Last November, I visited the Danish government. This was a follow-up to my interview three years ago before the start of OCES II [11]. The person I met was Charlotte from the Danish Ministry of Finance, the same person as last time.
As always, the Danish government's approach is very instructive. The spiral process of trying things out, fixing the flaws, and trying things out again is working very well. The current OCES II also has many problems, but I'm sure they will be fixed in the next cycle.
This visit prompted me to start thinking about how we would go about redesigning e-government in Japan today.
In my opinion, the requirements for e-government are as follows:
- Dramatically reduce administrative costs (direct, indirect, time)
- By promoting the division of labor and exchange, it will serve as a catalyst for improving productivity (= economic growth) throughout the economy.[2]
- Don’t crowd out the private sector
As a result, the following eight measures are currently in mind:
- Measure 1: Establishment of a privacy and trust framework
- Measure 2: Integration of the Resident Registration Network and introduction of national-level identity management
- Measure 3: Introduction of a registered account system
- Measure 4: Introduction of an electronic contact registration system
- Measure 5: Abolish the (current) public personal authentication system and introduce an electronic credential registration system
- Measure 6: Introduction of an electronic mailbox system
- Measure 7: System for inputting structured data of submitted documents, etc.
- Measure 8: Periodic review system
I should be discussing each of these measures, including the current situation, the outline of the measures, and the benefits of their introduction, but this would take time since I would be doing it in my spare time, and the blog would be too long to write about. So I'll just write a few lines about each of them here. I'll probably write the details in an e-book at some point.
Measure 1: Introduction of Privacy Trust Framework
When introducing new systems or institutions, consideration of privacy is unavoidable in a liberal society. Even when considering the My Number system, the Supreme Court ruling on the Resident Registration Network was a cause for concern from the start, and as a result, a third-party organization was established to carry out PIA. However, the scope of this organization is narrow, and it is not powerful enough to implement the bold measures described above. In order to overcome the Supreme Court ruling and aim for economic development through the personal data economy, a privacy trust framework centered on a stronger third-party organization is necessary.
In the current state of cyberspace, most stakeholders handle all authentication, authorization, personal information management, and service provision themselves, and data exchange between services is extremely limited. This is a primitive state where division of labor has not progressed and no data exchange is occurring. It goes without saying that if we could achieve a division of labor in accordance with the principle of comparative advantage[3], we could expect significant economic growth. However, this will require the transfer and utilization of personal data as needed. To achieve this,
- The source of transfer will only transfer the minimum amount of personal data necessary.
- The recipient will only request the minimum amount of personal data necessary.
- The company has established a safety management system that meets or exceeds a certain standard (Level of Protection, LoP).
- The recipient gives the individual a certain level of control over their personal data (Level of Control, LoC).
It is necessary that the following conditions are met. Of course, without any certification, individuals will not know what level each company or organization is at. The mechanism for certification and suspension of certification, or the Trust Framework, allows this to be known.
Specifically, certification bodies issue certification guidelines based on requirements that comply with internationally agreed levels, assessors conduct assessments based on those guidelines, and the certification body issues its certification using the assessment results. If it is discovered that the certification standards are not being met, the certification will be suspended immediately. This ensures a certain level of privacy as long as the flow of personal data between certified institutions is closed.
Without this, it would be impossible to release personal data held by the government to companies. As a prerequisite for introducing the following measures, the Privacy Trust Framework must first be introduced.
Measure 2: Introduction of national identity management
Identity management (registration, updating, storage, deletion, etc.) is the foundation of modern systems. However, Japan does not have a satisfactory system. The Resident Registration Network is the next best solution, but it is still struggling with the aftereffects of the Resident Registration Network lawsuit, making it difficult to expand. It is also architecturally outdated and expensive. In fact,House of Representatives minutesSo, the following numbers are listed:
- Total annual expenses: Approximately 190 yen (excluding system costs on the part of the local government)
It seems like too much for a system that manages only 4 million people's worth of information, including "four pieces of information (name, date of birth, gender, and address), plus resident registration code and change information." The reason for this is likely due to the old architecture that tightly couples systems distributed across 1800 local governments across the country with dedicated lines and communication servers.
If you switch to a modern cloud-based, loosely coupled system or a Web API-based system,
- Costs will be lower
- Easier to scale
You should be able to enjoy benefits such as:
The following is an example of what the post-integration image could look like:
- Introduction of IdM Framework (e.g. ISO 24760-1)
- Ensuring proper information quality: (e.g. ISO 29115)
- Implementing appropriate identity verification processes: (e.g. New Zealand Government Evidence of Identity standard)
- Introduction of core number (invisible universal immutable number)
- Use the core number to manage the following information:
- Name at birth
- Current name
- Date of Birth
- Place of birth
- Sex
- Create separate subsystems to handle:
- Residence
- Registered Account
- Electronic Contact
- Electronic Credentials
- Electronic mailbox
- Face photo
- A REST API will be defined to allow for free system development. The API will be protected by OAuth 2.0.
- The network is the Internet, but mutual authentication and encryption are performed (mutual authentication follows ISO 29115).
This would allow for dramatically cheaper and more importantly more "flexible" systems to be built.
As part of this development, we will also be moving forward with a system of registering facial photographs. Currently, there is no data linking resident registration or family register data to a person's physical body. To do this, some form of biometric information needs to be recorded in a database, but if it is to be used rapidly in times of disaster, for example, facial photographs would appear to be the easiest to use. However, this registration will not be completed overnight. Initial registration is an easy target for identity theft. This needs to be carried out as a 10-year project, with reference to New Zealand's identity verification standards, etc.
Measure 3: Introduction of a registered account system
Denmark and other Nordic countries have introduced a registered account system. Tax refunds and various other benefits are deposited into this account. Currently in Japan, it is necessary to ask citizens for their bank account information and set up a bank account for each system, which imposes a huge cost (direct, indirect, and time) on both civil servants and citizens. By introducing a registered account system, these costs can be dramatically reduced.
Another advantage of this system is that banks will promote it on their own without the government having to do anything. Such educational and outreach activities cannot be overlooked. In that sense, the registered account system is of great value.
Measure 4: Introduction of an electronic contact registration system
When the Basic Resident Register was created, the postal address was the primary contact point. That's why "addresses" are recorded. But that's no longer the case. Internet addresses (email, SMS, etc.) have now taken over as the primary contact point. These are not necessarily capable of receiving large amounts of data, but are of course acceptable for notifications. This can replace the current administrative notification procedures. This will make it possible to send notifications extremely cheaply and quickly. The electronic post office box described below also uses this notification system.
Measure 5: Abolish the (current) public personal authentication system and introduce an electronic credential registration system
The current public personal authentication system is a triple whammy: the hurdles of acquisition, use, and the quality of the certificate. If we were to do something like this, we should do something equivalent to the European Qualified Certificate, but in Japan, there are several issues that make it difficult: (1) identity verification standards have not been established, (2) the quality of the underlying database is low (much of the data is based on self-application), and (3) there is no way to link data with the body. In addition, the probability that an individual would carry out work that requires such a high level of credentials is low, so it would not be cost-effective.
Therefore, the current public personal authentication service will be abolished for the time being [4], and credentials such as those from banks will be made available for e-government access as well.
In addition, a trust framework will be introduced to ensure the quality of credentials (Level of Assurance, LoA).
As multiple credential providers compete with each other, improvements in services are expected.
When registering, the electronic contact information in Measure 4 will be used.
Measure 6: Introduction of an electronic mailbox system
In the context of document digitization and e-government, "PDF" is often thought of as digitization. However, while this is better than nothing, it is far from the desired state. Ideally, data should be distributed in a structured, reusable form.
An electronic post office box system will be introduced as a mechanism to provide storage of this structured data.
The electronic mailbox here is a structured storage provided to each individual, allowing various data to be extracted at the individual's discretion.
The electronic post office box itself will be provided by multiple (private) providers, and various applications provided by third parties will access the standardized API to provide value-added services. This is truly the core of the personal data economy. Since multiple providers provide it, competition will occur, and continuous service improvement will be expected, while the cost to the country will be reduced.
In addition, this system will be a catalyst for a five-year transition period to completely eliminate paper documents issued by government offices. All will be digitized. Measures against digital de-bytes will include certifying private services (writing, printing and delivering, etc.) and providing subsidies if necessary.
Measure 7: System for inputting structured data of submitted documents, etc.
Currently, Japan's 1800 local governments have their own formats for many of the employee-related documents they require companies to submit. This forces companies to submit documents in different formats for each recipient, which is inefficient. If these documents were converted into structured data and sent to the national government in bulk for distribution to local governments as appropriate, the burden on companies would be significantly reduced. This would also contribute to economic growth through increased efficiency.
Furthermore, if we take this opportunity to standardize and structure receipts and other documents so that they can be issued electronically, it will have a tremendous effect.
Measure 8: Periodic review system
No matter how well-thought-out a system or institution is, there will always be issues and it will become obsolete due to technological advances. Therefore, rather than relying on past examples and precedents as golden rules, we need a system that allows for rapid change every 3 to 5 years or so. This is probably the area where bureaucratic organizations are weakest. If that is the case, then this system itself must be institutionalized. And then we must create a system that rapidly turns the PDCA cycle.
Conclusion
The eight policies this time have not included the commonly-mentioned "pre-printing tax returns." This is because this is an application service, and is merely one of the applications built on the "platform" that the seven policies above will realize. [5] Such application services will likely begin to be offered in large numbers once the platform is in place. The rise of Facebook applications and Apple's App Store are evidence of this.
Japan's e-government is now being asked to shift from application-based to platform-based. This is what they call Gov 2.0.
[1] An electronic signature and authentication initiative by the Danish government. OCES I was launched in 2003. According to an interview with the Danish Ministry of Finance on November 2012, 11, OCES II is currently being offered through banks as Nem ID/Nem Login (easy ID/easy login), with 22 million of the 16 million citizens aged 450 and over being active users, 400% awareness, and 100% of users being satisfied.
[2] In this regard,Matt Ridley's "When Ideas have Sex"is very suggestive.
[3] If you don't understand, see [1]"When ideas intersect"Please take a look at this. You will be able to understand this in just 10 minutes, even without reading an economics book.
[4] Abolish the system that requires public personal authentication to access e-government. In addition, we must discard the fiction that the current public personal authentication is LoA4, and in light of the reality that it is at best LoA2, we must restart it as a long-term project aiming for LoA3 or 4. To do this, we must first establish identity verification standards and distribute LoA4 certificates to civil servants. In addition, to create such a system efficiently, we must create a chain of trust by leveraging the employment relationship (civil servant → manager → employee → family) for company employees and the relationship (civil servant → teacher → student) for schools, and register identity and distribute credentials. By doing so, we must ensure reliability and coverage, otherwise services that use it will be double investments with no ROI, and they will end up not introducing it, and individuals will not see the benefits of using it because there will be fewer places where it can be used. If it is distributed well, we should be able to increase coverage significantly in three to five years, so we should make a plan and move forward with a coverage of 70% for now. (Added 2014/8/26 to clarify the meaning of "current")
[5] This system compiles legal forms submitted by companies and electronic receipts obtained by individuals, deposits them in individuals’ electronic mailboxes, and notifies their electronic contacts. It can be built inexpensively with the above platform.