Rachel Finn and Tally Hatzakis of Trilateral Research discuss the future of securing citizens’ privacy by public institutions.
Following the signing of the Tallinn Declaration on 6 October 2017, speeding up the implementation of a Digital Europe has gained a new momentum, paying special attention to the openness, transparency and citizen-centricity of digital, public services. It recognises the need for citizen participation in the design and delivery of eGovernment solutions and, thus, for a set of measures and tools that encourage citizens’ buy-in. These should include:
- user-friendly interfaces, attractive to citizens;
- responsive organisational processes, indicating the governments’ consideration and commitment to citizens’ feedback;
- tools that allow for two-way interactions, such as web forums, discussion spaces, social media, and innovation platforms;
- transparent mechanisms of processing citizen input and feedback that demonstrate how their voices have been considered;
- use of both offline and online channels of communication, to ensure equal opportunities for those with no digital access; and
- citizen engagement modes ranging from anonymous to fully authenticated, to manage security and privacy risks.
These are some of the next steps in the transition to Open eGovernment, documented in the H2020, EC-funded CLARITY project Blueprint (see https://clarity-csa.eu). The CLARITY Blueprint sets aims that will support citizen understanding of eGovernment tools, their purpose and the ways in which their information is processed in order to consent to and engage with the process.
No matter what the future of Digital Europe holds, securing citizens’ privacy will play a key role in their acceptance of new eGovernment practices. Given the sinister implications of privacy harms, securing the privacy of citizens is a must both now and in the future. Aside from a wide range of practical implications (such as loss of assets, denials of service, discriminatory pricing, etc.), privacy infringements can violate individuals’ fundamental needs for self-definition and autonomy, their ability to regulate personal relationships and their social image. These violations of fundamental civil rights are detrimental to society and the relationship between society and governments. Hence, cybersecurity attacks and even negligence or institutional malpractice can compromise governments’ ability to regain and maintain trust in public institutions.
Regulation and recommendations
A number of regulations and standards will contribute to better privacy protections. The prioritisation of EU’s Regulation [N°910/2014] on eIDAS (electronic Identification, Authentication and Security) for electronic transactions in the internal market; the imminent General Data Protection Regulation (GDPR) [2016/679] as of May 2018; and the development of ISO standard [27001] which will provide practical guidelines for practitioners with regard to the management of personal data, are just few examples. In this policy context, the implementation of the once-only principle, the re-use of the Digital Service Infrastructure building blocks, the interoperability of API’s and open data are core to ensuring easier re-use and scaling of solutions across cities and countries.
Rachel Finn of Trilateral Research, and CLARITY’s project co-ordinator, said: “While regulations and solutions go some way towards ensuring data privacy and boosting cybersecurity, protecting citizens’ personal data will always depend on institutional practices. Governments need to tackle the challenges new technologies are posing while modernising their services. The call of the Tallinn Declaration for more co-ordination across countries and for greater adoption of new cybersecurity and privacy solutions indicates just how much remains to be done.”
The extensive research undertaken in the two-year CLARITY project recommends that solutions to this problem should be tackled from multiple angles.
A fraud-free future
On the one hand, government officials responsible for deploying applications should remain at the forefront of cybersecurity to ensure that government applications are reliable and tamper-proof. Advanced authentication mechanisms should be put in place to ‘catch out’ identity thieves and prevent them from infiltrating public services. The use of citizen eIDs can make cybersecurity issues easier to deal with. For example, the Austrian Chipkarte is an e-card system that connects patients, providers, hospitals, and pharmacies. Similar cards in Belgium and France enable direct settlement of certain medical costs or reimbursement. Reliable and accurate recovery of lost data and cross-checking information will also play an important role in mitigating negative impacts of cybersecurity incidents.
Moreover, solution providers need tools that address protection and prevention as well as detection and response. “So far, both institutional and technical solutions have traded-off privacy for security, where security is guaranteed via more monitoring of citizen’s behaviour and transactions. We need to move towards new solutions that reconcile privacy and security to ensure trust in public institutions. This is reflected in one of the key principles of the recent European Agenda on Security. It is a fundamental key step towards rebuilding trust in the competence and care of public institutions” says Tally Hatzakis, CLARITY project manager. Systemic institutional solutions should be developed. To this end, the EU will invest up to €450m of H2020 funding between 2017-2020 to pursue cybersecurity research and innovation. Only full-service cybersecurity tools can adequately cover the privacy, data protection and cybersecurity requirements of applications providing essential government services. This is especially true for services catering for vulnerable members of the community.
Finally, adopting new cybersecurity and privacy management tools requires a mindset change in the public sector. Privacy-by-design should apply not only to technological solutions but to the redesign of end-to-end processes of service provision. Governments need to review information management processes at the operational level across the value ecosystem to better understand challenges and safeguard the privacy and security of citizens’ information by civil servants and staff in outsourcing companies. It also requires a closer look at cybersecurity requirements during use case development to better understand the risks arising from citizens’ direct interaction with applications and systems. This will require making cybersecurity and privacy everyone’s business with implications for application design, employee training, intelligence gathering, emergency responses and internal policies, to effect the required behavioural changes.
The CLARITY project is funded by the European Commission’s Horizon 2020 framework – Grant Agreement number: 693881. Cybersecurity, privacy and other emerging solutions relating to the digital transition of the public sector are captured in CLARITY’s blueprint now open for public consultation. To leave your comments, visit: http://clarity.oeg-upm.net/blueprint/
Rachel Finn
CLARITY Project Coordinator
Practice Manager
Trilateral Research Ltd.
Tally Hatzakis
CLARITY Project Manager
Senior Research Analyst
Trilateral Research Ltd.
https://clarity-csa.eu/
https://trilateralresearch.co.uk/
This article will appear in Pan European Networks: Government 24, which will be published in January, 2018.