Trust, Privacy & Security in Dutch Govt “I-Strategy” 2012-2015

UPDATE 2017-12-19: the Dutch gov’t released (in Dutch) the successor to the I-Strategy 2012-2015, entitled “Strategische I-agenda Rijksdienst 2017”, which (loosely) translates to “Strategic I-Agenda Federal Government 2017”.

UPDATE 2012-03-06: according to the 2012 eGovernment report (.pdf) issued by the United Nations, the Dutch effort in eGovernment ranks #2 in the world. The Republic of Korea ranks #1.
 
UPDATE 2011-12-19: the Dutch Scientific Council for Government Policy (WRR) published an English translation of the famous iOverheid report. Here it is! 

On November 15th 2011, the Dutch government published (.pdf) their “I-Strategy” information strategy for 2012-2015. Below is my careful translation of the “Trust and Information Security” section. Any unnatural use of the English language is due to me translating as literal as possible, avoiding (mis)interpretation. Hyperlinks and parts between […] are mine.

Trust and Information Security
The Dutch cabinet wants citizens to be able to trust the way in which the Dutch government handles the storage and use of digital data. The government is responsible for reliability of the information that is used, and for diligent and legal use of data received from third parties. To accomplish this, permanent investment is needed in the government’s defensibility [Dutch: “weerbaarheid”] against (un)intentional breaches, in increasing the capacity to recover in case of unhoped-for successful breaches and in processes concerning the handling of privacy-sensitive data. Part of increasing the defensibility is having solid information security concepts. An important aspect of that is the investment in data security, in addition to device and network security. That enables device independent laboring (including bring or choose your own device). Wherever specific security requirements apply for classified information, the knowledge and expertise of the Dutch General Intelligence and Security Service (AIVD) will be used. Network security will be improved by reducing the number of internet connections that the government [Dutch: “rijksdienst”] has. That will be done through a government-level shared internet connection [Dutch: “Rijksinternetverbinding”]. This leads to simplified maintenance, higher quality, cost reduction and risk mitigation. A second aspect is the change from unconscious risk-aversion to conscious and responsible risk management. Employees should be able to, and want to, handle information safely. The desired use of self-selected means, combined with the enormously increased possibilities to communicate (social media), mean that a civil servant in 2011 must be more conscious than ever about the risks involved in the use of digital means, and thus also understand them. The government [Dutch: “Rijksdienst”] will support employees by providing adequate means and clear rules and advice.
Also, the ensuring of common agreements about information security with internal and external parties needs to be strengthened. That will be, among others, realized by harmonizing the process and the elements of the oversight of compliance. As announced in the letter about DigiNotar (26643, nr. 189), the Minister of Security and Justice will develop mandatory breach notification for IT incidents for organizations fulfilling crucial societal functions. Such a form of transparency increases the trust in the security of the government [Dutch: “Rijksdienst”]. An optimal capacity to recover is essential to quickly rehabilitate from the consequences of breaches of IT infrastructure. For that, additional instruments will be developed that enable the government to intervene sufficiently. Here too, framework and oversight are essential instruments. Further strengthening of research and expertise at the government will also be looked at, as has also been done in the [Dutch] National Cyber Security Strategy (NCSS) (.pdf).

In context of the Compact Government program [Dutch: “Compacte Rijksdienst”] will, under responsibility of the Minister of Security and Justice, be worked toward development of one government-wide [Dutch: “rijksbrede”] operational IT security function, that ensures scarce knowledge and expertise. To that end, the development of the National Cyber Security Center as announced in the NCSS will be joined.

Following the iGovernment report [Dutch: “iOverheid” (.pdf)] from the Dutch Scientific Council for Government Policy (WRR), the government decided to, as stated in the government response to the WRR report (26 643, nr. 211), expand existing measures related to the governance of large IT projects with measures for the protection of privacy. The ministerial CIOs play a central role in that. The expansion is planned as follows. The current requirements for the content of project plans for large IT projects (26 643, nr. 135) will be supplemented with the demand to state whether the project involves privacy-sensitive data and linkage or data enrichment. The project plan will state, with arguments, whether a Privacy Impact Assessment or a similar instrument applies. This information will be used in establishing a risk profile for the project, which will be done by the client and the departmental CIO. This risk profile partially determines whether the project will be reported to Parliament [Dutch: “de Kamer”] through the annual business report [Dutch: “Jaarrapportage bedrijfsvoering”] and the government’s IT dashboard (Rijks ICT-dashboard). If the risk profile results in the observation that the project is high-risk, the project will be included in this report and the dashboard.

The departmental CIO considers, as usual, all information from the project plan in his assessment at the beginning of a project, or during its execution. If this assessment relates to the use of privacy-sensitive data and linkage or data enrichment, the departmental CIO will seek advice from the data protection officer, who has been appointed in every Ministry and oversees the application and enforcement of the Dutch Data Protection Act. The IT project clients are obliged to report changes related to the use of privacy-sensitive data and linkage or data enrichment to the departmental CIO, who will decide whether a new assessment is needed. This expansion of the requirements related to the governance of IT projects will stimulate the diligent use of privacy-sensitive data, increase the involvement of the departmental CIO and ensure the information supply to the Parliament [Dutch: “de Kamer”].

The current Dutch administration seems to have well-informed attention for both security and privacy. The consistent use of the clause “privacy-sensitive data and linkage or data enrichment” (Dutch: “privacygevoelige gegevens en koppelingen of verrijking daarvan“) may characterize pending rules concerning privacy protection. The well-reasoned criticism against careless use of personal data expressed in the iOverheid report has apparently had significant impact. Personally, I’m very pleased with this section of the Dutch I-Strategy 2012-2015.

4 thoughts on “Trust, Privacy & Security in Dutch Govt “I-Strategy” 2012-2015”

  1. Thanks for this piece!
    I have picked apart, in some more detail, the legal framework that the NCTV sent along with the cyber threat assessment [Dutch: “cyberbeeld”] for publiekrechtenpolitiek.nl. You might find that interesting too. In it, the NCTV in my opinion mainly argues for expanding the existing powers of supervisory bodies/authorities in tackling cyber threats. This could ultimately also have consequences for privacy issues.

  2. Hey Matthijs,

    thanks for the interesting read!

    Could you enlighten me why the iGovernment report is “famous”?
    I found it an inspiring read, but didn’t know it had any further real world / discursive impact.

    Thanks,
    Basanta

    1. Hi Basanta,

      I think I mostly used that qualification because the iGovernment report was a basis for the iStrategy, which is the first-ever comprehensive information strategy of the Dutch government. So, looking back, it’s mostly ‘famous’ as in ‘famous relative to Dutch public administration’. My reality back then consisted mostly of wrapping up an anonymity-related dissertation and having observed a lack of attention for matters discussed in the iGovernment report. The report was timely and IMHO very necessary, but ‘famous’ was hyperbolic.

      The iGovernment report made explicit a lot of concerns that IMHO needed (and still need) attention; for instance the (real) possibility of systems that determine decisions about citizens without the latter being able to learn how and why a certain decision about them was made. A recent example from the private sector in the Netherlands was elicited by Dutch insurance/energy/telecom price comparison site PriceWise: it appears that the algorithms used by some car insurance companies involve indices bound to postal codes, and consumers who live in adjacent streets may have a rate that differs by factor 2.5 (!), so far without a proper explanation for that.

      A bit off-topic, but: the relative enthusiasm about Dutch gov’t strategy concerning privacy I expressed at the time of writing the post has, meanwhile, been weakened due to draft legislative proposals that include expansion of LE and intelligence powers regarding computers and the internet. See this post (about an upcoming cybercrime bill) and this post (about an upcoming intelligence bill).

      Best regards,
      Matthijs
