In a time when governments increasingly digitise public services, the handling of citizens’ personal data has become a point of discussion. The sheer scale of e-governance solutions is rapidly increasing around the world, as more and more governments bring their public services into the digital world. In 2016, 90 countries provided at least one form or portal of public service in digital form, up from 45 countries in 2003 (UN 2016). While e-governance and digitisation of public services have the potential to be of great public benefit as they reduce bureaucracy and corruption, and help to provide more efficient public budget distribution, digitisation may also present risks, namely because of the centralisation of citizens’ personal and sensitive data. The inherent risk of cyber attacks, combined with the fact that public administrations are not always fit to ensure the technical safety of their systems, oftentimes results in the outsourcing of this service to private companies or the creation of public-private initiatives. This in turn raises a range of ethical dilemmas and questions of accountability, should personal data be lost, leaked, sold, traded away or otherwise misused. When sampling research articles and press material on the topic of ‘public administration and privacy’ and ‘e-government’, two sub-categories appear as dominant, namely digitisation of medical services on the one hand, and online identification systems, eID, on the other.
Although the healthcare industry is considered one of the least secure industries in terms of cybersecurity, medical data is being rapidly digitised around the world, at a risk to patients. Notably, a study from 2015 found that the healthcare industry is 340% more likely to be subject to cyber attacks than most other industries, and 74% more likely to be subjected to phishing schemes (Raytheon I Websense, 2015). Public health care often relies on outdated software that is easy to break into, as hospitals do not always have the budgetary means or expertise to update their security measures despite it being imperative that they do so. An additional ethical dilemma becomes relevant here: whether a hospital should invest in new medical equipment or spend available resources on security measures for its networks. Yet the failure to prioritise cybersecurity comes with its own moral questions of accountability in cases where patients’ data is put at risk. For example, in May 2017, the WannaCry ransomware attack severely affected 87 of the 260 trusts of the UK’s National Health Service (NHS), as the cyber security infrastructure had indeed been underfunded and neglected over time. Research done on the NHS’ protocols found that NHS trusts treating 2 million UK citizens had not spent anything on cybersecurity infrastructure in 2015, and that the infrastructure had become so fragile that even some NHS trusts’ passwords and usernames were publicly available through search engines (Murgia and Neville, 2017).
This lack of effective security measures and of awareness around the problem is troublesome, and the percentage of health care organisations reporting cyber attacks rose from 20% in 2009 to 40% in 2013 (Humer and Finkle 2014). Moreover, in a time where medical data is considered extremely valuable, national health care operators may be tempted to sell or trade medical data. Since public health care providers do not always seem fit to adequately protect medical records from cyber attacks, and might fall for the temptation to trade them away, it might be questioned to what extent public health services can and should be trusted with personal data, and how citizens are able to keep authorities accountable.
So why should we be concerned about who has access to our medical data? Part of the reason is that on the black market, your medical information is worth 10 times more than your credit card number (Ibid). Medical records contain names, birth dates, policy numbers, diagnosis codes and billing information that can be used, for example, to file fabricated insurance claims in your name, or to create fake IDs to purchase services and equipment. This makes them an attractive target for hackers and fraudsters, especially as medical identity theft often takes significantly longer to notice than fraud in the highly secured credit card industry. The US healthcare industry is especially lucrative; in 2014 it was estimated to be worth 3 trillion dollars (Humer and Finkle 2014).
So what indications do we have of the sheer scale of the cyberattack threat against the healthcare industry? The examples are manifold. For example, in August 2014 the US company Community Health Systems Inc. lost 4.5 million patient files to hackers, and in December 2016, 35,000 medical files were leaked from a Mumbai diagnostic laboratory, also by hackers. In the latter case, the laboratory disclaimed liability and was not held accountable (Prasad 2016). In June 2017, the Petya attack affected the US drug firm Merck and, as a corollary, all the prescription files stored in the company’s databases (Withers 2017).
But health care providers do not only lose information to hostile attacks; they may also simply be tempted to trade or sell medical information for monetary gain or services. For example, in 2015, the London-based Royal Free London NHS Trust freely traded 1.6 million medical records to Google, for use in Google’s AI company DeepMind (Powles 2017). This information contained everything from HIV diagnoses and mental health history to abortions, and both Google and Apple have a keen interest in getting hold of this information for huge financial turnovers, in the name of medical advancement (Withers 2017). In Europe, Swiss-based Sophia Genetics has in a similar manner partnered up with 330 hospitals who trade their patients’ DNA in return for the company’s genome research and access to its data mining systems (Withers 2017). The case can be made that by trading and coordinating medical data, health care providers may potentially contribute to significant progress in research on medical conditions. This, for example, created a controversy in France as the government sought to create a “système national des données de santé” (SNDS), a national system that stores medical data of all French citizens in order to advance medical research (CNIL, 2017). This open-access database, enabled by law n° 2016-41, came online on the 10th of April 2017 and allows citizens who do not wish for their medical data to be used for research purposes to opt out (Legifrance 2016). However, it is not possible to be excluded from research databases in matters of national security, for instance during serious epidemics (Ibid).
The emergence of a broad range of online public platforms increasingly centralises personal data in online identification systems. In 2016, 98 countries required their citizens to utilise a digital ID to access various public services (UN 2016:2). This digital identification, or eID, works as an online security measure that verifies who citizens are online; in other words, it makes sure that they are who they claim to be. Yet, just as fake ID papers can be fabricated in real life, how can we ensure that our most personal information, and thereby our identity as a whole, is secured when behind a screen?
Certain controversial instances of privacy violations involving eID solutions highlight such security breaches. For example, in India, a 12-digit identification number was introduced that links to the person's bank account, mobile phone(s), fingerprints and/or iris scan. The system, called Aadhaar and introduced in 2010, was seen as a big improvement in a country where many had no proof of identity (The Economist 2017). The digital identification number is used by over 1.1 billion Indians, and allows them to access numerous governmental services, inter alia, receiving ration cards in remote areas, applying for and receiving subsidies and filing legal documents (Strielkowski 2017).
The social and financial benefits of this increased efficiency are considerable; however, concerns are being raised regarding potential data misuse, especially as this initially ‘voluntary’ solution has become, in reality, compulsory. Here, China's comprehensive point system could be mentioned, where Chinese citizens receive points according to how trustworthy they are seen to be in the eyes of the state (Denyer 2016). Concerns about the extensive tools governments are suddenly capable of using, thanks to increasingly extensive e-governance, are also raised in India. Citizens in India are now obliged to link their Aadhaar numbers to their tax number, and are requested to use it for certain government services (Ibid). The Supreme Court of India declared privacy a constitutional right on the 24th of August 2017 (Guruswamy 2017). India has experienced several serious data breaches, including the recent ‘Reliance Jio database breach’ of personal data of over 100 million customers. Due to this, a great concern in India is whether users' 12-digit Aadhaar numbers were stolen, as many users had registered with Reliance Jio with the number (Bora 2017). There is further fear that the Aadhaar number could be misused to pressure minorities or citizens with dissenting political opinions, as their personal behaviour is increasingly digitalised (Guruswamy 2017).
The tendency of governments to outsource eID systems and operations to foreign countries and private companies adds an additional ethical question and layer of risk to private data. For example, the Nordic-based payment service provider Nets Group provides the majority of all money transactions in Denmark, Sweden, Norway, Finland and Estonia through BankID, Avtalegiro and BankAxept, as well as a range of governmental ID systems including the Dankort, Betalingsservice and the national eID in Denmark, the NemID (NemID). In 2014, Nets was acquired by two US global private investors, Advent International and Bain Capital & ATP, and in September 2017 it was acquired by the American hedge fund Hellman & Friedman LLC for 5.3 billion (Dummett 2017). As Nets was previously owned by an ensemble of monetary institutions and national banks in Scandinavia, this international, corporate acquisition of Scandinavia’s vital digital infrastructure raised controversy across all countries affected. Mistrust towards Nets was sparked shortly after the privatisation, as it was revealed that an employee of an IBM sub-supplier of the Nets Group had leaked debit transfer histories of famous people to journalists over several years. The incident was named both the Se&Hør-scandal and the Nets-scandal (Hansen 2014). This scandal resulted in Nets’ investment in additional security measures, as the incident raised concerns regarding surveillance in general. Several political parties strongly opposed the privatisation and civic society actors collected signatures, showcasing that many people are increasingly concerned about the accountability pertaining to the ownership of their online identity.
On a positive note, there are several success stories in which e-governance works as it should and works well. For example, Estonia is the country that is said to have the most developed e-government system to date, with about 3000 governmental services available in a digital version (Strielkowski et al. 2017). Estonians have had compulsory digital ID cards since 2002 which, together with two PIN codes, enable them to digitally sign documents and identify themselves in online transactions. This double PIN system is deemed to be secure and enables citizens to use nearly all public services online, including internet voting (used by 1/3 of Estonians), online medical prescriptions and electronic tax filing (used by 99%) (Strielkowski et al. 2017). So how can we establish whether this highly digitalised e-government can be deemed a success in terms of its security measures? One answer is that when the global WannaCry attack in May 2017 affected 150 countries around the world, Estonia stood clear of the attack (Thompson et al. 2017). As such, governments around the world are currently looking to Estonia for inspiration for efficient and secure e-governance (Herlihy 2013; Jaffe 2016).
Interestingly, public opinion regarding the outsourcing of government services seems to converge with the geographical localisation of servers or the national ownership of the service provider. For example, the selected cases of eID and e-healthcare management tend to centre on matters of trust or mistrust in the holder of the data and on privacy concerns for the users. Depending on the national context, however, (mis)trust seems to be related to the physical: the geographic location of servers.
The Nets case shows this, as public concern was immediately raised when citizens’ data fell into the ownership of a US firm (Advent International 2014). This was also the case when Swedish citizens’ sensitive information was accidentally leaked after their national transportation services had been outsourced to IBM, which had its services run and the data stored on servers in Serbia and elsewhere in Eastern Europe (The Guardian, 2017).
Trust levels additionally seem to hinge on a public-private distinction, for instance when the government-provided Indian Aadhaar system was questioned in the political context of a Hindi-nationalist leadership. In Scandinavia, on the contrary, concerns were raised when governmental services came into private ownership, indicating that governmental ownership might be preferred in the public’s eyes.
Transparency by governments should be taken into account in this regard. Currently, 113 countries have personal data protection laws accessible online (UN 2016:8), yet trust in the ruling government and dependency on e-government services might go hand in hand. Thus, if something goes wrong, as in the cases mentioned, who should then be held legally accountable: the government providing the service or the private companies the government has outsourced its data services to?
All of the above taken together points to the necessity of finding a balance between reliance on e-government solutions on the one hand, and the public’s management of citizens’ personal data on the other. It may as such be in the interest of both citizens and governments to partake in technological progress, as it comes with significant benefits, if the systems prove reliable and able to cope with technological progress on both the software and the hardware side. Although Europe is the region in the world that ranked highest according to the UN’s E-government index from 2016 (Moe 2017:60), we have seen several cases where the systems adopted were subjected to cyberattacks or simply fraudulent behaviour by contracted companies. Data breach in public platforms is a risk for any country.
As e-governance is a relatively new concept we might also question whether the range and multitude of consequences have yet been adequately studied in contemporary research. A recent study of big data research makes this point as it calls for more research to be done on data management and practices of particular governments (Moreno et al. 2016). Moreover, as e-governance is a rather recent phenomenon, little is known regarding the relationship between trust in government and trust in e-government, which is a key research gap that will require more scholarly attention as the world continues to digitise (Horsburgh et al., 2011).
Advent International. (2014). “Nets to be acquired by Advent International, ATP and Bain Capital”. Published online 24 March 2017. Copenhagen: Advent International.
Bora, K. (2017). “Sweden's national security at risk after huge leak of confidential data: Why it's a wake-up call for India”. Published 25 July 2017. International Business Times.
CNIL (2017) “SNDS : Système National des Données de Santé”. Published online on April 18th 2017.
Denyer, S. (2016). “China wants to give all of its citizens a score – and their rating could affect every area of their lives”. Published 22 October 2016. UK: The Independent.
Dummett, B. (2017). “Nets A/S sold to private equity for $5.3 billion”. Published 25 September 2017. Market Watch.
Guruswamy, M. (2017). India's judges rule for freedom, September 10, 2017, The New York Times.
Hansen, J. S. (2014). “Exclusive: Danish magazine's surveillance scandal creates new uproar over data privacy”. Occupy.com.
Herlihy, P. (2013). “Government as a data model' : what I learned in Estonia”. Online article published 31 October 2013. Gov.uk.
Horsburgh, S; Goldfinch, S and Gauld, R. (2011) “Is Public Trust in Government Associated With Trust in E-Government?” Social Science Computer Review.
Humer, C. and Finkle, J. (2014). “Your medical record is worth more to hackers than your credit card”. Published online 24 September 2014. Reuters.
Legifrance. LOI n° 2016-41 du 26 janvier 2016 de modernisation de notre système de santé
Jaffe, E. (2016). “How Estonia became a global model for e-government” Published 20 April 2016. Side Walk Talk.
Moe, C. (2017). “Editorial for EJEG Volume 15 Issue 2” The Electronic Journal of e-Government Volume 15(2):57-58.
Moreno, J., Serrano, M. and Fernández-Medina. (2016). “Main Issues in Big Data Security”. Future Internet 8(44):2-16.
Murgia, M and Neville, S. (2017). “NHS was an easy target in global hacking attack” Published online 13 May 2017. Financial Times.
Powles, J. (2017). “Why are we giving away our most sensitive health data to Google?” Published online 5 July 2017. UK: The Guardian.
Prasad, S. K. (2016). Digitisation of Health / Medical Records: Is the law keeping up? Published online 7 December 2016. Delhi: Legally India.
Raytheon I Websense (2015) 2015 Industry Drill-Down Report: Healthcare. Raytheon Company. Retrieved online 22 October 2017.
Strielkowski, W.; Gryshova, I.; Kalyugina, S. (2017). Modern Technologies in Public Administration Management: A Comparison of Estonia, India and United Kingdom. Administratie si Management Public, (28): 174-185.
The Economist. (2017). “India’s biometric identity scheme should not be compulsory”. Leader published 15 April 2017. London: The Economist.
The Guardian. (2017) “The Guardian view on a Swedish scandal: the precedence of privacy.” Editorial published 31 July 2017. London: The Guardian.
Thompson, M. and Jethro, M. (2017). “World’s biggest cyberattack sends countries into ‘disaster recovery mode’” Published online 14 May 2017. Washington: CNN.
Tolbert, C. J. and Mossberger, K. (2006). “The Effects of E-Government on Trust and Confidence in Government”. Public Administration Review 66(3): 354-369.
United Nations. (2016). “United Nations E-Government survey 2016”. New York: United Nations.
Withers, I. (2017). “The big data revolution: the high price of a force for good”. Published online 16 September 2017. UK: The Telegraph.