Digitalization is in full swing in government. We see this reflected in digital actions such as changing personal data with electronic identifiers (eID), digital signatures and surveillance with smart cameras. The great advantage of these applications is that the government can operate more sustainably and efficiently and that citizens can be more involved in government initiatives. Along with benefits also come risks, forcing governments to obtain certainty about the future, or "future control," in digitization projects. What impact does digitization have on the government and how can the government shift its focus from past control to future control?
With the digitization of government, also known as digital transformation, the risks of cybercrime are increasing dramatically. We see this, among other things, in the Internet Organized Crime Threat Assessment (IOCTA, 2020) by Europol, the Cybersecurity Assessment (2020) of the National Cyber Security Center (NCSC) and in practical examples, such as the recent ransomware attacks at the Hof van Twente municipality.
In practice, we see these risks leading to caution, with governments shunning the use of privacy-sensitive information and missing out on digitization opportunities. Recently, a large municipality was fined by the Personal Data Authority for its use of WiFi tracking. Because improper use of wifi tracking had been made, it was possible to track individual visitors. This is not allowed under the AVG, so a fine was issued.
To still take advantage of digitization opportunities, it is important to shift the focus. Where previously the focus was on 'past control', in other words, assessing the past, in digitization projects it is important to have certainty about the future, in other words, 'future control'. This requires governments to take a new look when applying digitization projects, in which Privacy by Design and Security by Design are an essential part. The principles of these methods ensure that the design of an application takes into account the security of information and personal data. This does not mean that privacy and security requirements must be safeguarded only in the design phase. The example of the municipality shows that personal data security was considered in the design of WiFi tracking. Indeed, the tracked phones of visitors were pseudonymized, meaning that an algorithm replaced the identified data with encrypted data. However, during the use of WiFi tracking, the municipality did not change the pseudonymization method. This shows that continuous assurance of privacy and security requirements is also essential.
At the national level, support for the digitization of government is being provided in various ways. Various working groups from the Association of Netherlands Municipalities (VNG), among others, are working on digital themes in which handles and guidelines are given for digital vision creation and concrete implementation. On the basis of these, government organizations can deploy digitization at their own pace. All this is driven and directed from the national Digital Government Agenda.
In response to the increase in cyber risks, several organizations, including the National Cyber Security Center (NCSC), ICTU and Center for Information Security and Privacy Protection (CIP), have joined forces. The programs and projects created from this collaboration aim to increase the digital resilience of the government (and thus the Netherlands). An important achievement in this collaboration is the basic security levels for organizations. These basic security levels enforce a minimum number of security measures to reduce and control the risk of cyber incidents. Especially for new digital solutions and projects, it is necessary to determine the basic security level. In addition, from the collaboration between NCSC, ICTU and CIP, various quickscans, roadmaps and roadmaps have been developed to increase the digital resilience of governments.
In addition to government support, we see part of the solution in breaking up broad ideas and programs into separately defined projects. By outlining a clear business case for each project, a proper assessment of risks can be made and it is easier to understand which legal requirements apply. In this way it is possible to make a good, clear assessment of the extent to which an implementation is feasible and therefore possible.
The IT auditor can contribute by being involved in digitization projects from A to Z; from designing the business case to implementation and aftercare. In this way, the correct privacy and security aspects are guaranteed not only in the design phase, but also during the use of digital applications, and your organization will not be faced with any surprises afterwards. The result is a secure digital application and no negative impact on the project schedule.
