Opinion

How Australians can take back our identities to create a safer cyber future.

December 12, 2022

It’s time we stopped reacting to hacks after they hit the headlines and started thinking about what we can do to stop them in the future. It’s no easy undertaking — it will require time, resources and significant changes to how our organisations work.

But for decades, most organisations haven’t had a particularly serious attitude to managing sensitive personal information. Some have been legally obligated to, like those in the medical or financial sectors. But in my ten years of working with business and civil society leaders on their data practices, I have been consistently shocked at their relaxed approach to managing personal information.

Small-to-medium organisations are the most concerning. They manage highly sensitive information poorly because they lack the expertise, time or resources to do better. Attacks on these smaller organisations rarely make headlines, but they are easy targets for the more than a million attempted foreign and domestic hacks each year.

That raises the question: do these organisations even need to hold your data? Whether you’re applying for a rental property, joining a gym, renting a car or volunteering with a local NGO, it is reasonable (and in many cases legally required) for these organisations to ask for specific personal information. Otherwise, how do they know you can pay the rent, or what medicines you take if you suddenly have a heart attack?

But there is currently minimal legal obligation to keep that information safe. For example, the Privacy Act doesn’t apply to most organisations with an annual turnover of less than $3 million (with limited exceptions, such as health service providers). Even where it does apply, the Information and Privacy Commissioners don’t have the resources to ensure real accountability or consequences for small-scale mismanagement or misuse.

Solving this weak spot is one of the most impactful things we can do to keep Australians safe and strengthen our digital economy.

So how can we, as consumers or customers, give small-to-medium organisations the information they need in a safer way? Digital identity systems go a long way towards solving this problem. If you have a MyGov or Service NSW account, you’re already familiar with the concept. Like your passport or driver’s licence, a digital identity lets you establish who you are easily, and organisations can trust that it is accurate without having to review every underlying document themselves. You are who you are, you live where you claim, and you earn what you say you do. With a digital identity, you can also choose what and how much to share with each organisation, rather than handing over everything.

The Albanese Government is pushing ahead with a plan to effectively make the opt-in MyGov identity available for businesses and NGOs to use as well, a plan which had been stuck in limbo since 2015.

The NSW Government rolled out digital driver’s licences in 2019 and is now expanding the scheme to verify other data. Importantly, once the information is verified, it is stored securely on your own device rather than being held centrally by the Government or a private entity.
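To make the two ideas above concrete (an organisation can trust a claim without re-checking the source, and the holder reveals only what each organisation needs, from a credential held on their own device), here is an added worked example. It is illustration code written for this page, not the mechanism MyGov or Service NSW actually use, and it assumes a simple salted-hash selective-disclosure design: the issuer signs a set of salted claim hashes with an Ed25519 key, the holder keeps the salts and values, and a relying party recomputes only the hashes of the claims it is shown. The claim values and the issuer key are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Claim is one attribute the issuer has checked out of band (name, address, income band...).
type Claim struct{ Name, Value string }

// Disclosure pairs a claim with the random salt that hides it inside the signed credential.
// The holder keeps these on their own device; a relying party only sees the ones revealed.
type Disclosure struct {
	Claim Claim
	Salt  []byte
}

// Credential is what the issuer signs: the salted hash of every claim, but no claim values.
type Credential struct {
	ClaimHashes []string
	Signature   []byte
}

// Presentation is what the holder hands to a relying party for one transaction.
type Presentation struct {
	Credential Credential
	Revealed   []Disclosure
}

// NewIssuerKey generates the issuer's Ed25519 key pair (constructed here for the demo).
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// hashClaim binds salt, name and value with NUL separators so distinct claims cannot collide.
func hashClaim(d Disclosure) string {
	sum := sha256.Sum256([]byte(string(d.Salt) + "\x00" + d.Claim.Name + "\x00" + d.Claim.Value))
	return hex.EncodeToString(sum[:])
}

// commitment is the single message the issuer signs; sorting makes it order-independent.
func commitment(hashes []string) []byte {
	sorted := append([]string(nil), hashes...)
	sort.Strings(sorted)
	sum := sha256.Sum256([]byte(strings.Join(sorted, "\n")))
	return sum[:]
}

// Issue salts and hashes each verified claim and signs the set. The credential travels with
// the holder to verifiers; the disclosures (salts and values) stay on the holder's device.
func Issue(priv ed25519.PrivateKey, claims []Claim) (Credential, []Disclosure, error) {
	var held []Disclosure
	var hashes []string
	for _, c := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{Claim: c, Salt: salt}
		held = append(held, d)
		hashes = append(hashes, hashClaim(d))
	}
	return Credential{ClaimHashes: hashes, Signature: ed25519.Sign(priv, commitment(hashes))}, held, nil
}

// Present reveals only the named claims; every other claim stays hidden behind its hash.
func Present(cred Credential, held []Disclosure, reveal ...string) Presentation {
	p := Presentation{Credential: cred}
	for _, d := range held {
		for _, name := range reveal {
			if d.Claim.Name == name {
				p.Revealed = append(p.Revealed, d)
			}
		}
	}
	return p
}

// Verify is the relying party's check: a signature from an issuer it trusts covers the hash
// set, and every revealed claim recomputes to a hash inside that set. It returns only the
// revealed claims and never learns the hidden ones.
func Verify(p Presentation, trustedIssuer ed25519.PublicKey) (map[string]string, error) {
	if !ed25519.Verify(trustedIssuer, commitment(p.Credential.ClaimHashes), p.Credential.Signature) {
		return nil, errors.New("credential was not signed by the trusted issuer")
	}
	signed := map[string]bool{}
	for _, h := range p.Credential.ClaimHashes {
		signed[h] = true
	}
	out := map[string]string{}
	for _, d := range p.Revealed {
		if !signed[hashClaim(d)] {
			return nil, fmt.Errorf("claim %q is not covered by the issuer's signature", d.Claim.Name)
		}
		out[d.Claim.Name] = d.Claim.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := NewIssuerKey()
	// Constructed sample claims, not real data.
	claims := []Claim{{"name", "A. Citizen"}, {"address", "1 Example St"}, {"income_band", "80k-100k"}}
	cred, held, _ := Issue(priv, claims)
	// A landlord needs the name and income band, not the current address.
	fmt.Println(Verify(Present(cred, held, "name", "income_band"), pub))
}
```

The point the verifier code makes is that the relying party never receives the address, yet can still tell that the name and income band it does receive were vouched for by the issuer: changing a revealed value, inventing an extra claim, or presenting a credential signed by some other key all fail the check. What this toy omits, and a real scheme must add, is binding the presentation to the holder (so a stolen credential cannot be replayed) and a way to revoke credentials.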

A digital identity system is the way forward, but we can’t let the panicked urgency of these severe cyber-attacks make us skip past the fine print. Technology must reflect our values and act for our broader social benefit. The hardest part of technology policy is balancing security and safety with individual privacy.

To do this, any solution needs to pass a few tests. First, the most vulnerable in our community need to be able to easily understand what is being held, by whom, and where. Second, it must be secure and private, and ideally held on your own devices rather than centrally. Third, these platforms must be technologically neutral and interconnect easily with each other, just as our passports do internationally.

Finally, if we’re asking our government to step in to solve this market failure, we need to ensure it is independently and publicly accountable for how it operates. To do this, our federal and state Information and Privacy Commissioners must play a strong role in protecting the public interest. This means increasing their powers to hold government and businesses to account while also increasing their resources to actually investigate potential failures before they become disasters.

The series of cyberattacks we’ve suffered over the last few months has been deeply damaging to many, but it also gives us a valuable opportunity to improve the way our systems and society operate and to create a safer future.