Govt needs a more dominant digital czar
Our Government has been recognised as one of the most digitally advanced in the world, but it has some very real issues to consider about the efficacy and security of its online services and data collection, writes Peter Dunne.
The controversy swirling around the Ministry for Culture and Heritage in the wake of revelations that the privacy of more than 300 people has been breached by the inadvertent release of a number of their personal details raises much bigger questions about the way in which the Government is managing the vast amount of personal data that it is collecting.
The Ministry of Culture and Heritage breach is not an isolated incident.
Sadly, there have been many similar breaches over recent years in a number of different government agencies, suggesting that the issue is a deep seated and systemic one, rather than isolated to those individual agencies. While the current incident will be undoubtedly be thoroughly investigated and appropriate findings made in due course, that process of itself gives little assurance there will not be similar incidents elsewhere in the future.
The last decade has seen a revolution in the collection of and use by governments of citizens’ personal data, and the rapid expansion of the use of digital platforms to deliver a range of government and other public services.
New Zealand has been at the forefront of these developments. We were one of the five countries (along with Britain, Estonia, Israel and South Korea) that established the D5 group of the world’s leading digital governments in 2014, and have played a strong role within the group (now expanded to be the D9 – including Canada, Mexico, Portugal and Uruguay) since then.
In 2017, the prestigious Fletcher Business School at Tufts University rated New Zealand at the top of the list of digitally advanced governments in the world.
There is little doubt that the development of online government services has made the interaction between citizen and government so much easier in recent years. Now, transactions like tax returns, passport renewals, social assistance services, to name but a few, can be carried out online at a time and in a manner convenient to the citizen, with a minimum of fuss.
Overall, more than 70 percent of government services are being delivered online, and that number will grow steadily.
However, its continued success relies on the implicit co-operation and trust of individual citizens.
In a free society, data collection can only work when citizens have confidence that their personal data is being collected to enable government services to be tailored to their specific needs, and when they have trust that the data so provided will be both respected and secured by the Government and not used for any purposes other than that for which it was provided.
In essence, they are giving over their personal data to the Government to use beneficially on their behalf, not to become part of a wider Government data pool to be accessed by the Government for other purposes without the expressed consent of the individual.
The relationship between the Government and the individual in these circumstances is an extremely delicate one. It exists primarily on the basis of the individual’s consent. If that is disrupted in any way, and continued individual consent threatened, the whole system could collapse dramatically.
While the advantages of digital service provision, and the general march of technology elsewhere make that unlikely, incidents like the Ministry of Culture and Heritage case pose very real threats to ongoing public confidence in the data collection and storage process.
Aside from the specific investigations now underway, there are some very real issues for the Government and its ongoing role in ensuring the efficacy and security of its online services and data collection.
The government official with primary responsibility in this area is the Government Chief Digital Officer (formerly the Government Chief Information Officer), a role held in tandem with that of chief executive of the Department of Internal Affairs.
The GCDO is responsible for setting digital policy and standards; improving investments; establishing and managing services; developing capability; and, system assurance.
The emphasis in the role to date has been more in the digital policy and standards space, than on the establishment and management and services, which has been left more to individual agencies to carry out, consistent with overall policy and standards.
... the Government Chief Digital Officer role ... must be brought out of the operational shadows, and more into the mainstream of government business.
Over the years, many agencies have developed their own digital services approaches, often with little direct input, other than general advisory services, from the GCDO or his predecessor. This is simply because of the way in which government agencies have functioned to date, where they have enjoyed a large measure of operational autonomy, and is not a reflection on the GCDO or the GCIO before him.
A classic example is the massive IT restructuring project going on within the Inland Revenue Department since 2012, which has been primarily carried out and overseen by that Department itself, with limited oversight from the GCDO, consistent with the Cabinet mandate of the time. Yet is the biggest government information technology restructuring of recent times.
However, it may now be time for a change. The magnitude and prevalence of government online services here and abroad are exploding rapidly, and the risk that consequentially there may be more incidents like the Ministry for Culture and Heritage affair to erode public confidence in and co-operation with the emerging system.
There will need to be a greater emphasis on the GCDO’s function of establishing and managing services, to require both that all government online services meet security and data collection standards set by the GCDO, and that agencies currently lagging in the provision of online services – Police and Corrections would be good examples – are brought quickly and efficiently into the fold.
Overall, the GCDO’s role needs to become more obvious and dominant. It must be brought out of the operational shadows, and more into the mainstream of government business.
Assuring the security of individual data, and the capacity of the system to guarantee that has to be a priority, and there needs to be a regular reporting process to provide that public reassurance.
Similarly, where proposed government actions in one area have a potential to restrict online actions in another, the GCDO needs to be in a position to point that out. For example, attempts by a government department to use anonymised data for unrelated policy development work, as was attempted infamously in the past, need to be able to be called out as a breach of the trust and consent of those who provided that data in the first place. As it should when agencies seek to obtain more information than is actually required “just to be on the safe side”, or information that is already held elsewhere in the government system.
Those directly affected by the Ministry for Culture and Heritage breach have every right to expect redress and a formal official apology. But the matter cannot end there. New Zealand’s credibility as one of the most digitally advanced nations in the world is on the line.
Just as we like to front up to the world on issues like the “Christchurch Call”, which we see as positive initiatives, maintaining our credibility as one of the world’s leading digital nations, we also have to be prepared to front up the same way when the Government’s own systems fail to protect our citizens, and to be prepared to take the tough decisions necessary to secure and maintain public confidence.