reaction. Likewise, knowing how to audit a service provider to check its adherence to commitments regarding use or storage of data requires systems and follow-up to see they are used.

Often, knowing when to delete data can forestall data breaches. Many famous data breaches have been enabled or made worse by organisations keeping personal information that was no longer needed or failing to check it was still needed. The Ashley Madison hack of 2015 revealed the company had held on to records of customers who had closed their accounts. Similarly, with the Equifax breach in 2017 retention of databases after migration to its subsidiary and failure to audit as per contract allowed the hack of the parent to obtain the data of millions of United Kingdom users. New Zealand does not have a “right to be forgotten” unlike the European General Data Protection Regulation (GDPR) but does have rules regarding how long data can be held and knowing how to navigate these and differences with the GDPR (in transacting business with Europe) is vital.

Earlier this month, the University of Auckland Business School is hosted a symposium: Who’s doing what with your data? Information governance in a digital world. Keynote speakers were the Privacy Commissioner and Government Chief Privacy Officer and an industry panel included several contributors including a representative of Facebook. The presence of these stakeholders demonstrated the critical need for greater public engagement with the information profession.

Gehan Gunasekara is an Associate Professor in Commercial Law at the University of Auckland Business School and Chair of Privacy Foundation New Zealand.

Interested in a career as an Information Professional? See our Master of Information Governance online programme.