Digital public services and "e-PAs": the legal aspects.

In this blog post, the CITADEL project is approached in a slightly different way. Rather than detailing a specific part of the core development activities, as other blog posts will do, this post considers the legal issues and hurdles that a public administration (PA) might encounter when transforming itself into an ICT-driven, more effective and inclusive “e-PA”. This post elaborates on how CITADEL deals with them.

Scenario: CITADEL is a Horizon 2020 funded project aiming to explore, monitor and analyse the drivers, enablers, impact, risks and barriers of open, innovative and collaborative government across a diverse terrain of public administrations (PAs). It does so through an open and scalable platform based on innovative ICTs, in order to understand, transform and improve PAs by proposing recommendations that enhance their policies and processes, with a view to delivering effective, inclusive and high-quality public services across Europe.

CITADEL, which stands for “empowering citizens to transform European public administrations”, builds on the realization that high-quality public services are a necessary basis for citizens’ social welfare and essential to a region’s competitiveness and entrepreneurship. Therefore, the delivery of high-quality public services is absolutely instrumental for a society and its economy to function, whether on the national, regional or local level. CITADEL tries to understand why citizens do or do not use a certain service, how existing services can be optimized and what is needed to create new and better public services. In order to do this, CITADEL will create an ecosystem of best practices, provide a co-creation methodology, provide specific (ICT) tools and formulate recommendations to transform PAs, enabling the provision of more efficient, inclusive and citizen-centric services through the use of ICTs.

The CITADEL ecosystem will be implemented and validated in three use cases/test scenarios in Latvia (national level of government), Italy (regional level of government), and Belgium (local level of government).

In a broad sense, CITADEL is aimed at facilitating the process of transforming a PA into an ICT-driven, more effective and inclusive “e-PA”, which brings many challenges in practice. Some of these challenges are of a legal nature or have a legal impact. Moreover, the solutions CITADEL proposes also need to be legally solid in order to be useful to a PA aiming to transform itself. It is those legal challenges that are discussed in this blog post.

Legal challenges: while the goals of the project are laudable, CITADEL brings with it many legal challenges, relating to the protection of personal data, profiling users, access management (i.a. e-identification), anonymization, pseudonymization, big data, secondary use of information, etc.

Many of these challenges relate to legal uncertainty within PAs, rather than legal uncertainty in the law itself. The law on electronic signatures, for example, is rather clear, but it is often found in practice that a PA transforming its workflows will sometimes avoid electronic signatures because it is unsure of their legal value or because a perception exists throughout the organization that signatures on paper are more valid/safe than the electronic equivalent. Another example that has been encountered in practice is that electronic flows sometimes end up in a paper format nonetheless, e.g. an online subsidy application procedure that leads to a printable PDF document which has to be signed on paper and sent to the PA. There is often no good legal reason to do this; it is a lack of clarity on the PA’s side which causes this kind of phenomenon.

The same is true for other e-transformation processes, such as the move from physical archiving to digital (qualified) archiving.

Additionally, some of the legal challenges are also subject to some uncertainty as to the application of the law itself. Data protection law and the new General Data Protection Regulation (GDPR) are a prime example here. Although the text of the GDPR is final, many uncertainties exist in the exact interpretation of the law, and PAs must deal with this as well. After all, whether performed electronically or on paper, the provision of government services will entail the processing of large amounts of citizens’ personal data, and thus the new legislation must be implemented fully. Moreover, when moving into digital services or into online processes of co-creation, additional personal data is often gathered. Next to this, the use of ICT systems for the provision of government services brings with it not only many opportunities, but also challenges in terms of keeping the information safe and preventing unintended and often far-reaching secondary use of personal data which was gathered for another purpose and for which no legal basis may exist.

Sometimes, it is not a perceived legal issue that prevents the move towards efficient and effective digitalization, but the knowledge that users will struggle with using the new technology, in the current form as presented by the PA. This has e.g. been encountered in trying to introduce online authentication on a PA’s platform through the use of a national e-ID, which required software to be installed prior to being able to access the platform, which turned out to be too challenging for many citizens. Issues like this can potentially be dealt with through co-creation activities (to find out where the issue lies exactly and how it can be addressed) and through providing tools for the PA to assess their service and their digital maturity (including a module for assessing GDPR maturity), providing recommendations on how to evolve and further transform.

CITADEL solutions: in order to deal with the legal challenges, legal partner time.lex will create a legal vademecum, answering some FAQs and providing much-needed guidance in a practical format. This will include an easy-to-use conceptual approach on how to deal with typical perceived and real legal issues, as well as practical instruments for a PA to use in order to deal with legal issues as they arise.

As an example, the privacy literacy test can be mentioned. This test will be part of the legal toolset offered by CITADEL and is an exercise aimed at testing civil servants’ knowledge of GDPR concepts, while at the same time explaining those concepts and educating the civil servant taking the test. There are three versions planned, each one building on the previous one. The first version, which has been finalized and tested and is now fully operational, deals with the general concepts. The second and third versions will apply these concepts in two real-life extended scenarios, one dealing with a typical HR process, the other dealing with the information flow in a PA with regard to one or more life events (e.g. birth). The life event approach was inspired by the use cases.

In addition to the legal vademecum, all tools produced by the CITADEL project will have received input from and been validated by the legal partner.

In this way, the CITADEL project aims to address any legal worries a PA poised to use CITADEL to transform itself into an “e-PA” might have. While legal responsibility for the provision of public services and the use of tools of course rests with the PA in question, CITADEL aims to play a strong facilitating role in overcoming any (perceived) hurdles, providing a legal toolset that can be immediately applied in practice, irrespective of the level of government and the services concerned.