Data has been referred to as the ‘new oil’ or ‘new gold’, but it’s more than that. Most organisations can’t function without it. That applies equally to governments.

Australian government data creation, collection, storage and analysis has grown and continues to grow, as does government reliance on it. With continued government policy directions promoting increased outsourcing of data storage, processing and cloud storage, the value and protection that disaggregation and diversification generate may be lost in the absence of appropriate oversight.

Our new ASPI report, Devolved data centre decisions: opportunities for reform?, launched today, looks at the unintended consequences of the government’s procurement arrangements for data centre services. It is aimed at shaping a better conversation on issues, challenges and factors to consider in the management of outsourced data centre arrangements.

Despite the intent of the Digital Transformation Agency’s Data Centre Facilities Supplies Panel, current arrangements place a high level of onus on individual agencies to identify and mitigate risks in the absence of whole-of-government oversight. This limits the opportunity to respond in a coordinated manner to wider interests of government, including those relating to concerns about supply chains and concentrated data holdings.

Established in 2010 as part of the Australian Government Data Centre Strategy 2010–2025 and following Peter Gershon’s 2008 review of the government’s use of information and communication technology, the panel aimed to address the high cost of ICT procurement through a coordinated approach.

The business case was based on analysis suggesting that an estimated $1 billion could be saved over 15 years through a data centre strategy that included a supplier panel.

But the panel has resulted in aggregation of government data holdings, raising the risk of single points of failure, where one breakdown could prevent the government from delivering its services. Aggregation also fosters a lack of diversification in providers, which could reduce innovation.

The high cost associated with moving to alternate data centre providers has created barriers to exit, which in turn stifles opportunity and reduces market flexibility. This in essence establishes a conflict with competition policy outcomes. The cost of transitioning to a different provider may also be higher due to increased contract lengths and extensions. That’s both a symptom and a driver of a level of market capture.

Concerns about the government’s ICT procurement arrangements are well documented. The 2017 DTA Report of the ICT Procurement Taskforce identified impediments to improving ICT procurement across government, including a lack of centralised policies, coordination, reporting, oversight and accountability. The report attributed this to more than 20 years of devolved agency decision-making; the limited capability and risk-adverse nature of the Australian public service with a focus on compliance; a fear of failure; poor collaboration; and industry engagement.

However, the taskforce’s recommendations and the government’s response failed to address data centre procurement, which also includes issues related to the ability and maturity of small to medium-sized agencies to adequately respond to tenders. Such difficulties may be amplified in agencies that are inconsistent in their preparation and assessment of tenders, lack transparency and consistency in decision-making, and have a poor understanding of the costing models used in the data centre market.

What is needed over a five-year horizon, given this changing environment, is a clearer conversation and greater confidence in controlled ownership.

While the unintended consequences of current arrangements have been discussed in some detail, aspects relating to sovereignty, critical infrastructure and 5G network ownership are flagged as areas needing further consideration in the context of outsourced data centre services.

Our report highlights critical issues for consideration and resolution, including the lack of a whole-of-government overview and the fragmentation of management of data security. The absence of a single entity accountable for whole-of-government data centre outcomes results in increased data risk, the perpetuation of market distortions and reduced market flexibility. Accountability has been pushed down to the departmental level. Given the limited resources of small and medium-sized agencies, this drives the selection of convenient options, which in turn establishes barriers to taking advantage of market flexibility and efficiency. While the mandate of the DTA is to provide policies, standards and guidance, it lacks resources and the authority to drive whole-of-government ICT outcomes.

In addressing these challenges, it will be important to respond at two levels. The risk that’s caused and amplified by the aggregation of data centres must be mitigated.

There’s also the need to establish oversight and accountability, including a strategy for managing of government information and data assets, going beyond the current agency-by-agency approach. An authority set up to manage this would have objectives relating to data security and management of overall data risks as well as promotion of market flexibility and efficiency.