Archive for the ‘Arab open government and open data’ Category

In a brief interview for Computer Weekly, Tahseen Consulting’s Wes Schwalje talks about the future of IoT and the need for regional stakeholders to get a lot more serious about personal data privacy and connected device security.

Computer Weekly: Which GCC sectors could benefit most from IoT – and why?

Schwalje: Due to the concentration of economic activity in the GCC in a handful of sectors such as the extractive industries, manufacturing, government services, construction, and utilities we will likely see a concerted effort to disrupt and digitally transform these traditional industries with IoT. Specific sub sectors of focus will likely be oil and gas, petrochemicals, aviation, and, pharmaceuticals as well as government services such as healthcare, education, and utilities. In these traditional sectors, industry incumbents will either take on new roles or be displaced by new industry structures due to digital disruption. A good example of this adaptation in the private sector to avoid digital disruption is Mashreq Bank’s recent announcement about its new digital only spin-off unit. In terms of government services, several GCC governments are deploying IoT as part of smart city initiatives to enhance government service provision, we are seeing interesting connected healthcare pilots emerging like telehealth systems in Saudi Arabia, and there is a significant push to leverage IoT to address transport challenges regionally. At the same time, increasing economic diversification in the GCC, driven primarily by growth in the services sector, is likely to lead to innovative IoT applications in emerging services sectors such as transport and logistics, telecommunications, financial services, and tourism. In the very near future, IoT will become a key aspect of GCC economic diversification strategies and ultimately global and regional competitiveness.

Computer Weekly: How might life in the GCC look different in ten years, due to IoT technology?

Schwalje: The data gained from IoT is the foundation for a range of emerging technologies such as machine learning, robotics, automation, 3D printing, artificial intelligence, and augmented. For this reason, we will see a significant uptake of IoT over the next decade. Data is quickly becoming vital to the profitability and success of GCC businesses as well as enhanced efficiency and effectiveness of government service delivery. In terms of specific applications of IoT, we are likely to see smart asset monitoring, employee tracking, energy consumption monitoring, product usage and monitoring, business process automation, smart security, and wide area control systems. While the potential of IoT in the GCC is promising, more effective, consumer-oriented laws and regulations on data in the GCC and throughout the Arab World are needed to address how data can be obtained and used, how long data can be kept, and limits on access by third or other government related-parties. A modern, harmonized GCC data protection framework is a critical requirement to maximize the benefits of the IoT.

In his recent paper Open Data: A Paradigm Shift in the Heart of Government Ali M. Al-Khouri, Director General of the Emirates Identity Authority, cited Tahseen Consulting’s work on how social media technologies can be used to increase transparency and openness of Arab governments.

Al-Khouri cites Tahseen Consulting’s white paper An Arab Open Government Maturity Model for Social Media Engagement in explaining the need for governments to reflect joined up policy by reducing data silos. Tahseen Consulting’s social media maturity model challenges previous models of e-government and open government maturity based on the experiences of Western countries by offering region-specific guidance that accounts for the unique governance tradition of Arab public sector entities.

Our Arab government social media maturity model has been cited as a potential model for Korean public sector entities, highlighted by the World Bank as a valuable approach in communicating with Arab youth, and referenced in the World Wide Web Foundation’s Open Data Barometer.

You trust financial institutions to look after your money, but can you trust them to safeguard your personal financial information? By reviewing the data privacy practices of several of the major banks in the UAE, we investigate how UAE personal financial data privacy policies can be improved to offer consumers more control over their personal data.

As the internet continues to expand as a convenient way for UAE consumers to shop for financial services, we focused on understanding the personal financial data privacy practices of 14 of the UAE’s domestic and foreign banks from their websites. Nowadays safe banking involves making good choices particularly surrounding protecting your personal financial information to avoid costly surprises and even scams.

View Our Other Work on National Data Regulations and Standards in the GCC

Is Open Data Leading to Better Government in the GCC?

Banks know a great deal about consumers – they know how much you earn, how much you spend, where you spend your hard earned Dirhams, where you work, what your title is, your address, your phone number, your e-mail address, the languages you speak etc. How do financial institutions use this personal data?

As we discovered, many of the banks in the UAE use this personal data to market services to you directly or through third party affiliates. This is why you are receiving SMS messages on a Wednesday at 3 PM from your bank promoting a 40% discount on Japanese cultured pearl necklaces even though you are not in the market for pearls. There appears to be no easy way for consumers to compare UAE financial institutions’ personal financial data privacy policies. Because you likely haven’t read your bank’s data privacy policies, we analyze them for you in this blog post.

Are Some Banks Better (or Worse) Than Others?

According to the UAE Banks Federation Code of Conduct, banks must use reasonable care to prevent unauthorized disclosure of client information and can only release confidential information when permitted by law. By law, UAE banks require consumer authorization to share private financial information with affiliated companies and third parties that market products or services to customers. However, there are no laws in the UAE that specify how financial institutions should notify consumers of their institutional data sharing practices or which extend consumers the right to limit or opt out of sharing their private data. In some countries specific laws contain financial privacy provisions which give consumers the right to opt out of sharing their personal information with affiliates and third parties for marketing solicitations via telemarketing, SMS, direct mail marketing, or electronic mail.

Since institutional data sharing polices in the UAE are devolved to individual financial institutions, there are significant differences in financial institutions’ privacy practices. For example, there is significant variance in the provisions of online privacy policies of UAE financial institutions with several institutions failing to offer online privacy policies in Arabic. Institutional data sharing practices are also commonly buried in 50+ page terms and conditions documents which are not consumer friendly.

In the absence of standardized disclosure of institutional privacy practices, there is significant opportunity for UAE financial institutions to distinguish themselves by adopting more consumer friendly privacy practices. In a recent study Tahseen Consulting conducted on data sharing practices of financial institutions in the UAE, we found that only three of the UAE’s 10 largest banks allowed consumers to opt out of sharing their information for marketing solicitation. However, even these institutions failed to offer clear processes on how consumers could opt out of sharing their private data.

Data sharing practices of financial institutions in the UAE

In a recent study Tahseen Consulting conducted on data sharing practices of financial institutions in the UAE, we found that only three of the UAE’s 10 largest banks allowed consumers to opt out of sharing their information for marketing solicitation.

Mandated annual privacy disclosures in a standardized format which would explain with whom data is shared, what data is collected, how data is collected, why data is shared, and explain opt-out rights would significantly improve industry data privacy practices. Until the UAE mandates such disclosures, it is extremely difficult for consumers to distinguish between the data sharing practices of financial institutions. The only way for consumers to fully understand how their private information will be treated by a particular financial institution is to read their bank’s standard terms and conditions. Unfortunately, banks don’t make this easy for consumers, and consumers will have to search through a lengthy document to locate the bank’s data sharing provisions. However, the majority of UAE banks do not offer consumers the right to opt out of sharing their personal information with affiliates or third parties. UAE financial institutions generally make the holding of an account contingent upon consumers agreeing to the sharing of their personal information for marketing purposes. The only way to avoid having your information shared for marketing purposes is to cease to be a customer.

US Model Privacy Form for Financial Institutions

Financial institutions in the US are required to make annual disclosures to inform consumers of how their personal financial information is shared and what rights they have to limit the sharing of their data. The financial services industry in the US adopted a standard disclosure format to make it easier for consumers to compare privacy policies between financial institutions and more easily opt out of banks sharing certain types of information for marketing purposes.

I Never Agreed to This. Did Your Read the Fine Print?

While there is no federal law that protects personal information in the UAE, a number of laws have broad protections that prevent the sharing of information about an individual’s private or family life without consent. For example, the UAE Credit Information Protection Law contains provisions which require written approval to share confidential consumer credit information. However, many consumers in the UAE don’t realize that they provide written authorization to their bank to share credit, financial, and personal information with affiliates and third parties when they complete account opening procedures. After a consumer opens an account, banks continue to gather personal information, including data such as postal and e-mail address, phone numbers, employment, financial status, and credit history, from transactions and applications for services such as funds transfers and loans.

When consumers complete account opening application forms, they must agree to a declaration that indicates they have read and agree with the financial institution’s general terms and conditions for holding an account and using internet banking services. Within these documents, which are often difficult for consumers to read and understand, financial institutions retain the right to share a consumers’ private information with affiliates, companies related by common ownership or control, and third parties, nonaffiliated financial companies with a formal agreement with the financial institution to market products or services to the bank’s customers. Several banks also retain the right to share private information with affiliates and third-parties in countries outside the UAE.

Example Declaration From Account Sign Up Form Authorizing Your Information To Be Shared

You just signed this declaration when you opened your bank account, but did you read Clause 5 on page 7 of the General Terms and Conditions for Banking Services regarding how your personal information is used and shared for marketing and other purposes?

Since UAE laws do not contain provisions restricting information sharing among companies related by common ownership or control, personal information (such as name, address, and account number) and account information (such as type of accounts, account balances, and transaction history) can be shared for marketing purposes. For example, if a large bank has affiliated subsidiaries that offer private banking, financial management, or insurance services, all of the consumer’s information can be freely shared for cross selling additional services. The UAE’s approach is similar to the United States in which the Gramm-Leach-Bliley Act allows companies to share personal data with affiliated entities with the exception of information on creditworthiness. However, in Europe, the European Union Data Directive prevents banks from sharing personal data between affiliated entities to cross sell services unless the information was specifically collected for marketing a particular service.

When consumers complete account opening application forms and agree to a financial institution’s general terms and conditions, they also typically authorize the financial institution to share their information with third parties which have formal agreements to market products and services to consumers via telemarketing, SMS, direct mail marketing, or electronic mail. Generally, third-party service providers have access to Personal information (name, address and account number), Account information (type of accounts, account balances and transaction history), and Transaction information (dates, amounts, locations and type of transaction) but not account numbers.

Because the UAE has residents from so many countries, reactions to telemarketing, SMS, direct mail marketing, or electronic mail marketing solicitations range from apathy to consumers becoming extremely irate because they do not know how a particular entity received their private information and are unable to remove themselves from a marketer’s database. The marketing departments of financial institutions use personal data to market directly to existing clients, cross sell products of affiliated companies, and form joint marketing partnerships that allow third parties to target customers with solicitations for other products and services. Financial institutions and third parties who have entered into formal agreements with a particular financial institution do not need to purchase databases to sell into their existing client base since they already have substantial private information about consumers already.

What Could Regulators Do to Prevent This Issue?

  1. Mandate annual privacy disclosures in a standardized format in Arabic and English which would explain with whom data is shared, what data is collected, how data is collected, why data is shared, and explain opt-out rights would significantly improve transparency of industry data privacy practices;
  2. Similar to Europe, the UAE could enact a law which would mandate that data must be collected for specified, explicit purposes and not further processed in a way incompatible with those purposes;
  3. Enact federal laws which would compel financial institutions to implement simple opt-out processes so that consumers canlimit the transfer and use of personal information;
  4. Require financial institutions to provide easy access to privacy policies at branch offices and online through a single web site with opt-out information;
  5. Financial institutions could be required to provide simply stated and clear privacy policies following common standards for readability to stop the current practice of banks including data sharing provisions in general terms and conditions that must be agreed to in order to hold an account;
  6. Clarify the rights of individuals to protect their privacy and seek remedies if their privacy rights are violated and stop the practice of allowing banks to indemnify themselves from damages which might result from the sharing of personal information with third parties;
  7. Regulate the sharing of private information to countries outside the UAE;
  8. Give individuals the right to review information that is disclosed or to correct inaccurate or incomplete data.

GCC leaders must adjust policies to move beyond low impact forms of technologically-driven citizen engagement that do not address public demands for increased accountability, improved performance, and participation in decision making

While the use of technology is a common denominator between Arab open data initiatives and those in other countries, leadership, social, cultural, and institutional factors have negatively influenced the effectiveness of open data initiatives in the GCC. According to a new Tahseen Consulting report, most GCC open data initiatives are severely lacking in comparison to open data programs in OECD countries.

The report outlines a comprehensive framework and best practices that Arab governments can use to improve open data initiatives and bring them into alignment with good practice from OECD countries. Any information such as transit schedules, hospital locations, school enrollment data, birth statistics, traffic data, or weather trends might qualify as an open government initiative. However, by focusing on low priority government activities, GCC open data initiatives rarely provide additional information that is not already available via traditional media or institutional websites.

View a Summary of the Report’s Findings

Is Open Data Leading to Better Government in the GCC?

While the embrace of open government to complement public sector service provision is still in its infancy in the GCC, there is much expectation that open data will have a transformative impact on citizen participation, policy formation, and the way public sector entities conduct business. Relative to OECD countries, most GCC governments focus on national data portals rather than regional and city initiatives, have not enacted right to information laws, fail to engage civil society and academia in efforts, and lack education and training courses for developing more effective open data programs, the report says.

Drawing on examples from OECD countries, Tahseen Consulting’s report Is Open Data Leading to Better Government in the GCC? Identifies several policy, implementation, and data improvements that GCC governments can undertake to make the most of regional open government and data initiatives.

“There are many examples of open government and data best practices from the OECD countries that need to be applied more effectively in the GCC,” said Wes Schwalje, Chief Operating Officer of Tahseen Consulting and author of the report. “Use of technology is not a substitute for deeper reform towards transparency, accountability, and cooperation. Current open data initiatives must go beyond releasing data on non-sensitive political topics towards the release of data which involves the public in a participatory dialogue that can shape decision making, policies, and public service delivery.”

How GCC Open Data Initiatives Compare to OECD Benchmarks

Although several GCC countries have invested heavily in open government and data programs and establishing e-government authorities, Tahseen Consulting’s research finds that GCC government open data programs may not be adequately meeting citizen needs. GCC governments must adapt to new citizen expectations for participation and engagement, coproduction of government services, crowdsourcing solutions to societal issues, and increased transparency and accountability.

View Our Other Work on Open Government and Data in the Arab World

An Arab Open Government Maturity Model for Social Media Engagement

GCC governments must respond to evolving citizen expectations by showing clear senior level commitment to open government and data programs, establishing federal implementation guidelines, and ensuring sufficient resources. “GCC governments must become much more specific in establishing guidelines and data standards for open government and data initiatives,” said Walid Aradi, Chief Executive Officer of Tahseen Consulting. “Most federal guidelines in the GCC remain at a general level and only outline basic principles without specifying how government entities should implement open government and data programs and what types of data should be released.”

Tahseen Consulting has developed an Open Government and Data Diagnostic Tool to help GCC governments adopt more effective practices to make the most of open government and data initiatives. Tahseen Consulting’s diagnostic tool provides a comparative framework that enables entities to determine specific organizational changes that need to be made in order to reach higher stages of open government and data maturity and compare their organization’s maturity level to other entities in the region.

Insights to Help GCC Governments Succeed With Open Government and Data Initiatives in Response to Increased Citizen Expectations

Lack of guidance on how to implement open government and data good practices and regional governance traditions have led to several public sector entities introducing politically low impact programs that fail to enhance transparency, citizen participation in decision making, and collaboration in public service delivery. “Technology often solidifies existing institutional practices rather than changing long standing organizational behaviors,” said Schwalje. “Bringing Arab open government and data initiatives in line with the spirit of programs in OECD countries will require reforms at the national level as well as substantial organizational changes at many entities.”

Tahseen Consulting’s research identifies several ways in which GCC governments can align open government and data programs with similar initiatives in OECD countries.

Enact Right to Information Laws. Many Arab countries do not have right-to-information laws, don’t permit citizens to request data, and have no mechanisms via which to handle citizen requests for data. In several countries, right to Information laws will need to be passed to overcome a prevailing culture of secrecy that limits citizen access to information.

Enact Personal Data Protection Laws. The principle of a right to privacy of personal information is codified in some Arab constitutions and contained in laws that require consent for collection and processing of personal data However, very few countries have federal laws that protect personal information. Many of the data privacy policies in the region have broad clauses related to taking measures to prevent use and disclosure of information but do not specify particular methods of compliance. Updated personal data protection laws are required to reduce citizen concerns about how their personal data is used.

Increase Civil Society Engagement. There is little evidence which suggests that civil society or information technology professional groups are being actively engaged by governments in forming open government and data strategies, identifying data requirements, or in increasing citizen use of open data. Open data initiatives are generally designed to broadcast data rather than create a genuine dialogue about what data might be required by the community. There is a significant role that civil society can play in defining the types of data citizens might find useful and in analyzing publicly available data.

Establish Regional and City Initiatives. The majority of entities with open government and data initiatives are federal ministries, authorities, or agencies. More emphasis on creating regional and city initiatives is required to ensure local needs are being met.

Increase Academic Participation. There is very little evidence that the academic community and academic institutions publish open data as a part of fulfilling their research mandates. For example, grant guidelines for receiving funding from national research funds rarely contain stipulations to publicize data which could be useful to other researchers. An institutional research culture which supports sharing of data must be instilled to promote higher impact research.

Improve the Education and Training System. At the higher education level, many public and private universities offer computer and information science degrees which address concepts related to open government and data. While degree programs cover technological subjects, many programs fail to sufficiently provide more extensive training on areas such as data science, visualization, legal issues related to open data, and open data entrepreneurship.

For more on Tahseen Consulting’s work on open data in the Arab World and other findings in the new report, please visit http://www.tahseen.ae/r&iarabopendata.html.