Trusting government with our information


Social media platforms contain a dizzying amount of personal information about us, but we have some choice on which services to use and what information to set free into that sphere.

Generally, one can use a social media service without first supplying information useful for identity theft to its faceless provider. In this arena, the service user has some idea of how much to trust a social media brand such as Facebook or Google+ with personal information, given media outcries over security breaches and the provider's privacy policy.

This is not so with government at national, provincial and local level, or with the services it supplies. Often, the user has no choice of provider. Government holds the expected monopoly over many services - gathering taxes, registering businesses, as well as supplying education, healthcare and social grants for the majority of South Africans.

The service user also has no choice in what personal information to supply, much of it tailor-made for fraud, should it fall into the wrong hands. There is usually no simple way a citizen can tell what security measures government and public bodies as well as their private contractors have implemented around the informed consent, gathering, updating, sharing, further processing and destruction of their personal information.

However, there are a few things citizens can be sure about. Firstly, SA is losing international trade and job opportunities as long as we speak of the Protection of Personal Information (POPI) Bill but don't enact it and comply with it. Yet protecting personal information has been on the local agenda since 1996, when the Open Democracy Bill was drafted. Call centres and business process outsourcing go to countries such as India, which comply better with international privacy legislation such as that of the European Union (EU).

The EU has had its Data Protection Directive in place since 1995, a time when mobile Internet and social media did not yet exist. A few months ago, an EU framework document proposed amendments to take recent technology developments into account. One good thing about POPI being so late is the opportunity to learn from both EU and US legislation, before enactment.

Inadequate controls

Secondly, many government services can be managed far more efficiently using appropriate IT, and providing Internet access to citizens and departmental offices. SARS is the prime example. However, the information security around such a service needs to be top-notch, or else the departments' systems become sitting ducks for fraudsters.

Thirdly, each person in this country lives with their confidential personal information spread over many government systems: for taxes at SARS, on RICA and FICA registration systems, at Home Affairs for fingerprints, passports and identity documents, at provincial and local government for driver and vehicle licences and utility bills, just for starters. Worse, many government systems consist mostly of paper, whole warehouses full, in some cases.

A recent example of yet another government system demanding personal information is the Gauteng highway e-tolling system. To register for an e-tag, one needs to supply home address, identity number, phone number, bank account number and a host of other information.

Fourthly, the Auditor General reported in January, in its 'General report on national audit outcomes 2010-2011', that the vast majority of government departments and public bodies have problems implementing adequate general information security.

Specifically, the report notes that 'Information security controls aimed at the prevention of unauthorised access to the networks, operating systems and application systems that prepare financial information were inadequate at 81% of the departments'. For public bodies, 92% had inadequate controls.

Fifthly, government in all its facets will be answerable, as is private industry, to the principles in the POPI Bill as soon as it is enacted and its expected grace period for compliance expires, probably sometime in 2013.

The Bill provides for an Information Regulator, along the lines of the Public Protector, and will be the first piece of legislation in SA to make information security a legal requirement. The Bill covers information about people and businesses, and processing of personal information in paper and electronic formats.

While government can apply for exclusions from POPI, an easy way out is unlikely.

"Public bodies may apply for exemptions, but this will likely only relate to specific provisions of the Bill and not apply as wholesale exemption from compliance with the law in its entirety," says Preeta Bhagattjee, national practice head at DLA Cliffe Decker Hofmeyr, via e-mail.

"Further, an application for exemption can only be granted if it satisfies certain requirements, including that the public interest in processing to a substantial degree outweighs the interference in the privacy of the data subjects in question."

Examples of public interest trumping personal protection would include the prevention, detection and prosecution of offences, she says, or economic and financial interests of a public body. But where public bodies process 'special personal information' and information about children, different standards apply.

How ready?

There is a big compliance burden created by other legislation already. Private industry, much better placed than government to implement compliance, will still find POPI an expensive and complex exercise.

All of which raises the question: how ready is government, the biggest service provider in the country, to earn trust from potential global trading partners and its own citizens by demonstrating its POPI compliance?

"POPI compliance will be a huge mountain [for government] to climb," says Jan Bouwer, an MD at Accenture's South African health and public service operating group.

"Outside SARS, government at national, provincial and local level is generally not doing well. They just do not have the capacity or capability to carry out this protection at this stage. It is going to be very problematic. At the lowest level of government, over 200 municipalities have minute IT budgets, a lot of what they do is manual, and the skills are not at the level needed to plan compliance."

Adds Bhagattjee: "As most public bodies would deal extensively with personal information, it is likely that most will have to look to amending their respective business processes, engagement mechanisms with citizens or subjects and will need to implement policies and procedures and train their staff in regard to compliance with this law."

All the personal information that government in its many guises holds on to is vulnerable to systemic IT problems. But enacting the Protection of Personal Information Bill, and then complying with it so information is secure, up to date, and only used for rightful purposes, will place a huge burden on government at every level. Turning all of government IT into a 'trusted with information' brand will take some doing.

Quiet progress

For government to enact and comply with POPI, its systemic weakness in information security will have to be addressed. There are some signs that government IT ability is improving slowly.

Make a plan

In a nutshell, says Preeta Bhagattjee, national practice head at DLA Cliffe Decker Hofmeyr, public bodies should be:
1. Getting prepared for the POPI Bill.
2. Ensuring they have budget to implement programmes to achieve compliance with the Bill.
3. Carrying out a due diligence in all areas within their responsibility which is impacted by the Bill, and preparing a plan with steps needed to achieve compliance.
4. Considering the process for engaging with citizens and implementing changes, including changes to consent forms.
5. Preparing privacy policies.
6. Preparing retention and destruction policies.
7. Adopting security protocol standards to apply when using and processing personal information.
8. Implementing processes to ensure that databases containing personal information are updated in accordance with the provisions of the Bill.

Information security skills in government are improving because vendors provide training. And the vendors themselves have better skills available locally nowadays, says Rajesh Maharaj, CA Security for public sector at CA Technologies. He reckons both SITA and government departments evaluate technologies better than before.

In his previous capacity as CIO at Home Affairs, Maharaj drove the department's IT turnaround for a year from 2008 to 2009. He delivered improved business process management, data quality and reduced processing times for identity books and passports.

"Government has struggled in the past to get the right people within the budget they had," continues Maharaj.

"Now they are being very strategic about the people they use. Most of all, they are getting people who have a background in security and enterprise architecture, changes in technology, as well as implementation and sustaining it afterwards. It's not like they just put out tenders, take on a new technology and it flops. They are really going through each with a fine-tooth comb to see if this is the correct technology, what the interoperability is like, and how they will be able to sustain it."

But the good work being done today will only be seen by the public in the medium term, he says.

"Technologies can be put in [a public sector organisation] within six months. But assuring that the people working in that environment adhere to proper governance will take time. The public will see [the improvements] in five years' time.

"We see young people in government who are much more IT-friendly, but ultimately, it's still about the private sector assisting the public sector. The frameworks and governance models adopted in the public sector are very different. The quicker the private sector appreciates government's wide enterprise architecture and processes, and start working with them, the better. We see that happening now, slowly but surely."

One man, one database entry

The POPI Bill's requirements pull together privacy, security and e-government in a way that exacerbates existing IT challenges for government. Specifically, principle five about information quality requires reasonable steps to ensure that information is complete, accurate, not misleading, and up to date. But how can that happen when one person's information is duplicated in so many government systems?

"Our biggest problem is we haven't started identifying the needed core data about a person," says Bouwer.

"The population register system records all people, from birth to death. All of government needs to access that information, and must make sure it is pure. On the back of that you could then pay your taxes, get your grants, and apply for a licence or an ID."

Bouwer acted as client executive when Accenture was contracted to implement customer relationship management applications for SARS. Among other things, the project introduced a modern electronic filing and payment system at the department.

What's needed, continues Bouwer, is a strategy across government that sets out which data elements are needed and who will own which data. For example, in this data-sharing scenario, Home Affairs would own citizen information and the South African Social Security Agency would own information about social grants.

"But that information-sharing is not happening. We've got departments building their own silos, their own little databases, accumulating information about citizens on their own. That is where the risk will be for the POPI Bill. Because they're not going to implement the best security and firewalls, they don't have the capacity. As long as we have all this personal information duplicated across government, there is the risk that those agencies will expose themselves to POPI non-compliance."

Specifically, meeting POPI principle five, which calls for information to be up-to-date and accurate, becomes almost impossible to achieve, he says. And because effort will be duplicated, implementation will be very expensive.

Which leads one to the conclusion that POPI compliance may only be possible for government once information is consolidated and shared in significant ways between departments, which is a stupendously complex and costly project to undertake.

Such a project would also make e-government more user-friendly. Bouwer says it makes more sense to log into South African government systems in just one way.

"As a citizen, if you sign onto SARS, you want to use the same type of authentication and identity management when you sign in for Home Affairs to apply for an identity document and passport, or sign in to local government to find out what your utility bill looks like."
