NIK about public services provided electronically

The COVID-19 pandemic and the whole range of constraints on the state’s functioning made digital contact with the public administration the only option. As a consequence, the number of services obtained via the ePUAP and the trusted profile has gone up significantly. The growing interest in e-services results in an increasing load on the ePUAP platform. To date the platform has been frequently unstable or temporarily unavailable. Uninterrupted and efficient operation of e-services is the key to the proper functioning of the public administration and the Polish state in the digital world. For citizens it is vital that the state provide electronic services covering the issues most important to them, on the largest possible scale.

Figure: Number of e-services provided via ePUAP in 2016-2020. 2016 – over 265 thousand; 2017 – over 3.8 million; 2018 – over 69 million; 2019 – over 137 million; 2020 (first half) – nearly 99.5 million. Source: NIK’s analysis based on audit data.

During the audit of public electronic services in 2015, NIK established, among other things, that e-services were not used on a large scale and some of them were not used at all. Some clients preferred in-person customer service. Barriers indicated by the auditees included the pressure to deliver some documents to the office on paper (as a result, some matters could not be settled as part of e-services, i.e. without visiting the office). The problems with availability of e-services placed on the ePUAP platform also did not encourage people to use the electronic path. Other audits, such as the one dealing with information security management in local government units, also pointed to numerous irregularities in terms of information security in public offices.

Key audit findings

In the audited period, the number of e-services provided by the central bodies of the state administration went up from 72 to 148. The Minister of Digital Affairs provided 30 central e-services. The social demand was defined based on the survey of 2016. The report showed that for 61% of respondents the key thing to settle on the Internet was the issue or replacement of documents, whereas for 51% those were health issues (making doctor’s appointments, online consultations, e-prescriptions), and for 45% the most important services were related to vehicle registration.

Besides, nearly 80% of the survey participants indicated that they would like to receive document expiration notifications and almost 70% would like to be notified that a document is ready to be picked up. As for e-services provided via the ePUAP, the most popular one was “Check vehicle history”.

Since 2016, the number of people having the trusted profile has increased more than 13 times. The Minister of Digital Affairs has conducted several campaigns to promote creating this profile. In April 2020, due to the COVID-19 epidemic, the Ministry enabled creation of the temporary trusted profile, which was valid for three months. One could create it without visiting the office and without the necessity to seek authorisation in banking systems. The client’s identity was verified in a video chat with a public official. By 30 June 2020, as many as 12 thousand temporary trusted profiles had been created. In May 2020, the eDO App application was launched, which enabled clients to create and confirm trusted profiles and to log in to e-administration services using e-ID cards and the NFC technology in mobile phones. By 2 July 2020, the application had been downloaded 44 thousand times and trusted profiles had been confirmed with e-ID cards 3.8 thousand times. By 9 July 2020, the number of logons to public services with an e-ID card totalled 41 thousand.

Figure: Number of trusted profiles in 2016-2020. 2016 – nearly 655 thousand; 2017 – over 1.3 million; 2018 – over 2.5 million; 2019 – over 4.6 million; 2020 (first half) – over 7.2 million. Source: NIK’s analysis based on audit data.

Despite strong commitment to creating the ePUAP and trusted profile systems, NIK has identified some irregularities on the part of the Ministry. First of all, it failed to provide independent verification of whether the calculations increasing the costs of the ePUAP maintenance and development agreement, prepared by the Centre for Information Technology (CIT), were correct. Signing an annex to the ePUAP and the trusted profile agreements resulted in an increase of CIT’s maximum remuneration by nearly PLN 70 million. No documents confirming that the Ministry employees or external experts independent of CIT verified the valuation were submitted for the audit. According to NIK, the absence of such a valuation and reliance solely on the calculation made by the service provider was unreliable.

The principles of calculating availability of the ePUAP platform and the trusted profile in agreements between the Ministry and CIT were also not developed properly. In the systems maintenance agreements the availability was defined at 98% for the ePUAP platform and 99% for the trusted profile system. Adopting these values means that those services could be completely unavailable for 7.3 days in a year for the ePUAP and for 3.6 days for the trusted profile system.

Since the ePUAP and the trusted profile systems are of great importance for citizens and for the functioning of the public administration, NIK takes the position that the relevant agreements should guarantee availability at a level close to that of banking IT systems, i.e. 99.9%, which is particularly important in the COVID-19 epidemic. According to NIK, the critical incident definition adopted in the systems maintenance agreements is too narrow. As a consequence, a breakdown that would justify classifying an incident as critical can hardly occur in practice. That is why users’ significant problems with access to the systems were not recognised as critical incidents having an impact on the systems’ availability. The systems maintenance agreements also provided for overly long times for handling users’ requests. That could make it difficult for both citizens and public offices to use the ePUAP and the trusted profile.

Another irregularity in the systems management was the incomplete rollout of the Information Security Management System in CIT. NIK has not questioned CIT’s efforts to fully implement the ISO/IEC 27001 standard. It has noted, though, that although more than four years had passed, the standard was not implemented (by the audit end date). CIT also failed to carry out full security tests of the ePUAP and of the trusted profile. According to NIK, complete tests are essential to confirm that the systems are secure. On the other hand, the technical and organisational solutions adopted by CIT ensure continuity of both systems in case of a critical failure or a disaster.

Apart from the Ministry of Digital Affairs and the Centre for Information Technology, the audit also covered 28 municipal offices. The offices provided citizens with 10 to 232 services on the ePUAP platform and requests submitted online were handled impeccably. Local government units are not obliged to render e-services, apart from some statutory exceptions, so they may differ in numbers. According to NIK, more and more e-services should be provided, taking into account the most popular ones.

Only one public office did not make any effort to inform citizens that they can be served via the Internet. In nine offices the information about e-services was incomplete, hard to understand or hard to find on the offices’ websites. NIK is of the opinion that the absence of effective methods of informing citizens about electronic services may be one of the reasons for their limited interest in this service channel. NIK has underlined that e-services need to be popularised on a broader scale.

In 16 offices the Information Security Management System (ISMS) was not in place. Regulations effective in those entities did not cover all information processed there but were mainly related to personal data protection. The auditees explained that the ISMS development works, including the information security policy, have been planned or are in progress.

Information on IT resources used for data processing was not complete or up-to-date in 11 offices. In seven of them, where an application was used to register hardware and software along with their configuration, it was found that the register was incomplete or the data was unreliable. In four others the register of IT devices was kept as datasheets or paper lists. NIK has pointed out that the scope of information available in the paper register of IT resources is insufficient as it does not contain updated or complete information on IT resources, including their type or configuration. This prevents efficient recovery of the IT infrastructure in the event of a disaster or another act of God.

Obligatory information security audits were not conducted in as many as 16 public offices. In half of them the audit was not carried out in the entire audited period. In eight others, the audit was not carried out every year but less often.

In 12 entities in which the annual audit was conducted, it was recommended that the information processing security be strengthened. Management support was indicated as essential in the office’s efforts to guarantee the security of its information and IT resources, as critical infrastructure for IT operations.

NIK has also looked into issues related to blocking or revoking access rights to IT systems. The study covered 441 employees who finished their employment in the audited period. It was found that in nine public institutions the accounts of 59 former employees were still active. Under applicable law, those rights should be revoked immediately. In one public institution, in the case of 11 employees, the delay ranged from 59 to 931 days.

NIK auditors have also found that about 10% of employees covered by another study could install any software on their computers, although they were not IT employees. That situation may pose a threat of installing malicious software, e.g. while browsing websites.

Recommendations

- to the Minister of Digital Affairs (whose tasks are now performed by the President of the Council of Ministers) to:

  • change methods of calculating availability of the ePUAP and the trusted profile,
  • change definitions of the critical incident for the ePUAP and the trusted profile,
  • when implementing IT projects, have the cost calculation submitted by the contracting party properly verified by the Ministry’s independent experts or competent external experts, and ensure adequate documentation of the process of negotiating remuneration costs for contracting parties.

- to the Director of the Centre for Information Technology to:

  • include incidents that were not closed in a given month when calculating availability of the ePUAP and the trusted profile systems,
  • shorten guaranteed service times for urgent and standard incidents related to the ePUAP and the trusted profile,
  • specify the response time for requests related to the ePUAP and the trusted profile,
  • implement changes in the way of reporting on the handling of requests from the ePUAP and the trusted profile users.

- to presidents of cities, mayors and heads of communes to guarantee information security in public offices, and in particular:

  • to develop and implement the Information Security Management System, particularly the information security policy,
  • to keep and update on an ongoing basis the register of IT resources along with their configuration,
  • to make sure access rights to IT systems are immediately blocked or revoked when an employee finishes their employment in a public office,
  • to ensure that information security audits are conducted periodically, at least once a year.

Article information

Provided by:
Najwyższa Izba Kontroli
Date of creation:
07 May 2021 16:45
Date of publication:
07 May 2021 16:45
Published by:
Marta Połczyńska
Date of last change:
07 May 2021 16:47
Last modified by:
Marta Połczyńska