As the government pushes more on service delivery through electronic means. There is a need to have a relook at security, seamlessness and integrity of systems so designed. While departments are autonomous in managing their system, there is a need of an overarching body which can exercise review and influence department to carry out delivery of digital services in more acceptable norms.
Some common grounds that makes oversight of implementation important are outlined as below:
- Creating a centralized Database System: While having a single centralized database system has many advantages such as single source of truth, simpler manageability and lesser demands on resources, it also raises concern when for technical reasons essential services are denied to citizens or businesses.
- Centralized Decision making: Government department owning the e-governance facility when left on its own for all decision making without sufficient transparency in processes, and without sufficient power in any other body to oversee program execution may lead to non-accountability.
- No laid-out process for de-duplication: As assumptions may have it, departments believe that certain records are unique and are not faked by service users. The tall claim may need to be examined on periodic basis though a well laid-out mechanism to ensure that integrity of data is not compromised.
- Not ensuring control and owner ship of source code: The independent audit and control of data/ software by department becomes even more critical when some offered services are classified in nature.
- Engaging with foreign contractors: When data is classified, it becomes necessary to sufficiently think before department engages with a foreign contractor wherein data could be collected, used, stored or transferred. The track record of all vendors being engaged in project may need to be scrutinized to see whether they are not involved in any unlawful activity. National or international companies are also subject to business dynamics of merger and acquisition. In such cases, sufficient control may be incorporated in contract.
- Compromising public data in hands of private vendors: Often departments are not equipped to rollout services on massive scale. To manage reach and velocity, departments engage private vendors in an incentive based manner. The higher the throughput from the vendors, the greater the cash flow from department to them. To maximize business gains, some private vendor may compromise integrity by malpractices such as racking-in incorrect details to department, giving scope to data theft, corruption and bribery.
- No-paper services for confidential data: As per recent rulings, the services to citizens or businesses may not be denied if the digital system is not running. Many a times, when the system is not robust enough to deliver services for some or the other reason to a genuine requestor, government departments make arrangement for alternate means which may involve physical presence or paper submission. There is a high likelihood that in such inconvenient cases, security and confidentiality of data may be compromised by intermediary party which gets its hand on confidential records or information.
- Non-compliance with data processing and storing standards: In this regard, significant institutional commitment needs to come from departments collecting, authenticating, analyzing or disseminating public data.
“Building a rigid institution with opaque processes, no encouragement to risk assessment and unwillingness to adapt will likely fail the e-governance systems”
Some of the measures that may be adopted to address the above risks at the institutional level are mentioned as below:
- Engaging with independent threat analyzing agency. Additionally, independent researchers and reporters may be encouraged who uncover flaws thereby helping department improve its e-governance program.
- Having a Chief Information Officer assisted by Chief Data Officer & Chief Information Security Officer.
- Following a defined SOP in case of data leakages or threats.
- Legislative power and regulatory mechanism to take action against private parties stealing, storing and misusing data.
- With whichever organization is data, the holding party to be made liable for ensuring data secrecy and confidentiality
- In case other parties are engaged in collecting data on behalf of department, additional oversight & regulatory ability may be given to department to carry out audit and enforcing accountability on the other party.
- Having a robust, transparent and responsive mechanism for dispute resolution.