On November 13, the Open Government Partnership (OGP) wrote to the Australian Government
“This letter is to inform you that, the Government of Australia has now acted contrary to the OGP process for three consecutive action plan cycles (2014, 2015 and 2016).”
Australia is now at the final stages of preparing an action plan. It’s been a long road and we’re only just now really getting started. Let’s hope that we do a better job with our finalised action plan.
“As you are aware, the OGP Articles of Governance state that all participating countries are expected to: Make concrete commitments, as part of a country action plan, that are ambitious and go beyond a country’s current practice.“
The Open Government Partnership is a partnership between civil society and government to work towards open government, reducing corruption, improving transparency and improving participation.
In this letter the OGP clearly reminds the government that the action plan needs to be ambitious in these areas. The Australian government needs to go beyond our current practice here, beyond business as usual.
So, let’s take a deeper look how the draft action plan measures up according to those criteria.
“Make concrete commitments”
There are a number of examples where the national action plan makes vague statements of intent that have little specific outcome.
The Open Government Partnership Anti-Corruption Working Group points out our failure to be specific in this area:
“Overall, Australia’s anti-corruption commitments within the nation action plan are considered to be consistent with strategic areas identified at international events and have the potential to be transformative in the long run. However, most commitments are composed of milestones that stop short of catalysing institutional, policy or behavioural change against corruption. It is our belief that Australia can and should be able to include additional milestones that will ensure meaningful steps forward in the fight against corruption.”
In the current draft national action plan, reform on Beneficial Ownership transparency says “We will consult with the corporate sector, non-government organisations and the public on a beneficial ownership register for companies.”
Promising to “consult” is not a concrete commitment. It is an intent to follow a process that could very easily end up with no beneficial ownership register at all. Yet by this measure it would have “succeeded”.
A concrete commitment with a measurable outcome would say:
“We will establish a beneficial ownership register. We will work with civil society, the corporate sector and the public to do this and we will make the register publicly available.”
For Open Contracting the draft says “We will undertake a public review of the Australian Government’s compliance with the Open Contracting Data Standard.”
Again, this is not a concrete commitment. It’s a fluffy promise to have a look at something. To be a firm commitment, this should instead read:
“We will make Australian Government publishing of tender contracts compliant with the Open Contracting Data Standard”
The Australian Open Government Partnership Network’s review of the Action Plan contains more examples where promises to consult are stated over promises of action.
“That are ambitious and go beyond a country’s current practice”
The National Action Plan in its current form is largely comprised of commitments that have already been made outside the Open Government Partnership, before any “co-creation” took place with “civil society”. The OGP process can add value to these if they stretch the ambition of the existing commitment, and if civil society has a concrete way to hold government to account for their implementation documented in the milestones.
If government isn’t at least little uncomfortable, then this plan isn’t ambitious enough.
There is little evidence of substantial new reform in this action plan that the government didn’t already have other reasons for committing to.The Interim Working Group should clearly identify if and how goals have been “stretched” by connecting them to the OGP process.
Civil society have a strong desire to make commitments concrete and ambitious. Since t the OGP refresh after the federal election, the government, did create an Interim Working Group. Government then talks about a spirit of genuine collaboration. It’s true that there are reform commitments in integrity that were not being considered previously. However the whole action plan creation methodology has a way to go before you could really call it co-created by government and civil society.
And that’s ok. Kinda. For now.
A Deeper Dive: Genuine Participation and Concrete Change?
The idea behind commitment 2.2 “Build and maintain public trust to address concerns about data sharing” seems to be that the general public has a problem trusting government and that the general public’s trust need “fixing”. Government characterises the problem being simply about their concerns with personal data being held by government & being shared within government. There’s no recognition that the public might have good reason be concerned, or that these issues should be addressed.
This is a stark example of missing the point of engagement entirely. In the commitment on building trust, the language used communicates government’s needs and position, as though government is right, and people are wrong. How can you have a dialogue with people if you think you know better and your job is to convince them they are mistaken?
How absurd and condescending is it, when there are very real problems in government systems, to state this matter as a trust problem, and then to outlaw practises that could help find real problems.
We’ll dive into this reform commitment in a bit more detail to unpick some of these criticisms with the current draft.
The Australian people have every right to be suspicious and wary of government’s ability to secure its data. The government has a duty-of-care to ensure that people’s privacy is maintained. This complex issue needs constant attention and continuous improvement.
However, there is nothing in this commitment that indicates that government acknowledges that any of these concerns are warranted. Let’s for a moment look at a small selection of data breaches in recent years in Australia.
- Changes to the retention of names and addresses in the 2016 census caused widespread concerns amongst privacy advocates and the general public. These were largely dismissed by the ABS by saying that “little had changed”.
- During the same census the online system failed during what should have been its peak use. This exposed the lack of technical competency of the ABS staff and its inability to manage and vet the vendors that actually carried out the work.
- In September 2016, university of Melbourne academics discovered that it was possible to reidentify doctor ID numbers in published Medicare Benefits Schedule (MBS) data. http://www.huffingtonpost.com.au/2016/09/28/privacy-commissioner-to-investigate-medicare-data-breach/. Government responded by proposing to make it illegal to de-anonymise data.
- In October 2016, the personal details of over half a million Australians who donated blood through the Red Cross was accidently posted online. As well as names and addresses this information included whether the individual had taken drugs or engaged in risky sexual activity.
- In December 2013 it was discovered that the information of over 600,000 users of Public Transport Victoria’s website was accessible online
- In 2014, the personal details of almost 10,000 adults and children held in detention centres was inadvertently released by the Department of Immigration and Border Protection.
- In November 2015 it was revealed that a security problem in myGov exposed taxpayer records
This list is enough to make a simple point. There have been a number of very serious data breaches in recent years.
However, this is not a blame game. Securing people’s information is genuinely difficult. The government will only get better at this stuff if it takes a proactive and honest approach. It needs to understand its own failures, not point fingers at a few “bad apples” or blame something on “human error” and it can’t cover up its own failings with legislation.
And of course it’s important for the general public to trust government with its information. However, the only way to truly build trust is to be honest and open – that includes with failures. Every time a data breach happens and the government says “just trust us. It won’t happen again” it’s not surprising that people don’t believe them.
So, we recommend that this draft commitment is amended to include detail and associated milestones that:
- Introduce and enforce, the long awaited Mandatory Serious Data Breach Notification Legislation, show this as a requirement in the milestones.
- Organise a multistakeholder forum to track success of implementing Serious Data Breach Notifications, including identifying and oversight by relevant civil society
- Communicate open and honestly in the event of data breaches and:
- Be open and honest about what happened. (No cover ups, no sugar coating, no whitewashing, just the facts – saying “human error” is not good enough) – Explain without embellishment what set of circumstances and actions led to the outcome
- Explain what the root causes of the problem were (Saying a human made a mistake is not good enough) – what are the systemic problem or problems?
- Explain what you are doing in the long term to ensure it doesn’t happen in the future. (e.g. We are standing up a new team to automate the website publishing process so that any private information is automatically processed and doesn’t require staff to manually handle it – this will take six months)
- Explain what you are going to do in the short term to ensure it doesn’t happen soon. (e.g. Until the long term solution is in place any person publishing content to the website needs to get approval from the security team)
- Outline timeline and milestones to report on how Government improves, when dealing with and talking about breaches
- Offer incentives to people to report security problems (bug bounties, etc..) –
- Not punish people who report problems. Specifically, not introduce legislation to criminalise the de-anonymising of published data.
- Criminalising de-anonymising data punishes the good guys not the bad guys. Bad guys will never get caught because they won’t tell the government what they’ve done and the government will have no way to find out what they’ve done. The only people that can ever get punished are the good guys that might tell the government about data that has not been properly de-anonymised. So, it effectively silences anyone who might help the government get better at its job. This is not the way to do security and it’s not the way to incentivise the correct behaviour.
A Few Words About Participation
We’ve highlighted specific opportunities in the Commitment on Building Trust to work with civil society on implementing important reform.
What supports our ability to make effective decisions at a national level is a robust democracy with the rights, protections, and infrastructure that help us deal with them. The OGP hands us a powerful platform, with citizen needs at the heart of decision making, implementation and oversight. That’s where they need to be to put these difficult issues on the table and help fix them.
The government already has a comprehensive set of concrete tools to help frame this work appropriately.
In 5.2 “Enhance public participation in government decision making”, the milestones should be amended so that the development of a “whole-of-government framework” is preceded by the development of prototypes in collaboration with the Digital Transformation Agency (DTA) in accordance with the Digital Service Standard (DSS). At the core of this process is criterion 1 of the DSS – Understand user needs – to improve public participation in government decision making by properly understanding what citizens need in talking to government about issues they care about.
The “whole-of-government framework” should only be written after completing user research and all the things have been learned from developing prototypes that were tested on real users.
We’ve highlighted a small number of problems. This is a fraction of the detail we should and could be analyzing in a National Action Plan, with more robust support for civil society’s role in future Open Government Partnership National Action Plans.
The scorecard is A for effort! That’s for everyone government and not government alike for plunging into the clear and magnifying waters of the Open Government Partnership. Taking part in a spirit of collaboration, with all the challenges and sideways thinking that requires.
Everyone can forgive a first action plan for large amounts of govspeak, for weasel words and a big dollop of business as usual?
Why? Because we’ve started, and that’s what’s truly important.
By Matthew Landauer and Katherine Szuminska, on behalf of the OpenAustralia Foundation