
Data-Enabled Government How Well is Our Personal Information Used and Protected (White Paper)

Date post: 08-Apr-2018
Upload: ispit
  • 8/7/2019 Data-Enabled Government How Well is Our Personal Information Used and Protected (White Paper)

    DATA-ENABLED GOVERNMENT

    How well is the citizen's personal information used and protected?

    In co-operation with the Economist Intelligence Unit


    CONTENTS

    Foreword
      Security conscious
      Technological solutions

    About this report & Executive summary
      Many doubt the need for government to collect more data
      Sharing information across departments will be a leading concern
      A lack of transparency about data usage will be a barrier to gaining citizen trust
      The human element in data privacy procedures needs tightening
      Protecting paper-based data remains an important concern
      Despite the challenges, the benefits of data-enabled government are clear

    Introduction
      Case study: Baden-Württemberg's myService-BW citizens' portal

    Section 1. Why hold data on citizens?
      The downside: a necessary evil?
      Too much for too long: is more data really better?

    Section 2. Serving citizens: what data is really needed and by whom?
      Data representation

    Section 3. Protecting citizens: can it be done?
      Protecting paper-based records
      Avoiding a paper chase in local government
      Putting policies in place
      French government puts public services on mobile devices
      Risk management and accountability

    Conclusion


    FOREWORD FROM HP

    Good governance depends on good data management. Only by effectively gathering, analysing and understanding data can a modern state hope to provide its citizens with services that are closely tailored to their needs.

    Citizens have high expectations of what the state will provide, and the resultant interaction between the two is vast and complex. Within the scope of those interactions, the role of the state varies enormously, from provider and protector, right through to arbiter and enforcer. To carry out its responsibilities, the state must be able to tell apart citizens, residents and visitors, legal or otherwise. It must be able to assess the various rights and duties attached to members of each group. This inevitably involves the capture of extensive information. Moreover, governments can better and more efficiently provide the services that citizens demand if such data can be shared easily among those who need it.

    If data is to be easily shared, then it must also be subject to security so stringent as to make theft or misuse impossible, or as close to impossible as can be achieved. Not only do citizens expect their personal details to be protected against third parties, they also have a legitimate expectation of some level of privacy and protection from state intrusion into their lives. Governments must balance their own requirements for information to meet their legal obligations with the privacy rights and aspirations of citizens, as well as cost. There is no perfect solution.

    Security conscious

    Many governments seek to create this balance with initiatives around security and transparency. Nevertheless, stories of massive data losses by states have become regular media fare. Among the more spectacular was the disappearance, in 2007, somewhere in the British government's internal mail, of two small computer disks containing private information relating to 25 million individuals, over 40% of the population. The British case arose from an error, but in Australia in March 2009, after an IT staffer in the Northern Territory's prison service broke off his engagement, his ex-fiancée drank too much, stole his password and deleted over 10,000 files.

    Such events are too often presented as scare stories, the dark side of the power of information technology. Instead, they should provide an opportunity to consider some important underlying issues, such as what should be collected, how should it be used, how can citizens have equal access to government initiatives, how should the data and information be protected, and with whom should it be shared?

    As this study shows, the scare stories are right in one respect: IT has raised the stakes by making it possible to transfer much more data faster than ever. The problem, however, goes far beyond surreptitious downloads to handheld storage devices. The study finds that protecting all information, including paper documents, is crucial. In the rush to meet the technological challenges, traditional file folders (and they are still legion) are not receiving the protection they need. The problem is a broad one, and too often under-appreciated.

    Data is usually switched from digital to paper storage several times in its useful life (through scanning, printing or keyboard input, for example) and each change creates potential insecurities. The technology and processes used to control data storage and transfer, however, as well as the accompanying security arrangements, are frequently not well-planned, integrated systems. Instead, they tend to be inefficient, ad-hoc accumulations that reflect organisational history rather than rational strategy. Finally, and most important given that data is collected for a purpose, feeding the information on these myriad printed pages into the decision-making process in a timely and effective way is virtually impossible.


    Technological solutions

    If technology has exacerbated some problems, it also presents new solutions to others. For instance, by automatically checking applicant data, the state can speed up the process of benefit applications. It can also provide a full, auditable decision trail, making key processes not only faster but also fairer, more transparent and less expensive. Advanced IT also allows much more subtle and powerful data management techniques. To share information or not is no longer a simple binary choice. Meta-data about data (where it was captured, in what context, and who has accessed it) can be monitored and used to decide further access; those looking to use databases in other departments can receive specific information with other associated data (names, say) automatically stripped out at point of access; software can handle necessary data redaction activity in a host of circumstances; whole networks can be hidden from each other while simultaneously interacting with other networks within a broader system. Meanwhile, the ways to protect paper range from tamper-proof ink, through data redaction when documents are photocopied, to the generation of alarms when key papers leave a building.

    Although such tools can help retrofit existing, ad-hoc data sharing and protection arrangements, they are more effective when organisations approach issues about information, however stored, holistically. Those that do not do so risk missing holes that seem obvious in retrospect: the best computer firewall and most advanced ink will not do much good if secret documents spend time spooled on unencrypted hard drives within networked printers, or if documents in transit or waiting in a pile at central scanning points are not secure or cannot be accessed for critical decision making.

    More important, a holistic approach to information, one that decides who should see what and when, based on reasoned criteria and implemented via auditable systems, can lead to more efficient data use. HP can help organisations with all these security tasks, from the specifics of redaction technology to understanding the bigger picture and systemic dangers.

    Citizens around the world understand that governments need some information and they are willing to provide it when convinced of the necessity. In return, most want their governments to treat them fairly and protect their personal data, by keeping it private and using it only for the purpose for which it was provided. Rather than leading to scare stories in the press, such systems can let governments serve citizens while demanding less information of them and put them at ease by protecting their privacy better.

    We at HP would like to thank those who gave their time in the preparation of this report and look forward to the discussion it will promote.

    Gary Rodgers
    Worldwide Market Development Consultant, Public Sector
    HP Imaging and Printing Group, EMEA


    ABOUT THIS REPORT

    This report examines the key issues surrounding the use and protection of personal data by governments in key parts of Western Europe. It draws on in-depth interviews with experts working on the front lines of public sector data management in the UK, Germany, France and Sweden. Interviewees include executives from central and local government, as well as academics and other authorities able to comment from a cross-border standpoint. This broad range of expertise was combined with desk research to form the basis of the insights presented here. This report was written in co-operation with the Economist Intelligence Unit. The views expressed do not necessarily reflect those of the sponsor.

    EXECUTIVE SUMMARY

    Governments have always collected data on their citizens for a variety of purposes, ranging from taxation and military conscription to economic planning. In the 21st century, there are few remaining functions for which personal data is not collected. From the provision of public health and welfare services, to law enforcement and public security, governments have been expanding the breadth and depth of data they hold about their citizens. This is especially true today as governments continue to digitise operations and share information in the pursuit of greater efficiency and improved public services.

    Our research suggests that the debates and issues surrounding both how to deliver better service and safeguard private citizen data are becoming increasingly complex.

    Key findings from our research include the following:

    Many doubt the need for government to collect more detailed data on citizens.

    Most experts agree that better data management techniques, rather than the collection of ever more detailed data, will be the most important factor in improving government service and efficiencies. For example, information on individual citizens can be effectively combined from different databases for a specific task, avoiding centralised storage that generates Big Brother fears among citizens. However, in order to provide the quality and ease of online services that the public now expects from commercial organisations, government does need to retain a certain minimum of personal details.

    Sharing information across departments will be a leading concern in personal data management.

    A range of high-profile failures, from security issues cited after 9/11 to social services flaws cited after the now infamous case of Baby P in the UK, have fuelled the drive to better link information from various government departments. This is not without controversy: a strong utilisation versus privacy debate is underway, regarding cross-departmental data sharing. Numerous concerns exist, ranging from which departments should be able to share information with each other, to the extent and time period that data is shared. There is also an issue regarding transparency (see next point).


    A lack of transparency about data usage will be a barrier to gaining citizen trust.

    For the most part, citizens provide personal data for a single use or application without any knowledge of how that information could be used elsewhere. While there are many examples where this is a less controversial issue, such as within emergency services, a lack of transparency over future usage of the data may well become a significant hurdle to building trust in some countries.

    The human element in data privacy procedures needs tightening.

    The number and type of high-profile data breaches in the UK alone highlight how basic some of the procedural gaps are within government. Back-office servers may be securely locked down, but a memory stick containing millions of records can be inadvertently left on a desk or in the back of a car. It is often the case that organisational culture and procedures have not caught up with technological advances. In general, rigorous policies need to be established regarding data access. This extends across both the digital and non-digital domain (see next point).

    Protecting paper-based data remains an important concern.

    The separation of paper-based and digital processes is somewhat artificial as the two are not mutually exclusive. Many believe that protection of paper-based data has been neglected in the move towards electronic data records. But procedures linked to printing, copying, using and sharing of personal information are often outdated. Experts recommend audits to expose deficiencies in related policies and procedures.

    Despite the challenges, the benefits of data-enabled government are clear.

    Amid the concerns about security and misuse, numerous schemes are already underway that are both benefiting citizens and helping to cut costs. One tele-health application, for example, has enabled elderly citizens to reduce the number of days spent in hospital each year from around 50 to just a handful, with the help of home monitoring. Similarly, many routine tasks, such as vehicle tax renewals, have been streamlined and put online. Plans are also afoot to enable interaction with government services via mobile devices and personalised citizens' portals.


    INTRODUCTION

    European citizens are unrelenting in their expectations of their governments. As their own lives are transformed by technology and the immediate availability of information and communications, they expect governments to keep pace and meet tough standards for efficient and effective services. Yet, at the same time, the same citizens can be highly suspicious of the motives of governments in collecting and storing personal data.

    Public concerns generally arise in two areas. First, citizens may question the government's entitlement to hold their personal data: What data? How much? For how long? And why? Recent protests in France, for example, arose over plans to introduce Edvige, a police database carrying details on millions of citizens including their opinions, sexual orientation and social circle. As Howard Schmidt, president of the Information Security Forum, an international IT security professionals' group, points out: "Every bit of data about us draws more of a picture of who we are." Second, there are legitimate fears about the security of data held. A number of high-profile cases in which personal data have been lost or mislaid substantiate this concern.

    As the power of technology increases, governments are becoming better placed to meet citizens' demands for more effective and efficient services. But technology also tends to increase complexity, so it becomes harder to manage and protect data, especially that which is shared between government departments. Indeed, as is often said about IT systems, complexity is the enemy of security.

    While governments in Western Europe race to digitise and automate citizens' records, issues surrounding private data stored on paper (which often outnumbers electronically held information) are regularly neglected. "There's a tendency to discuss electronic records, but there's great reliance still on manual records," says Rudi Leoni, principal information management officer for the London Borough of Wandsworth.

    This report will examine these dilemmas, and discuss ways in which Western European governments are seeking to advance their services by using more private data while meeting the challenges of safeguarding it.

    BADEN-WÜRTTEMBERG'S MYSERVICE-BW CITIZENS' PORTAL

    "A citizens' portal with personalised document storage areas connecting to a collaboration platform will be the e-government architecture of the future," says Georg Schäfer, head of IT development for the German state of Baden-Württemberg. Access is controlled by personal ID cards and Schäfer says that both private citizens and SMEs can use it to store their data and documents safely, and do all the tedious paperwork easily and electronically, and get the results in a well-defined way, back in their secure storage area of the portal. Baden-Württemberg's myService-BW portal is already up and running. Here is some of the initial functionality for users, as stated on the site:

    The One-Stop-Government function is available when applying for a ballot paper (in the period before elections at around 400 municipalities/towns) and when applying for a confirmation of residence or income tax card (each for around 60 municipalities/towns).

    "The front office system will be connected to an administration facility equipped with document management and collaboration systems," Schäfer says. Citizen and enterprise will benefit from faster and simpler service. ID cards will be used for e-government services as bank cards are used today to get financial services. Furthermore, One-Stop-Europe portals will be interconnected with trusted channels, making pan-European services easier to provide and to apply for.

    All this has serious security implications, however. "We're now entering a new era of protection technologies based on encryption, such as the digital signatures used for signing e-documents, for example, electronic ID cards and encryption of communication by line encryption or transaction encryption," he says.

    Schäfer goes on to point out that additional concepts are emerging, too. They include the use of data pools containing encrypted personal data where the citizen allows authorities limited access through digital certificates (the ELENA concept in Germany).

    The main obstacle Schäfer highlights is the complexity caused by the difficult handling of digital signatures and e-ID cards. "User friendliness is very limited," he says, "and the citizens cannot understand what business they are really doing with their e-ID cards and their digital signatures."


    1. WHY HOLD DATA ON CITIZENS?

    "There's nothing new about governments holding information on citizens," says UK Justice Minister Michael Wills. "What's changed is the technology, and at a huge pace. This is where both the challenges and opportunities lie."

    Governments everywhere are seeking to emulate the customer relationship management (CRM) techniques of the corporate world. Phrases such as "customer service" and even "customer experience" (hardly the traditional jargon of the public sector) are now becoming commonplace in many government departments. Although their motives may be different, large private sector organisations have long argued that they are able to establish a more intelligent and informed dialogue with customers and so provide a better service when armed with comprehensive personal data. In the public sector, this can translate into, for example, allowing senior citizens to stay in their own homes longer through advanced online monitoring procedures. When it comes to citizen support call centres, a swifter and more appropriate response is enabled when the agent can access the caller's profile or history of interaction. Even online services require the user to confirm their identity in order to be presented with the relevant information, and efficiencies are not the only advantage.

    Recent years have seen a significant push by European governments to increase the provision of electronic services in order to offer citizens greater choice and to create more efficient public services. From online tax declarations to digital patient records, the number of electronic interactions that citizens now make with government has increased substantially. But some argue that these systems have only served to reduce the kind of personal interaction required to resolve complex issues.

    National schemes for identity cards, for example, have been tabled in a number of European countries. These often arouse considerable hostility but they do make it easier to do business with the government. Objectors argue that the risks are high and complex. Although one may trust the present government, the next administration's priorities may be quite different. And authorities that become reliant on identity cards may well stop going through the more traditional checks on establishing identity. By contrast, governments themselves generally are in favour, believing that identity cards can curb the flow of illegal immigrants, reduce the risk of terrorism and prevent illegal working.


    This pressure on government to deliver more, and more quickly, to their populations is exacerbated by eroding national boundaries, evolving social norms and increasing life expectancy. In all, governments are facing a highly challenging and fast-changing environment. One of the ways they can meet these challenges is to ensure that they streamline the provision of public services as much as possible. Crucially, too, governments need to cut their own costs and raise efficiencies internally by having the public interact with them online. This is especially important in the current economic climate and in the face of future demographic changes that will strain present services to the limit. "Governments have no choice; they will have to change their public service model," says Graham Colclough, VP, Global Public Sector at consultancy Capgemini. "The present model simply cannot be sustained by the tax-payer in the future."

    In many cases, this means the collection, sharing and storage of data on citizens to ensure that relevant services can be delivered as efficiently as possible. The savings that can be made by delivering a service online are substantial on the operational side. Mr Colclough makes the rough estimate that each face-to-face interaction with a government department costs about 10, compared with 2 by phone and 0.10 via the web. This estimate, however, excludes the capital investments required for the underlying technology and process change, which is often significant. "However if not made, the real risk is being left behind," he says.

    And collecting or converting personal data to electronic format is also not always seen as the right solution. Conversion can be expensive, especially when scanning documents for digital storage, or trying to locate specific information in complex medical records. Mr Leoni, from the London Borough of Wandsworth, makes a strong point in favour of looking to both solutions: "If a paper record is fit for purpose, why, given the cost, invest in making it digital for little more than just the sake of e-enabling the record?" President-elect of the US-based Document Security Alliance, Peyton Old, points out that paper records tend to be less expensive to maintain than their digital counterparts.

    The UK's National Health Service (NHS), for example, holds sensitive personal information both on paper and on a computer system that is being developed to cover the entire country. Indeed, expert opinion holds that European governments still keep more citizen information on paper than they do in a digital format.

    The downside: a necessary evil?

    While there is growing pressure on governments to improve and co-ordinate services, there is growing criticism of the extent of personal data collection and practices around protecting it. The UK's Home Affairs committee has urged the government to stop creating large databases on citizens without first proving they are necessary. In its report entitled "A Surveillance Society" from June 2008, plans have been revealed to make a database of all phone calls and emails in the UK. The committee calls on government to adopt a principle of data minimisation and only hold data as long as is necessary.

    There are also accountability and transparency issues. It is certainly still difficult for a citizen to see who has access to their data. And while, in theory, citizens can demand to see data held on them, they cannot be certain as to how their data will be used and handled or even whether it is accurate. In some cases, it is impossible to tell anyway how the data will be used. For example, it is inconceivable to expect a government to say whether it plans to share personal details with security agencies, should an individual become a terrorist suspect.

    Countries across Europe take markedly different approaches to the privacy of data. "There's a lot more divergence [between different national approaches] than you'd imagine when it comes to data privacy, although all 27 states have to implement EU laws," says Nick Graham, a partner in Denton Wilde Sapte, a UK-based international law firm.


    While they are often at least one step behind technological developments, data protection laws are available to support governments' privacy efforts. Generally no single law is used as a legal framework in European governments. Sweden, for instance, uses the EU Directive 95/46/EC for protecting personal data as well as the Council of Europe Convention on Data Protection. These directives are implemented locally via the Swedish Personal Data Act 1998. "The principle of public access to information is, on the other hand, protected in the Swedish Constitution," explains Martin Valfridsson of the Swedish Ministry of Justice. Among other things, this includes in principle the right to full access to all official documents, including those containing personal data. (Access to an official document can be denied if the competent authority finds that secrecy applies to information in the document according to one of the provisions laid down in the Swedish Secrecy Act 1980.)

    "Though there are other states with a similar system, it isn't uncommon that their legislation stipulates secrecy as the general rule," says Mr Valfridsson. "[It] specifies certain situations when access to information might be given. In Sweden the rules work the other way around: access to public documents is the general rule." Staggering to some other cultures, Swedes' tax returns can be viewed publicly online, demonstrating the strength of cultural influence on data privacy. In the country, Allemansrätt, or the right of public access, gives anyone the right to roam through private property (barring gardens) for recreation. As Mr Colclough says, "Perception [of data privacy] varies dramatically from country to country."

    But regardless of cultural differences, experts are divided as to whether data held on paper is more secure than on digital media. Clearly citizens' records held on paper cannot be hacked into or sent round the planet in the same way as digital records, as Nick Graham points out. There is also far greater scope for large numbers of digital records getting into the wrong hands. Mr Graham believes that paper is neither intrinsically more nor less secure. There is less risk of sharing paper documents unlawfully (they are likely to have to be photocopied or faxed to be shared) but then print-outs can be left in bins, on scanners, printers and photocopiers.

    More importantly, Mr Graham says that in the case of data held on computer it is harder to prove legally that theft is criminal, than with a paper document. The Document Security Alliance's Peyton Old highlights the fact that paper records are also much harder to alter than electronic ones, in which "there's no true way of knowing [they have] been changed". "In court, the government department may need to go back to refer to the original," he says.

    High-profile data losses have caused substantial public alarm in some European countries about the security of personal data. The intended or unintended consequences of such loss could potentially be catastrophic for thousands or even millions of people, should their information fall into the hands of those with malicious intent.

    More recently, the explosion of public surveillance for protection against crime and terrorism has been a growing cause of concern. According to some commentators, the terrorist threat has been used to justify ever-greater citizen scrutiny. Peter Schaar, Germany's Federal Commissioner for Data Protection and Freedom of Information, is concerned about the increasing exchange of information between police and intelligence services. "Threats posed by terrorism and organised crime must not inevitably lead to centralising and merging all kinds of law enforcement authorities with completely different tasks and competences," he says. Instead he believes in the separation of powers, which is of vital importance in connection with the rule of law.


    A more intractable problem facing governments is thatlegacy systems were not built to meet todays privacydemands. Ten years ago, there was nowhere near theconnectivity we have today, says Mr Schmidt of theInformation Security Forum. In the meantime data hasbecome the gold, silver and diamonds of the world we livein. Keeping governments motivated to catch up is not easy,although Mr Schmidt says some agencies, especially indefence, are more diligent. In the K again, on top of thebreaches already recorded, a report came out in March2009, named emotively Database State, which claimed

    that of the 46 flagship databases it reviewed, only six wereeffective, proportionate and necessary.

    Toomuchfortoolong:ismoredatareallybetter?

    Some commentators have concluded that the assumptionthat it is necessary to have more data is fundamentallyflawed. Its not necessary to get more information oncitizens, says Mr Wills. Its more a case of using theinformation youve already got more efficiently. Othersargue otherwise, but only to an extent. Do we need tohave more information on people to give a better service?

    asks Bernard Benhamou, head of the French governmentsInternet delegation. Probably, yes but not if the risksare too high.

    The momentum towards more personal data, however,is powerful. In Germany, Georg Schfer, head of ITdevelopment for the German state of Baden-Wrttemberg,believes the effective use of personal data will increaseexponentially in the coming years. One major driver is thepromotion of e-government in the internal E market, he says.In France, around 900 public sector tele-proceduresare today available online, ranging from declarationsof workplace accidents to payments for social securitycontributions. More are being developed. Digital

    technologies make it possible to provide unified access topublic services and to adapt them to the needs of usersthroughout their personal and professional lives, saysFranois-Daniel Migeon, Frances general manager ofdirectorate responsible for the modernisation of the state.The aim is to evolve from e-government to online publicservices, he says. This second phase he describes asuser-centric, providing personalised services.

    So, if the inevitability of holding personal data is not only gaining momentum but extending its reach in terms of the number of people involved and the extent of data held, the question is how to achieve this at the same time as minimising the potential negative effects on private citizens.


    2. SERVING CITIZENS: WHAT DATA IS REALLY NEEDED AND BY WHOM?

    At the forefront of the personal data systems debate is the issue of sharing information. But what information? With whom? And how? Ultimately, the vision is for "joined-up government", a perhaps utopian view of seamless customer-centric public service and administration.

    Numerous schemes are afoot in Western Europe to pave the way to the objective of customer-centricity. In Belgium, for instance, the previously complex administrative hurdles for a disabled person to use their public support funds to receive home-help have been relieved through a new policy whereby all their personal information is kept online. These individuals are now assigned a budget to employ a home-helper, so that in effect he or she becomes an employer. The individual has to follow all the rules of being an employer, such as declaring the employee, paying social security, getting insurance and so on. But rather than having to manage the complex set of submission processes with a variety of bodies, the scheme forwards all the information through a single portal. Not only does the process reduce stress for the citizen but government savings in the range of 5m per 5,000 participants are expected. This will come from a reduction in the need for face-to-face meetings and the saving of administrative costs through economies of scale.

    In difficult personal situations, more efficient government administration is welcomed. When there is a death in the family, for example, grieving relatives could avoid having to inform five or more departments or authorities by contacting a single source. And such a co-ordinated approach facilitates more everyday tasks, such as renewing car registration, which can be done online in a few minutes with personal data linked up between departments.

    A lack of integration has been heavily criticised on numerous occasions. Poor sharing of data on terrorist suspects between US state departments came under severe criticism following 9/11. Sharing basic information for things such as moving house, and sharing critical information for urgent situations such as when a doctor needs access to medical information, are not usually met with resistance, however.

    In fact, failure to apply the right sharing processes can have grave consequences. An enquiry into the death of a 17-month-old baby in August 2007 in north London, found to have more than 50 injuries at the time of death, criticised local government and health authorities for neglecting to detect the abuse of "Baby P", citing a failure to share medical records as an important factor.

    Even if there are sound mechanisms for exchange of information on printed documents between different public sector organisations, experts warn of the risks that occur if different security procedures, for example role-based access, are in place in one, but not the other. Shared information on paper documents today must be included as a key area within audits of private data handling within public sector organisations. To help overcome the risks associated with data sharing, such as faxes getting intercepted, Mr Old believes the information on citizens' records should be segmented so that not all of it is sent at once.


    A great deal of debate has also been triggered by the present drive towards increased sharing of electronic data on citizens between departments and authorities. "We're at a crossroads now [for data protection]," says William Dutton, a professor at the University of Oxford and director of the Oxford Internet Institute. "Traditionally, citizens' data has been kept in government silos. Now there is a push for sharing data to use it more effectively. It's at odds with the previous ways of doing things across Europe."

    Often when people provide their data or enter the system for one reason, they do not even know how that data will be shared. The risks of unwarranted information sharing are substantial. For example, people might well object if personal information is shared without contextual understanding about how the information was originally collected and how it will be used. There have been cases where individuals have unfairly been refused employment because they had a criminal record, which further investigation showed to be for minor offences committed up to 20 years previously.

    The Data Sharing Review report [1], which was commissioned by the UK Ministry of Justice to provide recommendations on how data-sharing policy should be developed in the UK, points out that, while there is nothing inherently wrong with data sharing across departments and authorities, it raises serious questions:

    "Data sharing in and of itself is neither good nor bad. There are symmetrical risks associated with data sharing: in some circumstances it may cause harm to share data, but in other circumstances harm may be caused by a failure to share data. Data sharing needs to be examined in specific terms. The key question is: Is the sharing of particular elements of personal information for a defined purpose, in a precise fashion, likely to bring benefits that outweigh significantly any potential harm that might be associated with the sharing?"

    The combining of all data on an individual in a single place often meets with a hostile reaction from the public. Walter Gora, a professor at the Institute of Electronic Business in Berlin, believes Germans are aware of the potential of e-government but are reluctant to give data on themselves that will be synchronised or shared.

    When it comes to data sharing, France takes a firm line. "The core principle is to keep data separately divided between departments," says Bernard Benhamou, head of the French government's Internet delegation. Exchanging files across administrations is forbidden, unless there is an explicit order from the government, for example for national security purposes or a criminal enquiry.

    While it may be useful to be able to renew car tax online, many citizens worry that the information can also be shown to police and motorists can then find themselves being fined for late payment, for example. "People don't mind about [their] government having information that's relevant," says Mr Colclough. "What they mind about is that the data could be taken out of context."

    This is a major problem when it comes to data sharing across administrations. "Individuals aren't told at the outset that their information could be displayed in another context," says Mr Graham of Denton Wilde Sapte. What is more, when the data arrive from a different department, they tend to be regarded as the responsibility of someone else. The department that receives the data therefore feels it has less accountability for its safe-keeping.

    "If the public wants to strike a balance in favour of privacy, as opposed to the benefits of data sharing, then of course that is what must happen," says Mr Wills. "It will always be a matter for the public to choose but the public will only make the right decision if they are given the right information."

    [1] Data Sharing Review, Richard Thomas and Mark Walport, 11 July 2008


    DATA REPRESENTATION

    One emerging approach could help to reassure citizens about the collection and storage of data. Rather than collect data and store it in a central database, some commentators advocate an approach whereby data is gathered from different databases for specific tasks only. The assembled information is not kept in a combined format in a database but is only used for specific tasks. "Governments think they have to construct huge databases," says Mr Colclough. With this system, backend data stays where it is, but can be merged in real time, creating a kind of "mash-up" on screen for the required information.

    This gets round concerns about the security of highly detailed information on an individual being stored in a single place, as well as potential misuse. "Provided it is kept in a decent repository, each segment of data is not a privacy problem in itself," says Mr Schmidt of the Information Security Forum. "It's when it's combined [that the problems start]." Udo Helmbrecht, president of the German Federal Office for Information Security (BSI), advocates minimising the use of personal data according to requirements and says the approach in Germany is not to create central databases but to move to storing personal data on electronic cards held by citizens.

    This concept of "representation" could help to ease public fears that combined personal details will be used out of context. It could also lessen frustration at having to interact with several different departments to solve a single issue. "Departments need to re-think what personal data they really need," says Mr Dutton, one of a growing number of experts who support the "data snatching" idea. From the security standpoint, this approach also eases citizens' concerns about data on themselves being held in a centralised way, since records remain distributed across several sites.

    This approach is not without its problems, however. "More thinking is needed in minimisation of data so that only relevant data is kept," says Mr Graham. One thorny issue is that the process of keeping data at source and bringing it together only for a specific purpose is very hard to adhere to.
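
    The "mash-up" approach described in this section, sketched as an added example that is not part of the original white paper: a broker pulls only the fields a declared purpose needs from each department's own store, returns them as a transient view, and logs the release without keeping the combined record. The department stores, purposes, role names and citizen ID are constructed assumptions.

```python
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample records: each department keeps its own store, keyed by
# a citizen identifier. All names and values here are invented.
SOURCES = {
    "vehicle": {"C-1001": {"plate": "AB12 CDE", "tax_due": "2009-06-30"}},
    "tax": {"C-1001": {"address": "1 Example Road", "income_band": "B"}},
    "health": {"C-1001": {"allergies": ["penicillin"], "gp": "Example Surgery"}},
}

# A declared purpose names the only fields it may pull from each source.
PURPOSES = {
    "renew_car_tax": {"vehicle": ["plate", "tax_due"], "tax": ["address"]},
    "emergency_treatment": {"health": ["allergies"]},
}

# Hypothetical roles and the purposes each one may invoke.
ROLE_PURPOSES = {
    "licensing_clerk": {"renew_car_tax"},
    "emergency_doctor": {"emergency_treatment"},
}


class AccessDenied(Exception):
    """Raised when a role asks for a purpose it is not entitled to."""


@dataclass
class Broker:
    """Assembles a transient, purpose-bound view; it never stores the result."""
    audit_log: list = field(default_factory=list)

    def _audit(self, role, purpose, citizen_id, outcome, fields):
        # Log field names only, never values, so the log does not become
        # a combined record of the citizen in its own right.
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "role": role, "purpose": purpose, "citizen": citizen_id,
            "outcome": outcome, "fields": list(fields),
        })

    def assemble(self, role, purpose, citizen_id):
        allowed = ROLE_PURPOSES.get(role, set())
        if purpose not in PURPOSES or purpose not in allowed:
            self._audit(role, purpose, citizen_id, "denied", [])
            raise AccessDenied(f"{role!r} may not request {purpose!r}")
        view = {}
        for source, wanted in PURPOSES[purpose].items():
            # A citizen unknown to one department simply contributes nothing.
            record = SOURCES[source].get(citizen_id, {})
            for name in wanted:
                if name in record:
                    # Deep copy so edits to the view cannot alter the source.
                    view[f"{source}.{name}"] = copy.deepcopy(record[name])
        self._audit(role, purpose, citizen_id, "released", view.keys())
        return view


if __name__ == "__main__":
    broker = Broker()
    print(broker.assemble("licensing_clerk", "renew_car_tax", "C-1001"))
    try:
        broker.assemble("licensing_clerk", "emergency_treatment", "C-1001")
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in broker.audit_log:
        print(entry["outcome"], entry["purpose"], entry["fields"])
```

    The hard part Mr Graham points to is organisational rather than technical: the view returned here stays transient only if the calling application also refrains from caching or saving it.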


    3. PROTECTING CITIZENS: CAN IT BE DONE?

    There are different kinds of data and not all have the same value. Potentially, for instance, the state could collect information on anything from a person's family or economic circumstances, right through to their political or religious convictions. In the past decade, the extent of security data has expanded exponentially: CCTV cameras line the streets of most major European urban centres; there have been moves to record and keep records of phone calls and emails; and biometric data are beginning to become commonplace in DNA databases and customs procedures.

    So while personal data are important, do they have to be all things to all people? Is it legitimate to store the range and depth of data that many governments are hoping to capture? The central issue is simply put but complex: what are the right systems (technical or paper-based, procedural and legal or regulatory) to ensure that personal data remain confidential and governments accountable?

    People generally have a blind spot when it comes to security on IT systems. For example, they are often prepared to give their password away at relatively minor prompting, or to place it on a sticker near their PC. Executives can be equally lackadaisical, routinely exposing sensitive data on their laptop screens in public places such as airport lounges. A former CIA chief was once found using a non-secure home PC to store highly classified data. Even battle plans have been known to be left on a laptop in a car and stolen. When literally left to their own devices people cannot be trusted to manage digital data safely. "There has to be a cultural change," says Mr Wills. "There's a huge problem driven by technology growing more rapidly than security and protection. Cost is not the main issue. There's been a lag, with managerial practices failing to catch up with the opportunity of the technology."

    The urgency for cultural change was highlighted by Angela Sasse, head of Information Security Research at University College London, who recently told the UK House of Lords Constitution Committee that civil servants' endemic attitude poses a major risk:

    "The key problem is really that our ability to assess risks associated with information technology, with electronic data, has not kept up. The people who are handling the data, because they are in contact with them every day, are utterly blasé about the risks and the value, and they have no understanding about the impact that the disclosure or leaking of those data has on the lives of the individuals affected. Given that it is government handling their own citizens' data, this is something that has to change. The government has a duty of care."

    Today, a single member of staff handling citizens' records can now walk off with a whole government agency's dataset on a memory stick and, as has been amply demonstrated, lose it. While the paper-based system is susceptible to such leaks (there are numerous examples of breaches, such as patients' records being left on display in hospital beds and in car parks), the extent of the loss is typically much less. "The risk in the end is human," says Udo Helmbrecht, president of the German Federal Office for Information Security (BSI).

    Flaws in the system were revealed dramatically in October 2007 when two computer disks holding the personal details of 25 million people in the UK went missing. The UK chancellor said junior officials at the taxation department, HMRC, had ignored security procedures when they sent information to the National Audit Office (NAO).

    Nor are instances by any means confined to Europe: in one of the more brazen break-ins into government-held private data, computer hackers on one occasion took information on more than 33,000 active-duty US Air Force officers held in an online career management programme, with date of birth, social security number and other personal data.

    The problem is the litany of data breaches. "We're not really there yet with data protection," says Mr Dutton. Alarmingly, he believes most government departments in Europe currently have ad-hoc procedures for data protection that will take between five and 10 years to become fully effective.

    Protecting paper-based records

    Governments have meanwhile had several decades to think through procedures for protecting paper documentation. Often a classification scheme of five or six levels of secrecy is used for physical documents. Denton Wilde Sapte's Mr Graham says there should be access control doors and rules on locking filing cabinets so they remain inaccessible even to cleaning staff.

    "Governance is all," says Douglas Miles, European managing director of the Association for Information and Image Management (AIIM). This covers disciplines for handling paper documents, policy and workflows. He believes, however, that for electronic records it is easier to think through who can print off so that access levels can be locked and that organisations are better able to put in restraints for electronic systems. He adds that AIIM has found that when electronic filing is introduced, users become more cavalier about physical data filing.

    Fire or flooding can pose greater risks for paper-held documents. Warehouses can burn down, as Mr Miles says. While electronic records can be deleted far more easily, they are also easier to back up and store off-site in more than one location. If protecting paper documents from fire, there are products designed to maintain the inner temperature of storage units below the temperature that would cause damage to the contents. In the case of paper, this is about 175 degrees Celsius (compared with around 52 degrees for magnetic media). The most basic level for fire protection for paper is in compliance with the German standard DIN 4102. Here, a double-walled container is filled with fire resistant insulation material and typically able to resist fires for up to 30 minutes.


    Mr Schmidt of the Information Security Forum believes that government organisations with sensitive information on their citizens held on paper need, in effect, to work backwards and apply the same levels of protection to printed material as they now afford to electronic documents. Mr Leoni, from the London Borough of Wandsworth, points out too that electronic systems provide more granularity for access rights: they enable, for example, specific and defined rights over records, such as read-only or access to specified fields. In addition to the general day-to-day handling and processing of paper-based documentation, the storage, archiving and eventual disposal is often overlooked, Mr Schmidt has found. After all, the first place a criminal will look is in the rubbish bins and landfills.

    Technology for the paper itself is evolving, making documents harder to fake, for example adding the word "VOID" to photocopies of an original document, or using microtext encoded algorithms. Though, as Mr Old says, "You can't train a dishonest person to be honest." Staff education in procedures for handling physical documents with data privacy must be maintained, yet training for digitised documents grabs most attention. "People assume the important stuff is happening in digital [records storage], but there are significant risks with paper," says Mr Graham.

    Many on the front lines of government service delivery believe that audits should be carried out regularly into the organisation's handling of private information, in particular its functions and the records or information needed to support those functions, says Mr Leoni. Once audits are completed, gaps or matters of non-compliance need to be addressed, especially those relating to classification and handling, security, rules for storage (and eventual archival or disposal), legal implications and permissions; access rights for each record set need to be established.

    "The audit should highlight deficiencies in policies and procedures," he says. Though standards (such as ISO 15489) that help implement sound processes for document handling are available, they can be onerous for an organisation to implement fully and should be used with discretion. Equally, Mr Graham warns that too much focus on macro procedures may overlook a significant part of the public processes and record keeping issues at the micro level. Regardless, experts agree that paper-based personal records will remain central to government services for the foreseeable future.

    AVOIDING A PAPER CHASE IN LOCAL GOVERNMENT

    The London Borough of Merton is tackling the security of paper records from a variety of angles, though records manager Cerys Ledger says, "We're trying to move away from paper working as much as possible, through implementation of an EDRMS [Electronic Document and Records Management System]." Crucially, she has recently carried out a paper audit of the entire council. "From this we now know what paper records we are holding, where they are and who is responsible for them."

    Most information security advice, procedures and policies in the council include mention of paper records, with information about the best way of transporting them and so on. To improve physical access security, the Borough's facilities department has recently installed a new security card system. When fully implemented each person will have to swipe in and out of every door, and the possibility of tailgating others through doors will be eliminated. "The most sensitive paper records (social care and legal) are also held in very secure areas, which only specified people can access unless escorted," Ms Ledger says.

    Storage facilities for old, archived paper records have physical access controls. Access has to be signed off beforehand and a log is made of who has visited. Two people always have to visit together. The most sensitive paper records are stored in locked rooms and are only available to those who need access. Furthermore, Ms Ledger says systems have been established to monitor the whereabouts of paper records. "Both our storage facilities have a system for recording what records are held there and what has been destroyed," she says. "Other teams have systems for monitoring who has taken what paper file, when it was taken and when it was returned."


    Putting policies in place

    As is often the case with security breaches in commercial organisations, it takes a dramatic incident for management to focus on tightening its systems. It is understood that HMRC has trained 90,000 staff in data protection measures in response to the 2007 incident. But internal measures are not enough.

    Governments can face equally embarrassing data losses caused by contractors' poor data protection procedures. As Mr Graham says, "You bear the risk if you outsource."

    To minimise the risk of data losses, government agencies should not only develop a policy that governs the use of data, but ensure that it is effectively communicated to employees and third parties. "If there is no policy, it doesn't work," says Mr Schmidt. "If [security] is violated by employees and it has not been made clear what the policy says, they feel there are no consequences."

    Any individual that falls within the remit of these procedures should adopt them as part of their day-to-day practice. There should also be consequences of failing to follow the policy: for example, each time a junior member of staff is found to have sent confidential private records to an unattended printer and no action is taken, the culture of recklessness simply strengthens. "We need to make sure violation is taken seriously as an offence," says Mr Wills.

    Care should be taken to develop policies that are relevant for and workable by employees working in the field. "It's doubtful how much 'on the ground' knowledge there is in the heads of some of those writing them," says Mr Leoni. If policies are developed in isolation of field workers, there is a clear danger that they can become unworkable and ultimately ignored.

    Policies should also be straightforward, providing clear instructions on how to handle data and outlining what is expected of employees. Training has a role to play, but care should be taken to ensure that this is not excessively frequent or heavy-handed, as the audience will simply become numb to the messages. Instead, organisations could use newsletters, the intranet and even informal canteen meetings with senior security/data protection staff to provide up-to-date information.

    Communication between departments is also important. Mr Graham has found that in governments where data privacy is working well the right people are talking to each other, for instance the data protection officers, information security and more senior staff in the organisations. "There's much more scope for a collegiate approach," he says.

    What has tended to happen (as in the commercial world) is that discussion of new systems takes place between IT and business staff, with privacy staff and HR only brought in later. "They need to sit down together and come up with scenarios," says Mr Schmidt. "For example, how will mobile applications be used by constituents? They need to engage with those who are delivering the service."

    FRENCH GOVERNMENT PUTS PUBLIC SERVICES ON MOBILE DEVICES

    The French government is creating the first portal in Europe for delivering public services on mobile devices. Around 50 services should be available via the portal, named Proxima Mobile, by the end of 2009, according to Bernard Benhamou, head of the French government's Internet delegation. He sees the project, which will include several geo-localised features, as a driving force for new services. It will be developed to cover a range of services that include not only access to e-administration for functions such as job seeking and local community activities, but also information on potential side-effects of the contents of food and medication on users' allergies. Using barcodes and, in the second phase, RFID technologies, users will be able to scan products with their mobile devices to get information and receive warnings of contents.

    Naturally, sending and receiving personal information via mobile devices poses new data privacy threats. "We must develop the services in a safe way for citizens or there could be a backlash that will be very detrimental for the industry as a whole," says Mr Benhamou. A range of issues needs to be addressed, he says, not least of which is preventing information being taken from an RFID chip or a mobile device without consent. "The 'silence of the chips' must be preserved as a fundamental right of citizens," he says.

    Generic Privacy Enhancing Technologies will allow users to protect the privacy of their personal information to give them increased control and to minimise the personal data collected and used. "We will need to be sure that machine-to-machine connection is done in a proper way, and that data is not kept that could endanger privacy," says Mr Benhamou.


    Mr Schmidt highlights the importance of having separate levels of authorisation for viewing and handling data according to the level of detail the individual needs to see. Authorisation need not tie the government department up through overly regulated access: a so-called "master user" can create lower-level identities within the organisation and authorise them to act on his/her behalf, or for trusted sources outside the organisation.

    "Because online crime and espionage are increasing, it is important to improve protective measures and raise the awareness of the Internet users," says Germany's Mr Helmbrecht. Online use of private information demands a network infrastructure with sophisticated cyber-defences for intrusion detection and prevention, and safeguards against malware. Furthermore, the German government is testing the use of biometric authentication and digital signature for online transactions with citizens, he says.

    Risk management and accountability

    Data protection experts highlight the need for stronger risk management processes in the public sector. "It's not more data protection rules that are required, but risk management in individual departments that needs to be established," says Mr Graham. Personal data need to be treated like any other risk, such as health and safety. As part of this, several governments across the world, including the US, UK, Canada and Hong Kong, now advise that official Privacy Impact Assessments should be undertaken in the early stages of any policy implementation where IT and systems are being developed for information-gathering or processing. In Germany, government departments under the IT Baseline Protection scheme of the BSI can be audited and receive a certificate for their IT risk management and security measures, including their treatment of private data, according to Mr Helmbrecht.

    Crucially, too, accountability has to come from the highest levels in a department or arm of government. As part of the cultural change in the UK's Ministry of Justice, Mr Wills is notified of every breach of security, and very senior officials are appointed for data security and protection. Mr Schmidt agrees that the culture has got to come from the top down but warns against an over-zealous approach.

    One of the barriers to greater accountability is the disaggregation of risk management approaches. Among the UK's approximately 400 local authorities, there is a wide variation in management of information. This management often depends on an individual authority's drivers and incentives to implement change in information handling practices, says Mr Leoni.

    Risk management harmonisation could go a long way to cut down protection failures and build both government accountability and public trust.

    CONCLUSION

    The thicket of security and data privacy issues that blocks the path to better digital government services for the future at times seems impenetrable. But there are urgent pressures to clear the way, among them firm EU directives, public demand for better CRM-type service and the imperative to use technology to cut costs. Still more of a challenge is that new opportunities and obstacles keep emerging. Governments have no option other than to press on. "The technology will go on changing, there's no doubt about that," says Mr Wills. "We've got to move forward, enhancing public confidence. We have to improve delivery and to empower the citizen directly."

    Effective measures are available to give sufficient basis for public trust in future services. These include changing culture through education to ensure that civil servants and contractors know the value of the information they are handling and the consequences of abusing it; better engagement of privacy and security staff at the early stages of projects; and using the technique of grabbing only the personal information needed for the interaction, then returning it to source. All this will take time, persistence and skill to develop. Although it is demanding, bearing in mind recent data losses, the electorate will have to give some latitude during this trial-and-error period, and governments will need urgently to find better ways of protecting personal data and convincing the public they are doing so while developing better digital services.


    © 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

    m 2010

