How data leaks can bring down governments

Swedish Parliament building

By Steven McGinty

In July 2017, the Swedish Government faced a political crisis after admitting a huge data leak that affected almost all of its citizens.

The leak, which dates back to a 2015 outsourcing contract between the Swedish Transport Agency and IBM Sweden, occurred when IT contractors from Eastern Europe were allowed access to confidential data without proper security clearance. Media reports suggested that the exposed data included information about vehicles used by the armed forces and the police, as well as the identities of some security and military personnel.

The political fallout was huge for Sweden’s minority government. Infrastructure Minister Anna Johansson and Interior Minister Anders Ygeman both lost their positions, whilst the former head of the transport agency, Maria Ågren, was found to have been in breach of the country’s privacy and data protection laws when she waived the security clearance of foreign IT workers. In addition, the far-right Sweden Democrats were calling for an early election and Prime Minister Stefan Löfven faced a vote of no-confidence in parliament (although he easily survived).

However, it’s not just Sweden where data leaks have become political. Last year, the UK saw several high-profile incidents.

Government Digital Service (GDS)

The UK Government’s main data site incorrectly published the email addresses and “hashed passwords” of its users. There was no evidence that data had been misused, but the GDS recommended that users change their password as a precaution. And although users did not suffer any losses, it’s certainly embarrassing for the agency responsible for setting the UK’s digital agenda.

Scottish Government

Official documents revealed that Scottish Government agencies experienced “four significant data security incidents” in 2016-17. Three out of four of these cases breached data protection legislation.

Disclosure Scotland, a body which often deals with highly sensitive information through its work vetting individuals’, was one organisation that suffered a data leak. This involved a member of staff sending a mass email, in which email addresses could be viewed by all the recipients (a breach of the Data Protection Act).

Murdo Fraser, MSP for the Scottish Conservatives, criticised the data breaches, warning:

These mistakes are entirely the fault of the Scottish government and, worryingly, may signal security weaknesses that hackers may find enticing.”

Hacking parliaments

In the summer of 2017, the UK parliament suffered a ‘brute force’ attack, resulting in 90 email accounts with weak passwords being hacked and part of the parliamentary email system being taken offline. A few months later, the Scottish Parliament experienced a similar sustained attack on parliamentary email accounts. MPs have suggested Russia or North Korea could be to be blame for both attacks.

MPs sharing passwords

In December 2017, the Information Commissioner warned MPs over sharing passwords. This came after a number of Conservative MPs admitted they shared passwords with staff. Conservative MP Nadine Dorries explained:

My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes.”

Their remarks were an attempt to defend the former First Secretary of State, Damian Green, over allegations he watched pornography in his parliamentary office.

Final thoughts

The Swedish data leak shows the political consequences of failing to protect data. The UK’s data leaks have not led to the same level of political scrutiny, but it’s important that UK politicians stay vigilant and ensure data protection is a key priority. Failure to protect citizen data may not only have financial consequences for citizens, but could also erode confidence in public institutions and threaten national security.


The Knowledge Exchange provides information services to local authorities, public agencies, research consultancies and commercial organisations across the UK. Follow us on Twitter to see what developments in policy and practice are interesting our research team. 

Government Transformation Strategy 2017 to 2020: has it been worth the wait?

Whitehall, London

By Steven McGinty

On 9 Feb 2017, and after over a year of delays, the UK Government finally published the Government Transformation Strategy 2017 to 2020.

It’s been a long time since the Government Digital Strategy was published in 2012. Therefore, it’s understandable that politicians, industry leaders and media commentators have been frustrated by the lack of a new strategy in 2016.

In January 2017, Iain Wright MP, chairman of the Business, Energy and Industrial Strategy Committee (BEIS) warned that the UK risked being left behind and losing its competitive advantage in the digital economy because of its ‘absence of clarity and strategic focus’.

Similarly, Stephen Metcalfe, chairman of the Science and Technology Committee, wrote a letter to digital minister Matt Hancock highlighting his disappointment at the lack of a government digital strategy.

However, now that the Government Transformation Strategy is here, what does it say and will it have a lasting impact?

A brief overview

According to Ben Gummer, Minister for the Cabinet Office and Paymaster General, the Government Transformation Strategy is:

“The most ambitious programme of change of any government anywhere in the world, by a government that has already done more to transform itself than any other.”

It sets out the government’s aim to build on the success of the 2012 strategy, and to not only focus on improving the citizen experience but to change the way services are delivered. The strategy states that the government will achieve this by transforming:

  • Whole citizen-facing services – ensuring an improved experience for citizens, businesses and users within the public sector
  • Full government departments – enabling organisations to deliver policy objectives more flexibly, improving citizen experience, and working more efficiently
  • Internal government – supporting the collaboration of government departments and delivering digitally-enabled change more effectively

However, the majority of the strategy is structured around five main objectives:

Business transformation

Government departments have made significant progress over recent years.  The strategy explains that lessons have been learned through this service transformation process, and that there is now cross-government agreement on the key areas that transformation must focus on. These include bringing policy development and service design closer together and recognising that government services are delivered through a variety of channels (online, telephone and face-to-face).

Grow the right people, skills and culture

Since 2012, government departments have been recruiting digital, data and technology specialists to improve their digital capability. However, the strategy accepts that the public sector is working in a competitive market and that recruiting and retaining staff is likely to remain a challenge. Embedding a new culture is also identified as an important enabler of change, with several goals highlighted, including increasing civil servants’ knowledge of digital and improving digital experts’ understanding of government.

The Digital Academy, which was formed in 2014 by the Department for Work and Pensions (DWP), will be transferred (by the end of 2017) to the Government Digital Service (GDS) to create nationwide training opportunities for civil servants.

Build better tools, processes and governance for civil servants

Civil servants vary widely in how they work, including the digital technologies they use and their approach to policy development. The new strategy explains that the government will create a better working environment by developing common and interoperable technologies that can be shared across government and adopt a more agile working environment.

Make better use of data

Data is vital for providing services that meet the needs of citizens. However, the strategy emphasises that the government must earn the public’s trust in managing data safely, securely, and ethically.

Create shared platforms, components and reusable business capabilities

The government has already had some success in introducing shared platforms, such as GOV.UK – a publishing platform which brought together over 300 government agencies’ and arm’s length bodies’ websites within 15 months. The strategy outlines the steps to be taken to encourage the development of new technologies, including leaving large single contracts with IT firms – a practice which is deemed a barrier to providing better technologies for civil servants – and purchasing from a wider variety of suppliers, such as SMEs.

From digital to transformation

It’s important to note that the strategy’s title has changed: from a digital strategy to a transformation strategy.

Jane Roberts, strategy director at Kable, suggests that this reflects the government’s realisation that digitisation is not a process with a defined end date, but a ‘constant dynamic ongoing process.’ Government, says Roberts, now understands that digitisation involves more than just moving services online, and that whole scale change is needed, from encouraging civil servants to work more collaboratively (including sharing cross-governmental data), to digitising back office processes.

In addition, Roberts also highlights the need for digital services to be designed to cope with this dynamic process. This includes supporting the integration of new technologies – particularly those related to the Internet of Things (the use of internet technology to connect everyday items) – and responding to increased citizen demand for greater control over their personal data.

What does it mean for local government?

The Government Transformation Strategy makes no comment on the challenges facing local government. However, London Borough of Camden councillor, Theo Blackwell, suggests that the strategy leaves scope for a ‘digital settlement’ to be developed between central and local government. He observes that the strategy:

leaves the door open for this discussion to be starting and concluded in short order, kickstarted by elected mayors and combined authorities in May 2017, and building on the groundwork of the last two years”.

Mr Blackwell also sets out what needs to be done to achieve this digital settlement:

  • Support the ‘coalition of the willing’, as well as improvement – encouraging local councils who have already made progress with digital transformation to work together, as well as helping struggling councils to improve;
  • Open platforms and a new market for start-ups – enabling the development of platforms and smaller start-up companies;
  • Shared Resource – developing partnerships between local councils and central government, which fund digital initiatives jointly.

Missed opportunity

The strategy has also received a significant amount of criticism for its lack of detail and limited commitments. Independent digital analyst, Jos Creese, has described the strategy as:

“…a mix of re-packaged principles and refreshed ‘transformational government’ themes, coupled with some new but not revolutionary ideas.

Creese argues that there is a general lack of pace with government programmes, such as with GOV.UK Verify – an identity assurance platform that allows people to prove who they are when using government services. And – unlike Theo Blackwell – Creese believes that the lack of collaboration between central government and the wider public sector is a missed opportunity (particularly as 80% of public services are outside central government). In his view, the strategy should have addressed some of the fundamental challenges facing local services, such as healthcare and crime prevention.

Final thoughts

Although the Government Transformation Strategy has received a mixed response since it was first published, there are certainly positives which provide hope for the future. Firstly, it was important that the strategy was finally published to provide a clearer indication of the government’s future direction.  Secondly, in the coming months, the government will have the opportunity to provide greater clarity, and set out how they intend to achieve the praiseworthy objectives of the strategy and realise the full potential of digital transformation.


Follow us on Twitter to see what developments in public and social policy are interesting our research team. If you found this article interesting, you may also like to read our other digital articles

Government as a Platform: a new way of thinking about digital transformation

Multi-coloured blocks on the table, with a green dinosaur

By Steven McGinty

The term ‘Government as a Platform’ (GaaP) was coined by Tim O’Reilly, a technology entrepreneur and advocate.

The Government Digital Service (GDS), the body responsible for UK Government digital transformation, has started to introduce ‘platform thinking’ to government services. However, according to a survey carried out in February, three-quarters of civil servants hadn’t heard of or didn’t understand ‘Government as a Platform’. This may be concerning for government, whose efficiency programme greatly relies on successful digital transformation.

On the blog today, I’m going to reflect on the concept of ‘Government as a Platform’, as well as outlining its adoption in the UK.

The ‘gubbins’ of government

Mark Foden, an organisational change strategist, explains the platform-based view of government in a simple (and humorous) video.

In his view, government has traditionally been made up of independent departments, providing services such as benefits, pensions, and tax. These services use bespoke technology provided by large technology companies, over long contracts.

However, the platform based-view is different. He illustrates this by splitting a government department into three sections:

  • Levers and dials – the part of the service the user interacts with (e.g. websites and mobile apps)
  • ‘Gubbins’ – in simple terms, it’s the common capabilities (e.g. checking identity) and the bespoke services (e.g. calculating tax) that government services need to function
  • Machinery – the fundamentals of technology (e.g. mainframe computers, storage, and databases)

Foden explains that a key element to platform thinking is the ‘gubbins’ section. Advances in technology now make it possible to untangle these ‘gubbins’ government services, without affecting others. In practice, this means that common capabilities used by government, such as making payments or checking identity can be developed and used across departments. Websites can also be shared to create consistency across government digital services – a sort of ‘brand government’. This approach limits the number of bespoke services developed in ‘silos’ (or within departments).

Additionally, having this separation between common capabilities and bespoke services also presents opportunities to involve a greater number of suppliers.

Potentially, this approach could be worth £35 billion in savings across government.

Organising Government as a Platform

Mark Thompson, senior lecturer in information systems at Cambridge Judge Business School, suggests three principles to enable Government as a Platform to succeed:

  • gradually moving towards more common capabilities and reducing departmental bespoke services
  • developing common capabilities across the public sector must be a priority for digital transformation
  • optimising the relationship between common capabilities and bespoke services within government departments

The UK approach  

GDS

A widely used definition by the GDS is that digital government should include:

 “a common core infrastructure of shared digital systems, technology and processes on which it’s easy to build brilliant, user-centric government services.”

GOV.UK was the first attempt to transform how the UK does government. Launching in 2012, the publishing platform brought together over 300 government agencies and arm’s length bodies’ websites within 15 months. Replacing DirectGov and Business Link alone saved more than £60m a year. Early testing also showed GOV.UK was simpler for users, with 61% completing tasks on the new Business Link section; compared to 46% on the old website.

GOV.UK Verify has also been introduced – an identity assurance platform which allows people to prove who they are when using government services. The common service is the first of its kind and is being used by organisations such as HM Revenue & Customs (HMRC) and the Department for Environment, Food & Rural Affairs (DEFRA) to build new services.

More recently, GOV.UK Notify, a service which sends text messages, emails or letters, has sent notifications to its first users. GOV.UK Pay also just secured compliance with the Payment Card Industry (PCI) Data Security Standard.

NHS

Although the GDS have taken the lead on platform thinking, the NHS launched NHS Jobs, a shared recruitment service, in 2003. The service has been remarkably successfully, generating over £1 billion in savings.

Mark Thompson suggests this is because of its platform approach. The Department of Health (DoH), working alongside Methods Consulting, convinced over 500 NHS employers to give up their own recruitment services and to make use of this common capability. The website is the biggest single employer recruitment site in Europe, with one unique visit every two seconds. The service has also become a valuable commodity with suppliers willing to provide the service at near cost, and compete on providing innovative services. The creation of this high quality recruitment service has therefore become a spur for innovation – something which is at the heart of Tim O’Reilly’s work on Government as a Platform.

Local government

Adur and Worthing council have recently taken a platform approach to their digital transformation. Paul Brewer, digital lead for the council, notes that it was struggling on several fronts, including IT outages and systems replicating inefficient paper-based processes.

To solve this problem, the council went through a capability mapping exercise. They identified departments which had common functions, such as undertaking case management, taking payments and booking appointments for customers. With this roadmap, they developed a CRM system to manage customer interactions (including social media), and purchased a platform which supports the creation a range of new IT products. The new approach enabled the council’s waste management service to support full mobile and remote working. Within a year, the department saved £20,000 on software and the equivalent of 1.5 staff members.

Interestingly, the council did not built their own platform, on the GDS model. Nor did they purchase an inflexible technology. Instead, they chose a third way by purchasing the building blocks of capability, and controlling where the capability was slotted in.

Final thoughts

The lack of knowledge about Government as a Platform within the civil service is somewhat disheartening. However, the GDS has introduced many new approaches to government and shown practically how they can work. Projects such as GOV.UK and GOV.UK Verify have been well received and countries such as New Zealand have looked towards the UK for their own digital transformation.

In August, the UK was ranked as global leader for e-participation on the United Nations E-Government Survey, ahead of Australia and South Korea.


Follow us on Twitter to see what developments in public and social policy are interesting our research team. If you found this article interesting, you may also like to read our other digital articles. 

Is the Freedom of Information Act ‘working effectively’?

Wall with the words 'Freedom Street'

Image by Kevan via Creative Commons

 

By Steven McGinty

In July, Parliamentary Secretary for the Cabinet Office, Lord Bridges, announced that there would be an independent cross-party review on Freedom of Information (FOI).

The UK’s FOI Act was introduced in 2000 (in Scotland, FOI legislation came into force in 2005). The Act requires public bodies to publish certain information about their activities and to respond to requests for information from the public.

Since its introduction, the FOI Act has facilitated the release of information from across government. The most high profile releases have involved MPs’ expenses and correspondence between British diplomats ridiculing the notion of a widespread increase in migration from Poland to the UK, once they joined the EU.

Lord Bridges explained that the review would focus on three main issues:

  • whether there is an appropriate balance between having a transparent and accountable government and the need for sensitive information to be protected;
  • whether the Act adequately recognises the need to have a ‘safe space’ for policy development and implementation;
  • whether there is an appropriate balance between the need for public access to information and the burden on public bodies of providing this.

However, is this review really necessary?

Over recent years, a number of public figures have voiced their concerns over the Act. Even the man who introduced it, former Prime Minister Tony Blair, has stated that he was a “naive foolish, irresponsible nincompoop” to introduce it. He also suggested that it undermined “sensible government”.

Similarly, the former head of the Civil Service, Lord O’Donnell has argued that the requirement to release Cabinet minutes risked preventing “real discussions” between ministers.

There has also been discontent from local government, struggling to shoulder the financial cost of the Act. For instance, Ken Thornber, leader of Hampshire County Council, stated that:

We spent £365,000 in 2010 answering freedom of information requests. What else could I do with that money? More social workers, more school inspectors, more spent on road maintenance.”

Although clearly frustrated by the Act, he doesn’t suggest withdrawing it. Instead, he proposes the idea of a £25 charge. His hope is that this would deter individuals from making ‘frivolous requests’.

In the 2010, University College London’s (UCL) Constitution Unit estimated that the cost of FOI requests for local government was £31.6 million. It also highlighted that civil servants spent 1.2m hours responding to nearly 200,000 requests.

Safeguards already exist

However, the review also has its opponents. For example, Sir Tim Berners-Lee, founder of the World Wide Web, has attacked the government’s decision. In particular, he criticises the UK Government for using its position at the top of the World Wide Web Foundation’s Open Data Barometer (annual worldwide survey of open government) to justify the review.

Anne Jellema, Chief Executive of the World Wide Web Foundation, has also added her disapproval. She explains that the UK’s position at the top of the Open Data Barometer should not be an excuse to undo the progress that has been made. In addition, she claims that the government is behind European countries on other transparency and accountability issues, such as state surveillance and freedom of the press.

The Campaign for Freedom of Information has raised concerns over the review panel. It highlights that there are no panel members with a proven commitment to transparency. Currently, the five person committee consists of high profile political figures, such as former Conservative Home Secretary Michael Howard and former Labour Foreign Secretary Jack Straw.

The Act has been praised for holding public bodies to account. For instance, the Daily Telegraph discovered that local authorities spent £2m on hotel bills over just 3 years, including stays at the Four Seasons in New York.

There are also those who maintain that safeguards are already in place. For example, section 35 of the Act provides a qualified exemption, which limits the release of information to the public. This safeguard is explicitly aimed at protecting the policy-making process.

A key challenge for any state is to strike the appropriate balance between effective governance and public accountability. Yet, with so many differing views, universal agreement is unlikely.  Therefore, no matter the outcome of the review, it’s likely that this debate will continue.


Further reading: