Security, privacy and active citizenship in eGovernment

Recommendations from a working group under the Danish Board of Technology.

Public administration in Denmark is on its way to becoming digital. Digital technology, specifically the Internet, is increasingly applied to manage public administration and casework, and to communicate with citizens. This, taken together with numerous organizational changes, signals the coming of an entirely new infrastructure for the public sector. The primary focus of eGovernment policies has been on the benefits to be gained from freeing up resources and increasing effectiveness within and among government agencies. Meanwhile, considerations such as citizens’ access to and control of their own data are given a lower priority following the rationale that there is a trade-off between effectiveness and service, and the protection of privacy.

A panel of experts under the Danish Board of Technology has investigated how we are to avoid a situation where demands for efficiency and effectiveness in the public sector put citizens’ security and protection of privacy at risk. The committee focused on two important strategic initiatives in the Danish eGovernment project: the development of service-oriented architecture (SOA) and the introduction of joint electronic document management systems (JEDM). These initiatives have been popularly described as “breaking down the silos”; meaning that the legally defined “walls” between institutions are being removed to the benefit of creating one integrated administrative body. The idea is “one-stop shopping” in the public sector, where the citizen is only required to make contact with the system at one location, and from this location, all of their social service needs can be met. In addition, administration and casework are made more effective and flexible as data is more freely available and can be reapplied anywhere in the service-oriented architecture.
However, this process is putting citizens’ security and privacy at risk.
The working group presents a number of recommendations which aim to:

  • Protect citizens’ basic rights to security and privacy
  • Increase citizens’ access to and participation with the public administration

 

Through consulting with a group of citizens, it became clear that the creation of an infrastructure to exchange citizens’ data must be matched with improved transparency in public administration, as seen through the eyes of the public.
The working group has furthermore focused on privacy enhancing technologies (PET’s) as an opportunity to give citizens greater control of and secure access to their own data. The working group has not assessed these solutions in detail, as the Danish Ministry of Science, Technology and Innovation has already charted and assessed the current PET-solutions.

 

Recommendations of the working group:

In this report, the expert group outlines 3 general and 29 specific recommendations. While some of these recommendations require legislative changes, others require that technical systems be reconfigured or reorganised to better ensure the rights of citizens. Some of these recommendations are presented in brief below.

 

More political leadership in eGovernment
The establishment of eGovernment is an important and costly societal project, which requires the attention of politicians. Technicians and public servants alone should not decide the form and contents of eGovernment. Politicians must demand solutions that provide citizens with greater access and a wider range of possibilities when dealing with administrative bodies, as well as the unequivocal protection of their rights.

 

Greater access, more options, and increased self-determination
EGovernment must give citizens better access to and understanding of their own data used in administration and casework. In general, it should give citizens a better basis for decision-making regarding their personal affairs, and finally it should strengthen their ability to utilize existing procedures. It is already possible to develop digital technology in such a way that we can attain both effectiveness and the protection of privacy. The opportunity to access one’s own data exists by virtue of information technology, and should be applied so that citizens are able to take advantage of it when they choose.

 

Systematic assessment of privacy protection
A consequence-analysis of IT-systems’ should be conducted before new systems are implemented to ensure that they meet the standards specified by personal data legislation and “good data management practices”. The analysis can then serve as a basis for incorporating data protection into eGovernment strategies and reference guides.

 

Some specific recommendations

  • Introduce legislation to ensure that record keeping and accessibility of digital case journals and data meet the minimum standards at the very least. JEDM systems must be designed and regulated in such a way that they are able to meet the standards and ensure the consistent development of eGovernment throughout Denmark. Digitalisation increases the need for correct record keeping, as electronic documents are easily changed and original copies can be lost, etc.
  • Employees’ access rights in a JEDM system should be limited to their field of concern. It should not be possible to extend access to cases across administrative fields.
  • IT systems should be designed in a way that citizens receive direct access to their own case journals. The right to access must be more rigorously enforced and extended to a wider number of administrative areas; something that requires changes in Danish legislation. Amongst other things, citizens should have access to log files with information concerning who has created, seen, changed, forwarded, or received information regarding that citizen.
  • The use of metadata should ensure that the provisions in the personal data act concerning purposefulness and data quality are maintained during the repeated use of data.
  • The exchange of data between various administrative agencies/working areas in eGovernment should only occur upon a formal request for the disclosure of personal data (to avoid function creep).
  • Citizens should have access to see “paradigm cases” which illustrate the possible outcomes of the agency’s casework, thereby creating a more transparent administrative process.
  • Technology should be employed to make it easier for the citizen to give their voluntary, specific, and informed consent for the disclosure of data (instead of changing or making exceptions to the rules of consent; something that has happened in a number of examples).

 

The members of the working group comprise:

  • Jeannette Viale, Department manager, Municipality of Næstved
  • Rikke Frank Jørgensen, Senior Advisor, Danish Institute for Human Rights.
  • Peter Blume, Professor of Law, University of Copenhagen
  • Oluf Jørgensen, cand. jur., Head of Department, Danish School of Journalism
  • Jens Georg Kristensen, IT-chef, Municipality of Holstebro
  • Steffen Stripp, Projekt Manager IT-systems, Dansk Metal.