We all know the importance of creating an environment in which New Zealanders can interact safely with government online and in which their protected information can be safely and reliably handled, and that the government domain is fit for purpose. ‘Fit for purpose’ means it meets the following fundamental requirements:
- Its functionality and design supports users to easily complete the purpose for which the site or service is designed.
- It is usable regardless of device, technical ability, familiarity with the web, or knowledge of the structure of government.
- It is accessible to all users of the web including people with disabilities.
- It is technically secured against unauthorised access.
- It does not allow unauthorised access to protected information and preserves the privacy of users' information and data.
- All information is managed as an asset, and public information is open by default.
- It is compatible with other sites or services through adherence to relevant technical and data interoperability standards.
- It is pro-actively managed.
Other Presentations in This SeriesThis is one in a set of five presentations by the Digital Engagement team in Internal Affairs (DIA) on projects they are leading across government to improve how Government interacts with people online. The other four presentations are also available on the Web Toolkit:
- Digital Engagement Team Projects: An Introduction - Laura Sommer (Manager Digital Engagement) provides background information and an overview of the projects.
- Redevelopment of newzealand.govt.nz - Jared Gulian (Principal Advisor Digital Engagement) and Nathan Wall (Information Architect) review how the new website will provide all-of-government information based on users needs, with plain English content and features that are easy to understand.
- Redevelopment of .govt.nz Domain Name Service - Jason Kiss (Senior Advisor Digital Engagement) discusses how the Government DNS system works, and planned updates to the features and security of this critical infrastructure.
- Government Online Engagement Services (GOES) - Nadia Webster (Senior Advisor Digital Engagement), talks about GOES, which will establish an online engagement service to help agencies actively connect with the public, users and other agencies.
TranscriptOK, that picture may be familiar to some of you. It came out of the Rethink Online strategy a couple of years back, when we took half a dozen steps backwards, and thought about what the government domain should be like. And when you take enough steps backwards, that’s what it looks like. To me it looks like somebody sneezed all over the screen.
But that’s a screenshot of 500 different home pages across government. That’s a picture of the splendid diversity, if you like, of the government domain. It’s a picture of the diversity that we expect our users to become familiar with, and find their way through as they deal with government.
What it hides is diversity in some other ways, as well, a whole bunch of diversity in the platforms and skill sets behind the government domain that are required to maintain it. When you dig into it, there’s a whole bunch of diversity about what the word secure means. There’s a whole bunch of diversity about what the word accessible means, and different levels of understanding of those things, as well.
There’s a great deal of diversity in usability across the government domain. And the one that’s been in the news recently is a great deal of diversity around managing private data, people’s personal information. That has some less than splendid consequences.
[Image projected on screen: Screenshot of article from Computerworld.co.nz.]
That’s in the Computerworld recently. And the headline doesn’t say “Opinion — It’s a matter of trust”. It’s an opinion piece by Stephen Bell about whether you and I, as citizens, can trust government to deal with our personal information. It’s a bit of a sad commentary, really.
[Screenshot zooms in on a link in Computerworld.co.nz to an article with title “UPDATED: Ministry of Justice database access hole reported to Opposition MP”.] And before we go on, I just wanted to draw your attention to a complete coincidence. On that same page, how about that? Got a page questioning whether we can actually deal with people’s private information securely, and here we’ve got a story about a hole in a government website. That story wasn’t all it was made up to be. There was a bit of drama and politics going on there, as I understand it.
But moving right along, there is reason to ask those questions.
[Image projected on screen: Screenshot with logos of various NZ Government agencies. The agencies are ACC, Ministry for the Environment, Earthquake Commission, Immigration New Zealand, Inland Revenue, Ministry of Education, Ministry of Health, Ministry of Justice, Work and Income.]
This is not a name and shame. That’s already been done in the public domain by the media. These are all organisations that have had some incidents around management of personal data or security. And that’s in the last 12 months, or so. A bit unfortunate.
[Image projected on screen: Photo of armoured tank standing on it’s nose after coming down a steep embankment, with caption “Things don't always go as planned”.]
Now, that’s the truth, isn't it? I’m just going to take a wee digression here, and talk about procedures and processes that you put in place to maintain security and safety. The one I know about is the Air New Zealand 747. Anybody going to be to Fiji for their holiday soon?
That 747 lined up at the end of the runway. At some point they wind up those engines. They roll down the runway, and off they go. What is actually happening up at the front? Does anybody know what the two pilots at the front are doing all through that process?
They’re holding hands. This is safety procedure. The throttle levers on a 747 — most aircraft — sit between the two pilots at the front.
And from the time they line up the top of the runway, there’s two hands go on those throttle levers, one from each pilot, one on top the other. And all the way through that process, down the runway, through the checkpoints they go through down the runway until they leave the ground, those two hands are together. And that forces agreement between these two trained individuals all the way through that dangerous process.
Which is really reassuring when you’re down in back of the aircraft, because if you know any pilots, they actually go through the point no return before they’re actually capable of getting in the air. So it’s good to have two heads on the job.
[Image projected on screen: Photo of man in helmet on a quad bike in mid-air jump with the wheels falling off. Caption reads “There will always be surprises.”]
Helmet or no helmet, I know what’s going through this guy’s mind: “Oh, shit, the wheels fell off.” There always will be surprises.
The trick is, what do we do when we have a surprise. How do you respond? I had to respond to one yesterday.
It makes your heart rate go up quite a lot. How do you respond? Are we ready to respond? Are we going to be knee-jerk panic response, and are we going to make things worse with our response, rather than better?
Anybody got an idea what his response is at this particular moment? I think he’s going to be figuring it out upon impact. It’s all about maintenance. This is why you have your car maintained and serviced, and why you have warrant of fitness checks, and why you do stuff around your house to stop things catching fire or falling off or stopping working. It’s just pure maintenance. It’s what you do to things. It’s what we do in our lives.
Because I know for a fact there’s government websites out there that don’t have maintenance procedures, and [pointing to man on quad bike in photo on screen] that’s not a question of “if” — It’s “when” for those ones. That’s why we have maintenance procedures.
Domain integrity. We have Results 9 and 10 under way out there. And at the same time we have question marks about whether we can be trusted to deal with people’s personal information. Results 9 and 10 are about delivering more and more services online over the web.
And this is you and me, as individuals, as citizens, interacting with government, sharing our personal information with government. That ain’t going to happen if we can’t be trusted to manage that information securely. There’s going to be a lot of pushback against that if we can’t get our processes and procedures around safety sorted out.
At a very high level, that’s what the Domain Integrity Project looks like. We’re getting together working group to oversee what we do, and make sure that the deliverables we come up with — I’ll get to that in just a second — are actually fit for purpose. When you throw them to an agency, that agency is actually going to use them, understand them, and follow good practise.
We want to get some really early deliverables out the door. And these will be mainly checklists of things, particularly around accessibility and security and privacy, that would just alert you to any deeper problems you might have. There’s stuff that’s already published out there for accessibility that we can use. That’s a really easy one to do . And as you run through that, if you haven’t got a whole bunch of ticks in boxes, then you’ve probably got some deeper problems, and need to get in some expertise.
We’ll be producing some really early deliverables. It won’t be a guarantee of anything. It’ll just be a heads up for agencies.
And from then on we’re going to split up. And we’ll go on to different streams. Each one will be attached to a working group. So we’ll have working groups overseeing what we’re doing as we produce deliverables.
The one about accessibility is underway. We’ve already got a review of the government web standards in process. That’s been a process for quite some time. It makes sense to have some sort of guidance out there about what makes good usability as well, alongside that. Accessibility and usability are of two sides of the coin.
Down at the bottom, that’s the stream that we’re going to put a bit of pressure on. We need to get some sort of guidance out there for agencies on what constitutes good security practises, what constitutes good privacy practises. If I can talk about security for a second, it’s already out there. It’s already published. We’ve got the NZ Information Security Manual.
We’ve got Security in the Government Sector as documents. If you want to read 450 pages of documentation, you’ve got it sitting there at your fingertips. We’re going to be condensing some of that down and make it into more easily consumable for agencies.
Information and data management, that’s managing information like information, with all the proper record keeping and archiving processes that go around it, and managing data like data. Consideration as to formats and licencing and reuse and cost and contacts, and all that stuff that goes along with reusable data. And we want to have some form of governance over what we do on the web.
There are sites out there we have a habit of building and “fire and forget”. We put stuff out there, we’ve got a budget to build a website. We put it out there, and we walk away from it.
That’s not really the way the web works. And it doesn’t work very successfully when you do it that way. At the end of the day, we need some sort of mechanism out there so we know what the government domain looks like. We’ve come from a era where we just had no clue. We want to know what the government domain looks like, and where our exposures are, in terms of security or accessibility, and things like that, and weaknesses that we can patch up.
Principles that we’re working to, we want to use small working groups so that we can be flexible and fairly agile. We want the bring in specialist knowledge as and when we need it. And we want the stuff that we produce to be usable and consumable and easily understood by agencies. There is no reason to mask stuff in complexity, and therefore not ever get around to doing it.
We want to come up with high quality content, and it’s going to be pushed out on the web toolkit as a repository of good practice. We’re going to have some standardisation around what we produce. At the end of the day, in each of those areas we talked about, there will be some sort of requirement. It might end up becoming a standard.
It might end up becoming a profile, the kind of profile we want to achieve across government. Or it might become an expectation on government agencies. This is what we expect when we say the word secure.
Be that is may, doesn’t really matter what it is. We need to get some guidance out there on how you actually meet it. When we say that’s what secure means, how do you actually get there? Guidance, good practise examples, there’s always some value in good practise examples, what other people have done that has worked out well and can be shared, and some sort of framework for assessment and reporting.
Outcomes for agencies. We want to have a little bit more consistency. And it’ll make it a whole lot easier for us to manage their online stuff with that consistency in place, once we’re sharing the same language and understand the same terminology. Agencies will be better prepared to respond when things do go wrong.
When that guy’s wheels fall off, what do we do then? We’ll be better prepared to respond, because we’ve got a better handle on some of the stuff that we’re dealing with. And we’ll have an increased opportunity for sharing of knowledge and expertise across the government domain. We do have pockets of really good expertise across the government domain, and it’s not always shared well.
As I move on to the outcomes for people, you’ll notice the top one doesn’t change. What’s good for government, in terms of consistency, is good for us as users. And as we move more and more into the online space and delivery of services, as well as information online, we’ll hopefully engender a bit more confidence in the public that we actually know how to manage their private data.
And with that in place, there will be a greater willingness to shift to the digital channel overall. So that was the Domain Integrity Project. And we’ll be talking about that on the Web Toolkit as we go through.