UPDATE 2012-03-06: according to the 2012 eGovernment report (.pdf) issued by the United Nations, the Dutch effort in eGovernment ranks #2 in the world. The Republic of Korea ranks #1.
UPDATE 2011-12-19: the Dutch Scientific Council for Government Policy (WRR) published an English translation of the famous iOverheid report. Here it is!
On November 15th 2011, the Dutch government published (.pdf) their “I-Strategy” information strategy for 2012-2015. Below is my careful translation of the “Trust and Information Security” section. Any unnatural use of the English language is due to me translating as literal as possible, avoiding (mis)interpretation. Hyperlinks and parts between […] are mine.
Trust and Information Security
The Dutch cabinet wants citizens to be able to trust the way in which the Dutch government handles the storage and use of digital data. The government is responsible for reliability of the information that is used, and for diligent and legal use of data received from third parties. To accomplish this, permanent investment is needed in the government’s defensibility [Dutch: “weerbaarheid”] against (un)intentional breaches, in increasing the capacity to recover in case of unhoped-for successful breaches and in processes concerning the handling of privacy-sensitive data. Part of increasing the defensibility is having solid information security concepts. An important aspect of that is the investment in data security, in addition to device and network security. That enables device independent laboring (including bring or choose your own device). Wherever specific security requirements apply for classified information, the knowledge and expertise of the Dutch General Intelligence and Security Service (AIVD) will be used. Network security will be improved by reducing the number of internet connections that the government [Dutch: “rijksdienst”] has. That will be done through a government-level shared internet connection [Dutch: “Rijksinternetverbinding”]. This leads to simplified maintenance, higher quality, cost reduction and risk mitigation. A second aspect is the change from unconscious risk-aversion to conscious and responsible risk management. Employees should be able to, and want to, handle information safely. The desired use of self-selected means, combined with the enormously increased possibilities to communicate (social media), mean that a civil servant in 2011 must be more conscious than ever about the risks involved in the use of digital means, and thus also understand them. The government [Dutch: “Rijksdienst”] will support employees by providing adequate means and clear rules and advise. Also, the ensuring of common agreements about information security with internal and external parties needs to be strengthened. That will be, among others, realized by harmonizing the process and the elements of the oversight of compliance. As announcement in the letter about DigiNotar (26643, nr. 189), the Minister of Security and Justice will develop mandatory breach notification for IT incidents for organizations fulfilling crucial societal functions. Such a form of transparency increases the trust in the security of the government [Dutch: “Rijksdienst”]. An optimal capacity to recover is essential to quickly rehabilitate from the consequences of breaches of IT infrastructure. For that, additional instruments will be developed that enable the government to intervene sufficiently. Here too, framework and oversight are essential instruments. There will also be looked at further strengthening of research and expertise at the government, as has also been done in the [Dutch] National Cyber Security Strategy (NCSS) (.pdf).
In context of the Compact Government program [Dutch: “Compacte Rijksdienst”] will, under responsibility of the Minister of Security and Justice, be worked toward development of one government-wide [Dutch: “rijksbrede”] operational IT security function, that ensures scarce knowledge and expertise. To that end, the development of the National Cyber Security Center as announced in the NCSS will be joined.
Following the iGovernment report [Dutch: “iOverheid” (.pdf)] from the Dutch Scientific Counsil for Government Policy (WRR), the government decided to, as stated in the government response to WRR report (26 643, nr. 211), expand existing measures related to the governance of large IT projects with measures for the protection of privacy. The ministerial CIO’s play a central role in that. The expansion is planned as follows. The current requirements for the content of project plans for large IT projects (26 643, nr. 135) will be supplemented with the demand to state whether the project involves privacy-sensitive data and linkage or data enrichment. The project plan will state, with arguments, whether a Privacy Impact Assessment or a similar instrument applies. This information will be used in establishing a risk profile for the project, that will be done by the client and the departmental CIO. This risk profile partially determines whether the project will be reported to Parliament [Dutch: “de Kamer”] through the annual business report [Dutch: “Jaarrapportage bedrijfsvoering”] and the government’s IT dashboard (Rijks ICT-dashboard). If the risk profile results in the observation that the project is high-risk, the project will be included in this report and the dashboard.
The departmental CIO considers, as usual, all information from the project plan in his assessment at the beginning of a project, or during its execution. If this assessment relates to the use of privacy-sensitive data and linkage or data enrichments, the departmental CIO will seek advise from the data protection officer, that has been appointed in every Ministry and oversees the application and enforcement of the Dutch Data Protection Act. The IT project clients are obliged to report changes related to the use of privacy-sensitive data and linkage of data enrichments to the departmental CIO, who will decide whether a new assessment is needed. This expansion of the requirements related to the governance of IT projects will stimulate the diligent use of privacy-sensitive data, increase the involvement of the departmental CIO and ensure the information supply to the Parliament [Dutch: “de Kamer”].
The current Dutch administration seems to have well-informed attention for both security and privacy. The consistent use of the clause “privacy-sensitive data and linkage or data enrichment” (Dutch: “privacygevoelige gegevens en koppelingen of verrijking daarvan“) may characterize pending rules concerning privacy protection. The well-reasoned criticism against careless use of personal data expressed in the iOverheid report has apparently had significant impact. Personally, I’m very pleased with this section of the Dutch I-Strategy 2012-2015.