As EU leaders further solidify their approach to enforcing data protection standards, regulatory bodies must continue to focus on promoting vendor transparency. This principle is all the more significant in the context of the public sector, where clarity in the way in which government protects citizen data and sensitive public information—including through the services of third-party providers—is of paramount importance. Such ex-post regulatory action should also be paired with more forward-looking, preventative action to improve data protection in the public sector and ensure that providers can prove they are meeting the terms and conditions of their contracts.
European government agencies, like their American counterparts, are increasingly employing Internet services and cloud providers to store, protect, and manage government and constituent information. While these services provide many advantages for citizens and government—including improved efficiency and information sharing—the expanding use of practices like data mining, coupled with a lack of vendor transparency, may be infringing on the protections afforded to European citizens by existing law. Updated legislation, which will solidify and expand existing data protection regulations, is expected to be implemented across the EU by the end of 2015.
To date, regulatory action in the EU has focused on the implications of Google’s practices for consumers, but EU data protection leaders should also be mindful of the ways in which the actions of providers might affect public sector entities. Specifically, these leaders should look to optimize trust between government entities, EU citizens, and Internet service providers.
Continued, ex-post regulatory action is part of the solution. But, to improve data protection in the public sector, government agencies must pursue more proactive action in coordination with Internet and cloud services providers. As EU member states implement new data protection legislation, government agencies should look to codify data protection standards and templates for service agreements that clearly define expected practices for government services providers in terms of data protection. These standards and templates should focus on capabilities, not necessarily the technology used to implement them.
Government agencies should also employ third-party providers to validate the fulfillment of these standards and service agreements. Third-party assessments should be performed periodically through the duration of a contract, as recommended in the Organizational Risk Management Framework proposed by experts at SafeGov.org. These assessments would ensure that companies are meeting the new terms and conditions of the contracts and statutes required to service EU public sector entities.
Internet and cloud services can enable tremendous advances for government agencies, but without proper consideration of risk, along with robust enforcement policies, EU public sector entities may be jeopardizing their ability to ensure the protection of citizen and sensitive data.
–Commentary by SafeGov expert Julie Anderson, Managing Director, Civitas Group. This piece first appeared on Public Service Europe.safegoveu