REFIT Platform Opinion

Transcription

1 REFIT Platform Opinion Date of Adoption: 23/11/2017 REFIT Platform Opinion on the submissions by the Royal Norwegian Ministry of Trade, Industry and Fisheries on the 'Digital consent-based solution through public-private partnerships and the once only principle' The REFIT Platform has considered the submission made by the Norwegian Ministry of Trade, Industry and Fisheries on the re-use data for cutting and simplifying administrative procedures and requirements for businesses and citizens. The REFIT Platform considers that the Once-only principle has the potential of simplifying and streamlining the relationship between consumers and businesses with public administrations and should therefore be encouraged both at Commission and Member State level. The REFIT Platform recommends that the European Commission continues facilitating the uptake of the Once-only principle (OOP) in Member States, taking into account Tallinn Declaration of egovernment of 6 October 2017 and fully respecting EU data protection legislation. 1

2 Detailed Opinion Contents 1 Submission IV.6.a by the Royal Norwegian Ministry of Trade, Industry and Fisheries Policy context Opinion of the REFIT Platform Considerations of the REFIT Platform Stakeholder group Considerations of the REFIT Platform Government group

3 1 Submission IV.6.a by the Royal Norwegian Ministry of Trade, Industry and Fisheries The Norwegian government's aim is that public agencies share and reuse information that citizens and businesses have already provided. A collaborative on digital information exchange has been established between government agencies and the financial industry. Altinn is an Internet portal by appearance but Altinn's strength lies in the platform itself: A digital infrastructure that links together registers, public agencies, municipalities, enterprises and citizens. Altinn facilitates sharing and reusing data that the public sector has collected. Through the consent-based solution in Altinn, individuals and organizations give their voluntary and temporary consent to a third party, which can be a public agency or a private enterprise. This is a temporary right of access to a specific set of data previously obtained on them. This may include assessment data from the annual tax return and wage information. Altinn must record all consents given so that the user at all times has a list of all consents given, deleted and ceased. The user will have the opportunity to withdraw consents she has previously given, which stops the third party's right to access her data. We expect that other similar projects based on user-managed consent have the potential to save society of 4.5 billion euros over a ten-year period. This partnership is a central part of the Simplification project for the Business Sector in Norway. To give an example: Most banks provide some digital loan application method. When you think you are through with the application process, you often discover that you in addition have to submit a lot of paperwork on tax and income. With the user-managed consent-based solution, you will have the opportunity to give your consent, for example on your mobile phone, which allows the bank to collect these data in public registers within a specific time limit. To summarize, we would like to point out the importance of keeping the intention of the regulation in the forefront, when revising or drafting new regulation. This way, regulation will keep with the principle of technology neutrality, and will not hinder digitalization. 2 Policy context The sharing and re-use by public sector bodies of information provided by citizens and businesses with a view to reduce the administrative burden and increase the efficiency and effectiveness of public sector service delivery is indeed acknowledged as one of the key components of the egovernment Action Plan

4 The implementation of the so-called once-only principle (OOP), according to which public administrations should ensure that citizens and businesses supply the same information only once to a public administration, is one of the features of an egovernment policy that will contribute towards achieving the vision of the Action Plan: "By 2020, public administrations and public institutions in the European Union should be open, efficient and inclusive, providing borderless, personalised, user-friendly, end-to-end digital public services to all citizens and businesses in the EU". At the EU level, the Commission has assessed the possibility of applying the once-only principle for citizens in a cross-border context and has suggested, as part of the proposal for a Regulation on the Single Digital Gateway (COM(2017)256), to introduce the OOP at the EU level for the procedures set out in Annex 1 to the draft Regulation adopted on 2 May The proposal contains a provision on user consent as a prerequisite for the exchange of evidence between authorities. Furthermore, a large scale pilot funded by the Horizon 2020 programme is looking at developing technical OOP solutions with regards to 1) Cross-border e-services for Business Mobility 2) Updating Connected Company Data and (3) Online Ship and Crew Certificates. The TOOP pilot aims at connecting registries and egovernment architectures in 21 countries across Europe and it will run until June Moreover, the technical infrastructure will effectively provide the solution that will allow for the implementation of the Once Only principle within the framework of the Single Digital Gateway. More information about the project can be found on A stakeholder community funded by the Horizon 2020 programme is gathering practitioners, scientists and citizens to discuss the potential benefits and key challenges of the once-only principle at the European level, see for additional information. The Connecting Europe Facility (CEF) Programme supports Digital Service Infrastructures (DSIs) that makes the cross border service delivery possible. As an example, the edelivery building block allows European public administrations to send and receive data in an interoperable, secure, reliable and trusted way. eid, esignature and einvoicing are examples of other DSI Building Blocks supported by CEF which are essential for cross border Once Only solutions. At national level, a study from 2014 found that 70% of the analysed countries (26 EU Member States, 2 associated countries and 2 non EU countries) were implementing projects or programs related to the once only principle. Overall, national or federal institutions are always involved in applying the once only principle, whereas lower level governments are concerned to a lesser extent. In 50% of countries surveyed all the administrative levels (national, regional and local) are covered by the Once Only Principle. The Once Only Principle has a significant potential for reducing administrative burdens on businesses and public administrations and time savings for the citizens. Benefits for the public sector are both direct such as monetarized benefits arising from time savings, greater revenues, reduced number of transactions and errors, more efficient use of existing resources and infrastructures on the one hand, and indirect benefits such as better service delivery and enhancement of the decision-making process on the other hand. 4

5 The application of the Once-Only Principle is also relevant in other policy domains at the EU level. For instance, the long term vision of European public procurement reform aims at creating an e-procurement ecosystem, which facilitates the seamless interaction of businesses with public buyers. The once-only principle is one of the main guiding ideas of the reform. At the EU level, applying the Once Only Principle and the setting up of a "Once-Only" infrastructure for the Cross-border exchange of data, will provide Member States the opportunity to allow for the re-use of data by private companies, in due respect of the data protection legal framework. Infrastructures, like the one being developed by the TOOP project, will in due time form a collaborative digital information exchange system at the EU level. Lastly, the Tallinn Declaration on egovernment on 6 Oct 2017 confirmed the commitment of MS to accelerate the implementation of the Once Only Principle at national level, making the EU level easier to implement. 3 Opinion of the REFIT Platform 3.1 Considerations of the REFIT Platform Stakeholder group The Once-only principle has the potential of simplifying and streamlining the relationship between consumers and businesses with public administrations. Supplying diverse data only once, allowing then the public administrations to share it, has the potential of reducing the burden on citizens and at the same time of improving the cooperation among public administrations. The cooperation should be extended also cross-borders, in the spirit of contributing to the efficiency of the Digital Single Market. The respect of European Union data protection legislation in all steps of the data interchange would also allow for the required level of trust in the system. It would be also important that the data shared is presented to the user before the actual sharing for ensuring the correctness of all the information delivered. Given the considerations above, the Stakeholder group suggests applying the once-only principle (OOP) widely, taking in full account the current EU data protection legislation. Technology neutrality should be ensured, to foster a rapid uptake of the Digital Single Market. Given the considerations above, the Stakeholder group recommends to the European Commission to continue facilitating the adoption of the once only principle by Member States, through for example the financing of pilot projects in the Multi Annual Financial Framework. The Stakeholder group recommends in particular that the European Commission pays particular attention to the concerns on data protection expressed by the European Data 5

6 Protection Supervisor on 1 August Considerations of the REFIT Platform Government group The 18 Member States contributing to this Opinion support the recommendations of the Stakeholder group and confirmed their commitment to implement the Once only principle, as stated in the Tallinn Declaration of egovernment of 6 October Individual contributions from Member States Member State 1 acknowledges the goals which are set out in the memo, about increased efficiency, lower administrative burden, innovation and positive impact on the environment. MS1 also agrees with the view that we need to be able to exchange standardized, structured data to achieve these goals. Once-only reporting generally relies on centralised, government-led storage of data. MS1 uses the Standard Business Reporting methodology to achieve the same goals. Through standardization of data definitions, processes and technology, MS1 is able to drastically lower the efforts, costs and risks in information exchange, which allows for on-demand reporting (or report many). Member State 2 supports the «once-only» principle for public administrations and intends to introduce it at home. Member State 3 In many cases, implementation of the only-once principle has already demonstrated potential to increase efficiency of egovernment services for citizens and businesses. The sharing of citizen s data can be done under the condition that cybersecurity and electronic identity management risks are well considered and properly managed in each and every services solution. Expectations of citizens and business towards public administrations complying with EU-wide data privacy and personal data security requirements are absolute; no mistakes are tolerated in regard to unauthorised access to personal data kept by public administrations in base registries, databases and other systems. The level of citizens trust that public administration took all necessary steps to ensure (legally, organisationally and technically) a proper protection of their personal and sensitive data, directly influences their trust in digital services. At the national level, EU Member States gradually solve all interoperability aspects of their public administration information solutions. Same efforts are taking place at the cross-border level, supported by EU projects and financial instruments. In many cases, national public administrations implemented once-only principle at the 6

7 Government-to-Government level and various public administrations share citizens and company data to provide state-guaranteed services. Public-private partnership in relation to only-once principle implementation brings additional opportunities and challenges. All risks to personal data protection and potential misuse of data should be explicitly dealt with, including the proper user education initiatives being undertaken, to make it possible to adopt the once-only principle also in relation to private sector. Given the considerations above and in line with current Tallinn Declaration on egovernment and previous egovernment Action Plan for the period , MS3 recommends to continue efforts related to implementation of only-once principle respecting national and EU data protection legislation. MS3 sees as very useful sharing national public administration examples of good practices in regard to consent-based solutions through public-private partnerships as done by the Royal Norwegian Ministry of Trade, Industry and Fisheries. MS3 considers that the Once-only principle (OOP) represents the essential logic behind the progress of interoperable digitization of public services across the EU. The automated crossborder exchange of data between public administrations, which the OOP enables, facilitates an enormous potential to improve the structural conditions for the movement of goods, services, capital, and people across the Single Market. This is because the OOP can rationalize the establishment of an ever more interconnected cross-border infrastructure which provides efficient and transparent access of entrepreneurs and citizens to public services across the EU and reduces thus the constraining barriers for their activities on the (Digital) Single Market. By itself, the OPP cannot be fully utilized without an up-to-date technical infrastructure and a sustainable regulatory framework. Against this background, MS3 believes that the Single Digital Gateway represents the very first coherent approach which takes a full advantage of the OOP by bringing the infrastructural and legislative solutions together, including the solution for users to preview their personal data before they are exchanged between issuing and requesting public authorities. Taking the aforementioned into account, MS3 advises to promote a holistic application of the OOP, epitomized by the Single Digital Gateway, which strikes a right balance between its wide-ranging spill-over and its compliance with the regulatory sustainability and technical feasibility. In particular, MS3 suggests that the Commission and Member States further improve their mutual technical and policy cooperation in developing a coherent approach to the seamless proliferation of OOP across the EU. Member State 4 supports the considerations of the Stakeholder group. By applying the onceonly principle it is possible to reduce administrative burden on citizens and businesses and to improve cooperation among public administrations. MS4 has committed to implement the 7

8 Once only principle as it stated in Tallinn Declaration on egovernment on 6 October In addition, MS4 points out that the once-only principle (and other equivalent policies) has been one of the main policy objectives for streamlining the national government administration already for several years. As there is a lot of potential, it is important to continue the efforts in this field. Member State 5 supports the submission on sharing and reusing information that citizens and businesses have already provided. The adoption of the once only principle would considerably contribute to reduce administrative burden. However, the current EU data protection legislation should be fully taken into account. It shall be indicated that the once only principle has been addressed in the Communication from the Commission on the EU egovernment Action Plan Accelerating the digital transformation of government (COM (2016) 179). Member State 6 partially agrees with the submission. MS6 has agreed to the principles within the egovernment Action Plan and is a signatory to the Tallinn Ministerial Declaration on egovernment. MS6 also agrees with the views of the Stakeholder group that the Once Only principle has the potential of simplifying and streamlining the relationship between citizens, businesses and public administrations. However, the practical realisation will need to be proportionate and consider the differing legal landscape, policies, procedures and organisational structures across countries. MS6 understands that Member States are still concluding their cross-government consultations and forming positions on the Single Digital Gateway (SDG) proposal. It is important that within this, there is the flexibility to design online procedures to suit national user needs and legal systems. MS6 would welcome the production of a technical specification for the 'Once Only 'principle, potentially as a consequence of implementing acts under the SDG. Member State 7 supports the once-only principle and the concept of open borders with regard to secure and transparent information exchange. Its national egovernment strategy, published in July, sets out how it intends to achieve this. It should be noted however that MS7 currently has no legal provision for sharing of public data with bodies other than specified public sector entities. MS7 is therefore keen to use the ongoing dialogue to inform its position in this area. Member State 8 supports implementation of the Only-Once Principle and the development of tools for public - private sector partnership on reuse data policy. Member State 9 fully supports this proposal. MS9 sees the Once-only principle as a way to improve public administration s quality, cross-border cooperation and reduce administrative burden. This is in line with the Digital Single Market strategy. 8

9 Member State 10 in favour of opinion on the once only principle. Member State 11 supports the proposal, but would like to emphasise the importance of ensuring that the proposal does not hinder other types of use-cases, where a consent-based approach is not needed and where data can be sent back-end without the consent of the enduser. Any solution should ensure that unnecessary lockdown in technical solutions is avoided. Member State 12 supports the proposal. Taking into account conditions and practice in the MS12 in the field of administrative services, the proposal by substance is already reflected in the national legal framework. It should be noted, that as stated in the proposal itself, these objectives are already present in many European documents and initiatives and regarding that, MS12 believes that the future actions in this area should be in line with the mentioned documents. Member State 13 supports the stakeholder s suggestion. Member State 14 has established a digital platform to facilitate the exchange of information between government agencies and the financial industry, presumably this being the private sector. This same platform enables individuals and organisations to signal their consent albeit on a temporary basis for such records and documents to be made available to third parties. This means, according to MS14, that such consent for the use of data and documents can be withdrawn in an effective and easy manner by the data owner. The facilitation of the user managed consent combined with the availability of data and documents in a digital format which is machine-readable is the basis of this proposal. MS14 s opinion and previous recommendations on the local level was to introduce similar facilities at the national level through the MyData principles. Therefore MS14 supports such proposals. Moreover, it can also be said that as part of the implementation of the National Data Portal, the foundation layer in terms of the Authorisation and Representation data layer is already being put in place. It can also be said that as part of the authentication process that will be developed in the next few months for this portal, this will enable the Open Data pages which can be used without any registration and authentication while any user opting or being mandated to have an account and credential will be allowed into the section of the portal which will be identified as the My Data section. This is because the user will have access and will be allowed to view and update only those datasets and records to which such a user has been previously authorised via the role selected as part of the login process. The major justification rests with the fact that such a digital platform is also a prime enabler for the implementation of the Once-Only Principle (OOP). MS14 is working on the premise that the OOP can be implemented through the efficient and effective sharing and re-use of data which is not only sourced from the public administration 9

10 itself but also from the consumers themselves since such documents are an essential requirement and an integral part of the specific line-of-business process. Member State 15 considers the following: 1) The once-only principle (OOP) enhances efficiency within public procedures, as it reduces the burden on citizens and allows a better cooperation among public administrations. Consequently it contributes to the collective principle of free movement of goods, services, capital and people established by the Treaty of Rome. There are however, specific goods and services, that deals with sensitive citizen s information. 2) The General Data Protection Regulation (and also the current Directive on Data Protection) establishes special categories of personal data, which in principle are not allowed to be processed unless specific conditions under article 9.2 are met. 3) The Annex of the Proposed Regulation on the Single Digital Gateway (COM(2017) 256 final) recognizes Health services as those that could benefit from the OOP. Health services process sensitive data (those stablished by art. 9 GDPR as special due to its sensitivity). Consequently, this kind of sensitive data should have safeguards if the OOP is applied, specially having in mind that legal basis for the processing of this sensitive data, is not always based on the consent given by the patient, but on other legal grounds as the healthcare demand, or the public interest. 4) For all the aforementioned, when services (public or private) are dealing with special categories of personal data, there should be a specific implementation (from a legal, organizational and technological point of view) regarding the adoption of an OOP s system. Member State 16 recognizes the potential of the Once-only principle. Nevertheless, MS16 suggests taking in full account, not only the current EU data protection legislation, but also the current data protection legislation from each Member State. Member State 17 generally supports the principle of the Once Only, both at national and EU level and considers there will be major advantages in the compilation of data across EU countries. From MS17 s perspective the TOOP pilot project is the right European way for achieving this ambition. However, this is important to coordinate the initiatives, regulations and projects across the EU in this field, so that there is no unnecessary overlap. For example the draft on the Single Digital Gateway Regulation largely supports the principle of Once Only, and seeks to regulate the exchange of certain documents between Member States. MS 17 s experience with Once Only shows, that there is a great deal of work in developing and coordinating data semantics for such a project. It is a costly and complicated part of the project already at national level. Proposals should also take into account both the GDPR and the forthcoming Regulation on the free flow of non-personal data in the EU, and the Tallinn Declaration on egovernment and egovernment Action Plan. Member State 18 supports the opinion. 10