Being open by default
As part of the Wales Audit Office’s Cutting Edge Audit project, I am working on an Open Data prototype. During this work, colleagues told me that we could improve our approach to data. Not acquiring new data though – most colleagues said their biggest issue was better knowledge of, and access to, data that the office already held.
Our organisation has two specialist practices – financial audit and performance audit. This division facilitates specialism, so that we have colleagues with incredibly good knowledge in their fields of expertise. However, it also means that we have to work hard to break down organisational silos, sometimes reinforced by the systems we have in place.
Safeguarding data is an important feature of the way we have set up our information systems. Network folders are protected. Access is only available to specific teams and personnel, which means that the data within them is closed to others by default. Our SharePoint system is also set up in a similar way and the search functionality is not as good as it might be. All of this means that unless you know where the data is held, you’re unlikely to find it.
Learning from other audit offices
In my last post on the Queensland Audit Office’s work, I mentioned a well-travelled colleague called Tom Haslam. Tom has worked at the Office of the Auditor-General (OAG) in Wellington, New Zealand. And while there, the OAG identified similar problems with how they organised and held their data.
To address this, the OAG implemented a new SharePoint-based information system and complemented this with some pilot cross-office groups known as ‘iShare’. These groups were based around cross-cutting functional topics (for example the Transport iShare) with the aim of helping to break down organisational silos and promote a one-team approach across the office.
Adopting a new information system gave the OAG an opportunity to debate the relative merits of information systems being open or closed by default. This was discussed across the office through various channels.
The previous information systems had encouraged a mainly ‘closed until open’ approach. But the general feeling was that closed data might prevent the office from making the most of the information that they held. The natural tendency of all auditors is to be cautious, so under a ‘closed unless open’ approach, setting information as ‘open’ might be viewed as a risk best avoided, even if this approach wasn’t justified. On a practical level, having information closed off requires various permissions and access rights to be set up. This alone can be a barrier to sharing data.
The OAG structured its new information system so that information was ‘open unless closed’ with metadata to help staff find what they wanted. This approach facilitated sharing, encouraging staff to think about how they could add value by joining up information. A default setting of ‘open until closed’ made staff think more carefully about why they should want to close off access, for example material with national security implications or identifiable personal information.
On a technical level, a cleaner configuration of the IT system without endless permissions and restrictions made the system run more reliably. The improved reliability of the new SharePoint system led to time savings, and increased staff confidence and satisfaction with IT. The iShare pilots encouraged group members to look actively for opportunities to work jointly and share information.
As these pilots progressed and reported their successes to the wider office, they encouraged a more open outlook across teams – ‘look we shared stuff and worked together and it hasn’t all turned to custard’ as our kiwi cousins might say.
Tom also thought there was a trust dimension. Handling sensitive client information is part of an auditor’s day job. Therefore, opening up data was a clear signal that the OAG was a high trust environment.
However, change is a journey and the OAG report that its experience is no different. It continues to encourage and aim for an environment where information is open until closed. But it hasn’t always been plain sailing since introducing the new information system. Some staff have embraced the opportunity to openly share information. Others have been more hesitant in sharing information more or are yet to change what they have always done to be more open. The OAG has had to periodically promote and reinforce the new approach. It recognises that a change of this magnitude won’t happen overnight or without a sustained effort. But the end – using collective knowledge to influence improvement and improve accountability – justifies the effort.
How this fits with the work of the Good Practice Exchange
Our Good Practice Exchange work on effective data sharing shows that this relies on the principle of adopting proportionate steps when safeguarding data.
In a previous blog post on whether data sharing was a barrier to public service improvement, I included a quote from the Information Commissioner, which said ‘People want their personal data to work for them. They expect organisations to share their personal data where it’s necessary to provide them with the services they want. They expect society to use its information resources to stop crime and fraud and to keep citizens safe and secure.’ It’s also well worth watching Anne Jones, the Assistant Information Commissioner for Wales, outlining how data can be shared effectively.
The upcoming General Data Protection Regulation will ramp up the safeguarding of data a few notches, but it’s also an opportunity to reconsider how we can share data effectively. Particularly, how we make sure that auditors are confident enough to make the most of data collection and sharing.
Previously I have blogged about our staff trust event, where we heard that trust is essential if public services are to take well-managed risks, innovate and deliver public services that are truly fit for the 21st century.
Tom is leading on a separate project within the Wales Audit Office to look at how we’re using our information systems including SharePoint. One option we’re considering is the use of SharePoint Online, which would make it easier for us to develop an area that could be accessed by external bodies and partners – a portal. Leigh Dodds ‘s post provides a good overview of what a portal might contain.
A portal would allow us to share data with audited bodies and partners more effectively. We’re testing this concept with a SharePoint based prototype portal for some of our health colleagues. Learning from this will feed back into Tom’s project. And if working on the Cutting Edge Audit project has taught me anything, it’s that joined up and collaborative approaches are the best way to ensure we add real value to the work that we’re doing.