Base Requirements and Threat Model for the Once-Only Policy

Lauren Lombardo
Project on Digital Era Government
Feb 4, 2021

Author: Naeha Rashid, Fellow, Ash Center for Democratic Governance and Innovation, Harvard Kennedy School

Editor’s Note: This article has been adapted and extracted from the first three chapters of a larger work, “Deploying the Once-Only Policy: A Privacy-Enhancing Guide for Policymakers and Civil Society Actors”. A more detailed discussion of the various topics introduced here can be found in the final guide.

The COVID-19 pandemic has revealed to many countries the inadequacies of their existing digital infrastructure. In a world where face-to-face contact is dangerous and severely curtailed, the need for more and better digital government services provided at low cost has never been clearer. One policy that is both a source of public value and government cost-cutting and can act as a potential gateway to next-generation government services is the once-only policy (OOP). Under OOP, users (citizens, residents, and businesses) only have to provide diverse data one time when they interact with public administrations. After the initial data transfer, different parts of the government can internally share and reuse this data to better serve users.

OOP is in place in the Netherlands, where it allows citizens to apply for government certificates, benefits, and other services at the push of a button simply by using their national ID. Similarly, in Estonia, as a result of OOP, residents, their doctors, and appointed representatives can access the entirety of their health history by logging into the e-Patient portal using their digital ID.

Though OOP provides great value, it also has the potential to concentrate power in the hands of the state to the detriment of its citizenry’s privacy and freedoms. Here, OOP is examined through a privacy lens to identify how countries can harness the benefits of the policy while minimizing the risks. In this article, we will discuss the potential benefits and risks of once-only, sketch out the privacy threat model that is impacted by OOP, and highlight some preconditions to widespread implementation.

The Potential Benefits of Once-Only

OOP’s explicit goal is to reduce the administrative burden for both users and governments. When the policy is in place, users are disburdened as they only have to communicate diverse fields of data once, instead of being forced to repeatedly provide the same information to multiple actors. Governments are disburdened as it is easier and cheaper for departments to exchange data that has already been collected, instead of making multiple requests for the same data and storing that data over and over in various silos.

Beyond these administrative benefits, OOP has the potential to fundamentally transform government operations. This is because OOP implementation requires governments to develop and use two key underlying elements — identification and data-sharing mechanisms — across multiple layers of operation. Subsequently, governments can leverage these elements for any number of additional purposes. Thus, OOP is not a standalone policy; rather, it fits into the broader conversation about next-generation government digitization, including the government-as-a-platform approach.

While there is no universally accepted definition of government-as-a-platform, we like the working definition proposed by Richard Pope, which describes the approach as: “Reorganizing the work of government around a network of shared APIs and components, open-standards and canonical data sets, so that civil servants, businesses and others can deliver radically better services to the public, more safely, efficiently and accountably.”

With OOP and its underlying elements in place, we see several government-as-a-platform goals being realized, especially in the following areas:

1. Service delivery

OOP is fundamentally about user-centricity. It can transform government service delivery by aligning supply of services with users’ demand for those services both in terms of method (how services are accessed and delivered) and form (the type of services offered).

2. Data and information

The data-related requirements of OOP mean that reliable data would be more accessible to government servants, making data-driven decisions much easier.

3. Platform governance

OOP creates a technical basis for advanced interoperability and the development of platform services across governments.

4. Government modernization

With a successful OOP deployment in place, it will become easier to push governments toward becoming more digital, adaptable, and transparent.

A Major Risk: How can OOP Implementation Impact Privacy?

Despite the benefits of OOP, if improperly implemented this policy has the potential to concentrate and enhance state power to the detriment of a citizen’s privacy, freedom, and capacity to dissent. OOP and its underlying elements create new privacy and security risks related to government use of people’s personal data, to making data easily accessible, and to keeping institutions accountable. OOP gives governments the ability to stitch together sensitive information about an individual and conclusively link it to a single profile, thus making users permanently visible to and trackable by the government. At an aggregate level, such enhanced state capabilities can be used to influence and control entire populations. This is deeply concerning in the case of nations that have poor accountability track records and creates new risks for even relatively responsible regimes.

While the risks are significant, OOP is not inherently harmful. Rather, the power that OOP grants the state must be circumscribed by enshrining appropriate protections throughout the design of all interlinked policies and systems, and by giving civil society actors the knowledge they need to advocate for “good” privacy-enhancing design.

To understand how a country can implement OOP in a privacy-enhancing way, we must first understand the threats to privacy associated with the use of personal data by the government. Poor OOP implementation is likely to significantly exacerbate these threats. Below, we have broadly defined five primary threats to privacy and briefly explained how failure to secure personal data against each threat could impact trust in service delivery and government in general. Note that the five threats do not constitute a comprehensive list and that the urgency of each of these risks may vary from country to country.


1. Protect individuals’ privacy against the state itself

This threat refers to protecting residents’ data from the government itself, and/or protecting data against misuse by government agents. Significant examples include government employees accessing information that they are not authorized to see (e.g., a librarian seeing a police report). If the government cannot adequately protect against this threat, the consequences may range from some erosion of trust in government to complete decimation of trust, though with low impact on service delivery.

2. Protect individuals’ privacy against actors contracted by the state

This threat refers to protecting resident data from third-party government contractors who may have been given access to sensitive information. An example of this would be an app developer contracted by the health department to enhance the government’s COVID track-and-trace response. Failure to protect against this threat will likely result in some erosion of trust in government and low to medium impact on service delivery.

3. Protect individuals’ privacy against foreign state actors

Here we are concerned with protecting resident data from military-level incursions by other malicious states. This challenge is likely to grow as we move towards an increasingly digital world. If this threat comes to pass, it may result in lowered trust in government and will likely cause a significant impact on service delivery. The worst-case scenario would be a debilitating and devastating attack on a nation’s government and its residents.

4. Protect individuals’ privacy against non-state actors

The idea here is to protect resident data from individuals and organizations (e.g. businesses, political parties, and cybercriminals) that seek to benefit from this data. It is unclear what impact failure to do this will have when it comes to citizen trust in government (the consequences will likely range from erosion of trust in government to an unlawful and insidious influencing of people’s democratic choices) but the impact on service delivery is likely to be low.

5. Protect individuals’ privacy from people they know

This last threat refers to protecting individuals’ data from their family and friends who are not authorized to access certain types of information. The clearest example that comes to mind is a child accessing their parent’s medical data without the parent’s consent. It is unclear what the impact on trust in government and service delivery would be from such actions.

Conclusion: Preconditions to OOP Implementation

OOP implementation is not without risks, but it has the potential to propel governments into the next phase of digitization. Despite the advances some countries have made in this space, each nation will face its own set of challenges, especially vis-à-vis privacy. Consequently, those seeking to implement OOP for the first time will have to carefully consider the privacy risks and proceed accordingly.

Perhaps most importantly, a successful all-of-government OOP deployment is ultimately contingent on trust in government. Here, we identify and briefly describe three proxies for trust in government that are assumed preconditions for OOP:

1. Strong rule of law

Laws are formulated, interpreted, and enforced in standard ways, and their enforcement is unrelated to the relative power of affected parties.

2. Low risk of new and unanticipated power asymmetries

There is little asymmetry of power, and the risk of these asymmetries being exacerbated if OOP were to be implemented is similarly low.

3. Strong counterpower of civil society

Strong civil society organizations provide non-institutional oversight to government schemes by helping raise the voices of users and creating pressure on the government to address areas of concern.

In the absence of these preconditions, it is both difficult and inadvisable for a country to proceed with widespread OOP implementation.
