Electronic government sounds attractive, with its promise of convenience, reduced costs, and enhanced data quality. But horror stories of leakages of personal information from government networks do not engender trust, which is the very thing required for citizens and business to switch to online channels.
In an ideal world, all organizations would take a holistic approach to risk management. They would weigh costs and benefits while keeping an eye on legal obligations. We know this does not happen; some aspects of public administration seem to escape the glare of risk analysis altogether. One suspects that this is particularly the case with website development and maintenance.
Many governments have enacted information privacy laws with a view to protecting personal information, much of which is acquired from the population under compulsion. If government agencies adhere to privacy laws while developing e-government solutions, then it is likely that their citizenry will increase its reliance on online government resources, safe in the knowledge that their data has been protected.
Victoria, an Australian state, enacted an Information Privacy Act in 2000, which has ten Information Privacy Principles (IPPs) based on the Organisation for Economic Co-operation and Development (OECD) model. The principles cover a broad range of factors, with IPP3 (Data Quality) and IPP4 (Data Security) being at the forefront of website considerations. Privacy Victoria gives prominence to the IPPs in all its publications, which are available at www.privacy.vic.gov.au.
One important function of the privacy commissioner is auditing how personal information is handled by government agencies. An initial audit of 100 websites was conducted in 2003 using a combination of automated analysis through Watchfire® WebXM™ and manual analysis of privacy statements. The overall results were fairly disappointing. While the majority had privacy statements, few were sufficiently helpful to visitors wanting to know how their privacy rights were protected.
The automated tool also revealed more serious deficiencies:
- Unsecured transactions, with personal information not protected by any form of encryption.
- Few explanations of the risks inherent in using the Internet.
One reason for focusing on websites is that they are freely available public resources. Hence, they can be readily tested for compliance with a government’s own privacy laws. Also, if agencies cannot protect privacy on their own websites, then what are the chances that they will get it right for electronic voting and smartcard-based services?
However, perhaps these negative findings can be blamed on the entire website culture:
- Websites have been around for a long time now (well over a decade), and do not excite management as they once did.
- They began life as simple information-based sites, with more sophisticated and privacy-sensitive transactions and applications added over time. Evolution rarely excites as much interest as revolution.
- Publishing and managing websites is often not the responsibility of IT departments, but rather, corporate communications or marketing. These organizations are not as knowledgeable about security as information technology groups.
Where there is a history of website publishing being conducted with little regard for IT security measures, then it is likely that inadequate risk assessment has been done. Encryption methods such as Secure Sockets Layer (SSL) are cheap and easy, but the audit found that they were rarely used.
A follow-up audit was conducted in 2005, with many of the same websites revisited. The Privacy Commissioner was heartened by the overall improvement, partly because this indicated that agencies were responding to the audit findings (“the stick”), but also because they were absorbing the message about building trust (“the carrot”). Some that demonstrated a commitment to secure e-government were singled out for commendation.
While most categories saw a marked improvement, it was still disappointing to find that most transactions involving personal information remained unsecured and that there were still poor performers, some of which fared worse than in the previous audit. This was unacceptable and somewhat puzzling given that solutions are so straightforward.
One problem might be that the website privacy audits have not applied punitive measures to date. Although the Privacy Commissioner can order organizations to comply if serious breaches of the IPPs are found, this is rarely done. Instead, Privacy Victoria uses a variety of techniques to make compliance easier. Among our many publications is a guide for conducting Privacy Impact Assessments (PIAs). A PIA, a risk assessment used when personal information is involved, can be conducted separately or as part of an overall risk assessment plan. Whatever path is chosen, it can reduce an organization’s exposure to formal privacy complaints.
Another way to increase compliance with privacy guidelines is the “court of public opinion.” If the public, supported by media interest, finds that e-government is unsecured and intrusive, then they will avoid the online channels on offer. Counter staff and mail rooms will remain the busiest hubs and operational costs will stay high.
As governments become increasingly serious moving to online channels, they must do so without compromising the privacy of citizens. If they cannot get it right with websites, what faith will the public have in major undertakings like identity cards embedded with biometrics?