Governments around the world are actively pursuing digital strategies that improve citizens’ experiences. In Canada, though, CIOs – government and otherwise – indicated in the 2019 Gartner CIO Agenda that they are not as far along in their digital journey compared with their global peers. Add in limited resources and the need to balance citizen privacy on top of such endeavours and the challenge to achieve digital overhauls becomes that much more.
By 2023, 65 per cent of the world’s population will have its personal data covered under modern privacy regulations, up from 10 per cent today. Public-private partnerships (P3s) can help alleviate some of the pressure that government CIOs are facing in this arena. While P3s have historically focused on infrastructure-type projects, for instance transportation initiatives, they are increasingly being sought for funding digital transformations, like smart city projects. In Canada, for example, the privacy issues surrounding P3s have been thrust into the spotlight with projects like Sidewalk Labs’ Quayside development, which was only recently given limited approval after two years of debate.
An important consideration in a P3 is the varying privacy landscape in which governments and private sector organizations operate. To that end, accountability for citizens’ personal information is not always clear. Citizens often lack visibility and control when P3s process personal information on their behalf. When things go wrong, citizens turn to their governments first, as they hold public-sector institutions to a higher standard. After all, the choices available to citizens in the private sector do not necessarily exist in the public sector.
In order to bring more transparency to public-private partnerships, government CIOs must pioneer the ethical processing of personal information in P3 projects among internal stakeholders and private-sector partners. Follow these three best practices to build trust in P3 projects and ensure a positive privacy user experience (privacy UX) among all parties.
Complete a Privacy Impact Assessment
While privacy responsibilities in government may reside with the privacy office or other program areas, that does not mean CIOs should not be involved. CIOs lead, or are key partners with, the functions that manage technologies used to process data or oversee similar activities performed by private-sector organizations.
A best practice – and a consistent recommendation by Canadian regulators – is the completion of a privacy impact assessment (PIA) or, where appropriate, a data protection impact assessment (DPIA). These assessments identify and treat privacy risks early as well as consistently and, in the case of DPIAs, are mandated under the EU’s GDPR. Where CIOs can truly exert influence and insist one be completed is through the project management life cycle: CIOs must demand that any P3 project that processes personal information cannot begin until there is agreement about the completion and subsequent maintenance of a privacy impact assessment. Completed assessments should be revisited on an ongoing basis to catch and mitigate potential new risks.
Establish Standards and Controls When Processing Personal information
Ensuring governance and accountability is of utmost important when dealing with personal information, but it’s not always straightforward. As an example, consider the parties involved in building a toll highway. There will be one organization involved in constructing it, another one who is responsible for maintaining it, and a third one who ensures tolls are collected and processed. If toll collection is done via transponders instead of cash, the personal information involved would reside only with organization #3. If, however, these companies want to engage in a project to install 5G signal towers to support autonomous vehicles, which involve the transmission of vast amounts of data, the personal information becomes identifiable and therefore regulated. The question becomes who will own the ethical processing of that data and be accountable for using and protecting it.
In such scenarios, the conversation about data processing in P3 projects starts with a contract that all parties agree to, but it does not end there. Ongoing dialogue to discuss new developments and subsequent actions is required. This is why privacy considerations in P3 projects must be actively managed by CIOs who can implement standards and controls that relate to the purpose(s) for processing personal information. The International Standards Organization (ISO) and National Institute of Standards and Technology (NIST) are two frameworks that serve as resources for CIOs in their ongoing management of privacy.
Invest in a Comprehensive Privacy User Experience
Since CIOs have control over the digital interfaces between the government and its citizens, they can take an active role in ensuring a strong UX. CIOs can examine these touchpoints and ensure that appropriate measures have been built to provide transparency to citizens with respect to how their data is processed and a means for citizens to exercise control over how their data can be processed (where appropriate).
Privacy UX encompasses the interfaces between institutions and individuals with respect to transparency, consent and preference management (CPM) and subject rights request (SRR) management in personal information. Establish a baseline standard that requires appropriate notice be presented everywhere the government collects personal information from citizens. Take the leap to build a comprehensive CPM system to accompany government transparency. Ultimately, the CIOs’ target should be a self-service portal for citizens to manage their access and use of services provided by governments and partners.
This topic and others within privacy are becoming increasingly important as privacy regulations evolve worldwide. Modern privacy legislation has significantly broadened the definition of personal information, yet current government practices for managing privacy risks tend to be overly simplistic. Implementing the aforementioned best practices will ensure privacy risks are managed throughout the data life cycle and equip CIOs with the proper mindset and tools when things go wrong.
About the Analyst
Bernard Woo is an Ontario-based Senior Research Director at Gartner with a focus on data protection/privacy risk management and compliance programs. Throughout his career in privacy-related roles, Mr. Woo has excelled at working with stakeholders from various functions (e.g. IT, legal, marketing, security, HR) to devise innovative, efficient solutions that enable organizations to grow and achieve their objectives, while ensuring the protection of personal information and individual privacy rights. Join Gartner analysts onsite at the Gartner IT Symposium/Xpo global conferences in 2020.