This chapter will be structured around the three pillars of the Data-Driven Public Sector Framework. It will first explore the policy efforts implemented or considered by the government of Türkiye’s digital strategy in terms of how Türkiye is approaching data governance, applying data to generate public value and recognising the contribution of data to public trust. Based on this analysis, this chapter will then suggest actions that can be taken to help secure a data-driven administration to contribute to their digital transformation journey.
Digital Government Review of Türkiye
7. Moving towards a data-driven public sector
Abstract
Introduction
The COVID-19 crisis highlighted the critical significance of data not only in government preparedness but in the capacity to react quickly in the midst of a crisis and to subsequently prepare equitable recovery initiatives in the long-term. Facilitating data access, sharing, and reuse across the entire ecosystem has helped to foster co-ordinated decisions and collective activities to manage this pandemic. Nonetheless, some responses to the pandemic have seen governments appear to reduce efforts at greater transparency, disaggregating data to unprecedented levels without adopting a persuasive approach to balancing potential dangers with promised advantages. The demonstration of suitable data governance to ensure the ethical and trustworthy use of data has been particularly important in this time of crisis to help protect mutual trust between citizens and governments, which is a critical asset in tackling the pandemic.
As governments have come to recognise the fundamental importance of data to transformation, countries have increasingly adopted strategic approaches to maximise value while limiting potential risks, threats and harms associated to its management. Since governments produce, collect and use data, from personal data in base registries to non-personal data such as environmental data on an ongoing basis, adopting a data-driven public sector (DDPS) approach in the management, sharing and usage of data would not only bring significant value to the public sector, but benefit citizens and businesses as well.
OECD methodology and tools to support more data-driven governments
According to the 2014 OECD Recommendation of the Council on Digital Government Strategies (OECD, 2014[1]), successful digital government transformation relies on several building blocks to support collaboration and co-ordination among government entities. These include creating a data-driven culture in the public sector through frameworks to support the re-use of data and investing in the foundations to unlock the value of data in the delivery of a twenty-first century digital government (see Box 7.1).
Box 7.1. OECD Recommendation of the Council on Digital Government Strategies: Principle 3
The [OECD] Council […] on the proposal of the Public Governance Committee […] recommends that governments develop and implement digital government strategies which:
Create a data-driven culture in the public sector, by:
Developing frameworks to enable, guide, and foster access to, use and re-use of, the increasing amount of evidence, statistics and data concerning operations, processes and results to (a) increase openness and transparency, and (b) incentivise public engagement in policymaking, public value creation, service design and delivery.
Balancing the need to provide timely official data with the need to deliver trustworthy data, managing risks of data misuse related to the increased availability of data in open formats (i.e allowing use and re-use, and the possibility for non-governmental actors to re-use and supplement data with a view to maximising public economic and social value).
Source: Text from OECD (2014[1]), Recommendation of the Council on Digital Government Strategies,
https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0406.
As governments increasingly recognise not only the power and opportunities, but also the numerous challenges of data, it is fundamental to implement models of data governance that enable governments to handle data in an ethical manner and generate public value through its application. In this context, the OECD published The Path to Becoming a Data Driven Public Sector (DDPS) to help countries respond to opportunities and challenges in adopting a whole of government approach to data (OECD, 2019[2]). Figure 7.1 summarises the different elements that contribute to a data-driven public sector:
a comprehensive model for data governance,
the application of data for public value, and
the role of data in public trust
The OECD Digital Government Policy Framework (DGPF) builds on this framework to recognise DDPS as one of the six dimensions contributing to the maturity of digital government efforts (OECD, 2020[3]). The DGPF provides the basis for measuring this maturity through the OECD Digital Government Index (OECD, 2020[4]). In the 2019 edition, notable efforts in terms of data could be identified but, overall, OECD member and non-member countries continued to struggle with the internal challenges of making strategic use of data and exploiting its potential with the OECD average being below 0.5, the lowest of all the dimensions measured by the index (OECD, 2020[4]).
Open Government Data (OGD) provides further fertile ground for the transformative role of data. The publication of public sector datasets to stimulate innovation, provide opportunities for the economy at large and increase government accountability has made OGD an increasingly mainstream topic with the introduction of explicit legislation, dedicated strategies and incentives to increase its use (OECD, 2018[5]). Indeed, the OECD Open, Useful and Re-usable (OURdata) Index: 2019 shows that there has been clear progress across OECD countries, which is encouraging (OECD, 2020[6]). For example, it was found that in terms of data availability, 19 of the 32 OECD countries have made progress when compared to the previous edition, indicating a significant commitment among governments to pursue the adoption of a user-driven open government data agenda. However, challenges still remain and would benefit from both political support and an enabling environment (see Chapter 4) to sustain implementation efforts in the long term. In 2021, the OECD Council adopted the Recommendation on Enhancing Access to and Sharing of Data (EASD), which is the first internationally agreed upon set of principles for how governments can maximise the cross-sectoral benefits of access to and sharing of different types of data while protecting individuals’ and organisations’ rights (OECD, 2021[7]). The adoption of the EASD Recommendation illustrates the growing importance of data in the eyes of countries, including within the public sector, and the call for a data-driven public sector. Based on the DDPS Framework, this chapter analyses how Türkiye is approaching data governance, applying data to generate public value and recognising the contribution of data to public trust.
Data governance in Türkiye
The OECD Framework for Data Governance in the Public Sector has three layers (Figure 7.2). At a strategic level, this reflects the importance of leadership for the data agenda and a vision for its value in supporting digital transformation. At a tactical level, it is imperative that questions of implementation capacity and regulation are addressed. This will ensure that data flows steadily within government, across sectors and borders when needed, and always under the conditions to support trust. In terms of delivery, it is critical that data infrastructure and data architecture are prioritised to simplify the means by which services can access quality data.
Strategic leadership and vision
The first element in defining good data governance is the leadership and vision to ensure strategic direction and purpose for data throughout the public sector. This is often materialised by data strategies, and data-centric leadership roles.
Data from the Digital Government Index revealed that only 12% of the OECD member and non-member countries that responded to the survey confirmed the existence of a single dedicated data policy (or strategy) for the central or federal government, whereas 82% of the surveyed countries embed data as part of broader related policies (e.g. digital government or open data) (OECD, 2020[4]). Overall therefore, a majority of countries are taking a strategic approach to data at least in some way. Nevertheless, for most countries, these strategic efforts were not supported by clear communication or guidance around strategic goals and expected actions, as well as recognising data as a policy priority (OECD, 2020[4]).
Although Türkiye does not currently have a dedicated formal data strategy, its importance has been recognised and embedded in related policy documents. Figure 7.3, shows that despite there not being a dedicated formal strategy, two thirds of the public sector institutions that contributed to the survey, believe that there is. These responses indicate the expectation for the Digital Transformation Office (Dijital Dönüşüm Ofisi, DTO) to provide leadership and may reflect the announcement made in the 2022 Presidential Annual Programme (Presidency Strategy and Budget Directorate, 2022[9]) of placing the responsibility on the DTO to develop a National Data Strategy and Action Plan. This is to be welcomed as while public sector organisations seem to be aware of some elements of a data policy they are confused about its level of formality or clarity.
The prospect of Türkiye having a National Data Strategy and Action Plan is to be welcomed. Formally defining a national strategy dedicated to data will set the scene and help to establish the organisational culture and structure to encourage a data-driven public sector in Türkiye in line with commonly understood strategic goals such as greater data integration. Complementing the strategy with an action plan to disseminate these practices throughout government will require a comprehensive policy effort reflecting efforts to enable data stewardship and leadership, coherent action, policy co-ordination and steering, common data standards, and the development of scalable infrastructure for data sharing and access (OECD, 2019[2]).
As the DTO plans for the new strategy, there would be benefits for considering open and participatory processes that can not only integrate the inputs of actors from across the public sector but also seek input from external stakeholders to create a broad base of support for the policy and its ambitions. This would help to establish the foundations for effective prioritisation, steering and consolidation of efforts as well as further extending a data-driven mindset. Some OECD countries have taken such an approach including the United States’ Federal Data Strategy (see Box 7.2), the Government Data Agenda in the Netherlands and Ireland’s Public Service Data Strategy.
Box 7.2. The United States: Federal Data Strategy
In June 2019, the US government issued its Federal Data Strategy, which presents a ten-year vision to unlock the full potential of the country’s federal data assets while safeguarding security, privacy and confidentiality. The data strategy centres on three core principles (ethical governance, conscious design and a learning culture). It adds to several existing initiatives, policies, executive orders and laws that over the past few decades have helped make the United States a front-runner in terms of strategic management and reuse of government data.
In order to capture the linkage between user needs and appropriate management of data resources, the data strategy covers 40 practices that guide agencies throughout their adoption of the strategy. To further ensure coherent implementation of the strategy in its early phase, federal agencies are required to adhere to annual government action plans that include prioritised steps, time frames and responsible entities. A draft version of the 2019-2020 Federal Data Strategy Action Plan covers 16 steps seen as critical to launch the first phase of the data strategy vision, including the development of data ethics
Source: Executive Office of the President (2019[11]), Federal Data Strategy, https://www.whitehouse.gov/wp-content/uploads/2019/06/M-19-18.pdf.
Strategic documents are important for developing a common narrative but their creation, and implementation, rely on those with leadership roles providing a mandate for such work. Political leadership can be helpful in placing data on the policy agenda but needs to be supported with administrative leaders championing a data-centric approach both across government and then within organisations too. Depending on the country, the function of a “Chief Data Office” (or Officer) can take various names such as “officers responsible for the provision of public data” or “data manager”, and be part of different governmental organisations but consistently plays the role of implementing and steering policy design and implementation, ensuring the continuity and sustainability of the data agenda across political terms (OECD, 2019[2]). For example, in some countries the leadership is part of an existing administrative structure such as the Government Chief Data Steward in New Zealand, which is held by the Chief Executive of Statistics New Zealand. In others the person who heads up an agency such as the Agency for Digital Government in Sweden provides the leadership, while a third model is for this responsibility to be held by a management board as with the Information Management Board in Finland.
Figure 7.4 shows that 43% of public institutions (49/113) in Türkiye identified the DTO as the specific central government body in place with responsibility for data management across the public sector. There was also recognition of the National Data Dictionary project as the mechanism by which this responsibility is being enacted. The National Data Dictionary project aims to identify data ownership, duplicate and conflicting data, introduce standards and define the data used by public institutions and organisations to help co-operation and support better decision-making among institutions. However, with a majority of organisations (57%, 64/113) unaware of the DTO’s responsibility for data management, there is an evident gap in the visibility and communication of the DTO’s work with regards to data.
Overall, the OECD team found organisations to be aware of the benefits and associated challenges of data. Figure 7.5 shows that within organisational leadership, the survey found a majority of organisations to consider that their management and senior policy makers valued data and were sufficiently supportive of improving its management. It is positive to see the amount of support, awareness and motivation in the Turkish public sector and the high priority that they give to the management of such important assets.
Although there is awareness of the importance of data among public institutions in Türkiye, the specific role of a ‘Chief Data Officer’ either in an individual or organisational guise to oversee the strategic management of data could be powerful in helping to nurture a data-driven culture, establishing coherent data governance and enabling greater digital maturity in the public sector.
Tactical capacities for implementation and regulation
Governments need to enable the coherent implementation and steering of data-driven policies, strategies and initiatives across the government as a whole. This can be achieved in two complementary ways. One is the role of co-ordination bodies, committees, task forces and training to equip staff. The other are the use of regulatory materials to guide and support data management through rules, guidelines and standards.
Capacity for coherent implementation
The capacity for coherent implementation is fundamentally reliant on the skills and capabilities of public servants. As discussed more fully in Chapter 4, all public servants should be encouraged to develop their ability to understand the potential for applying data in their daily work. Equipping all public servants with the abilities to source data, carry out analysis and define actionable metrics for measuring success, outcomes or impact could contribute to significantly increase public value.
As discussed in the previous section (and seen in Figure 7.5), managers and policy makers are understood to value data. This emphasis is visible in the way that organisations consider data in the context of organisational skills. Data is emphasised as being part of the strategic approach to skills by 68% (77 out of 113) of respondents to the survey while 70% (78 out of 113) of organisations are providing training on the “Trustworthy use of data and technology”. However, only 37% (46 out of 113) of organisations offer training that focuses on the full concept of “Data-driven government” and 35% (40 out of 113) identified that technical capacities are a challenge.
To build and maintain good data governance, the government could consider not only appointing a team to champion a data-driven culture within organisations, but also formalising training in data-driven skills for all public servants no matter their level in the hierarchy. As will be discussed later in the chapter, a strategic approach to this area would be valuable to ensure the capacity of the workforce for coherent implementation of data strategies and a data-driven culture to flourish.
Rules, guidelines and standards
Data related legislation and regulations are instruments that help countries define, drive and ensure compliance with the rules and policies guiding data management, including data openness, protection and sharing. Rules and guidelines can also play a role in the definition and enforcement of common data standards towards greater data interoperability and streamlined data-sharing practices.
Türkiye’s Law on the Protection of Personal Data (KVKK No. 6698) was effective and published on the Official Gazette on April 7th, 2016 (Republic of Türkiye, 2016[12]). Its purpose is to “protect fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data”.
The Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, KVKK) was established as an independent regulatory body to oversee the enforcement of its provisions; which is composed of the Presidency and the Personal Data Protection Board. The Personal Data Protection Authority serves a mostly administrative and government-relations role, whereas the Board is the decision-making organ within the Authority (five members elected by the National Grand Assembly of Türkiye; and four directly appointed by Türkiye's President) (Personal Data Protection Authority, 2020[13]).
To support those who will be working with personal data, the Personal Data Protection Authority has developed various guidelines (see Box 7.3), some of which have also been issued in English to support non-Turkish entities. For example, the Data Security manual guides public sector organisations on the administrative and technical measures that need to be taken with regards to digital security and provides examples of safe disclosure. Similarly, the Information and Communication Security Guide of the DTO also covers data security and personal data security issues (Digital Transformation Office, 2020[14]).
Box 7.3. Data Guidelines in Türkiye
Guidelines which have been published so far are as follows:
Law on the Protection of Personal Data in 100 Questions (Personal Data Protection Authority, 2019[15])
Implementation Guideline on the Law on the Protection of Personal Data (Personal Data Protection Authority, 2019[16])
Personal Data Security Guidelines (Technical and Organisational Measures) (Personal Data Protection Authority, 2018[17])
Guideline on Erasure, Destruction or Anonymisation of Personal Data (Personal Data Protection Authority, 2018[18])
Frequently Asked Questions About the Law on the Protection of Personal Data (Personal Data Protection Authority, 2019[19])
Right to Request Protection of Personal Data as a Constitutional Right (Personal Data Protection Authority, 2018[20])
Data Controller and Data Processor (Personal Data Protection Authority, 2018[21])
Data Controller’s Registry (Personal Data Protection Authority, 2018[22])
Methods for Seeking Rights of Data Subject (Personal Data Protection Authority, 2018[23])
Rights and Obligations Under the Law (Personal Data Protection Authority, 2018[24])
Processing Conditions of Personal Data (Personal Data Protection Authority, 2018[25])
Key Principles Regarding to Processing of Personal Data (Personal Data Protection Authority, 2018[26])
Explicit Consent (Personal Data Protection Authority, 2018[27])
Basic Concepts in the Law No. 6698 (Personal Data Protection Authority, 2018[28])
Terms in the Law No. 6698 (Personal Data Protection Authority, 2018[29])
The Purpose and Scope of the Law No. 6698 on the Protection of Personal Data (Personal Data Protection Authority, 2018[30])
International and National Regulations for the Protection of Personal Data (Personal Data Protection Authority, 2018[31])
The Need for the Law on the Protection of Personal Data (Personal Data Protection Authority, 2018[32])
Processing Conditions of Sensitive Personal Data (Personal Data Protection Authority, 2018[33])
International Transfer of Personal Data (Personal Data Protection Authority, 2018[34])
Structure and Duties of Personal Data Protection Board (Personal Data Protection Authority, 2018[35])
Information and Communication Security Guide (Digital Transformation Office, 2020[14])
Guidelines on Personal Data Processing Inventory Preparation (Personal Data Protection Authority, 2019[36])
Recommendations on the Protection of Personal Data in the Field of artificial Intelligence (Personal Data Protection Authority, 2021[37])
Guidelines on Matters to Be Considered in Processing Biometric Data (Personal Data Protection Authority, 2021[38])
Guidelines on Cookie Application (Personal Data Protection Authority, 2022[39])
Banking Sector Good Practices Guidelines on the Protection of Personal Data (Personal Data Protection Authority, 2022[40])
Matters to be Considered in terms of Protection of Children’s Personal Data (Personal Data Protection Authority, 2020[41]).
Source: Personal Data Protection Authority (2020[13]), Data Protection in Türkiye, https://kvkk.gov.tr/SharedFolderServer/CMSFiles/5c02cb3c-7cc0-4fb0-b0a7-85cb90899df8.pdf.
Since the Personal Data Protection Authority’s guidelines are generally specific to personal data, this explains why 51% (58/113) of the surveyed organisations feel that there is a lack of guidance and standards around the treatment of data (i.e.: data collection, data sharing and data interoperability) and 47% (53/113) consider there to be a lack of clarity in policy guidance in the governance and use of data. This demonstrates that there is a pressing need to develop clear and sufficient guidelines covering the use and the handling of non-personal data.
Figure 7.6 shows that the current areas where organisations most often have guidelines and standards are data collection (61%, 69 out of 113), compliance with legislation and regulation when handling and processing data (51%, 64 out of 113), and data generation (46%, 51 out of 113). As these areas tend to reflect the aspects of organisational activity most connected and affected by the KVKK there is an opportunity for the public sector as a whole to be provided with centrally curated guidelines and standards rather than leaving this to individual organisations. This would create a more homogenous, seamless and trustworthy data-driven public administration, and at the same time provide a common language to measure, evaluate and improve performance. The National Data Dictionary project could be the mechanism by which these standards are established for the public sector.
The use of standards concerning different types of data would be a good complement to the development of guidelines and allow for greater interoperability and data sharing practices. As an example of how countries are taking comprehensive steps to respond to this standards challenge, the United Kingdom’s National Data Strategy1 is supported by the Data Standards Authority, which recognised that data standards are fundamental as they establish clear and common understanding of how the government must describe, record, store, manage and access data (GOV.UK, 2022[42]) (see Box 7.4). The Data Standards Authority has endorsed standards for beneficial ownership, the formatting of comma-separated values (CSV) files, the open document format and the UK’s unique property reference number with several others currently under review.2
Box 7.4. The United Kingdom’s Data Standards Authority
The government has recognised the need to improve data standards. The Data Standards Authority (DSA) was established in April 2020. It is led by the Cabinet Office in close partnership with the Office for National Statistics (ONS). The DSA leads cross-government work on data standards to support the sharing and interoperability of data in government.
There are complex fiscal, political, technological and operational challenges in government the DSA needs to balance to achieve a cultural shift.
Changing how government uses data is an opportunity for the DSA to strengthen existing processes, encourage the adoption of standards and build on existing standards. Responses to the National Data Strategy and the Civil Service Data Survey 2021 shows widespread support for a greater focus on data standards and an authority to lead government-wide adoption.
The DSA needs to make sure that proposed and implemented data standards fully meet user needs, and can meet future demands. The DSA does this by collaborating with experts from a wide range of organisations, including the public sector, private sector and academia.
Government uses data in many ways, so the DSA must make strategic decisions to prioritise which aspects to standardise. The DSA works closely with other related areas of work such as the Government Data Quality Hub, ONS Integrated Data Programme, the Digital Economy Act 2017’s data sharing powers, open data and data ethics.
This strategy sets out the role, vision and priorities of the DSA. It includes the:
main deliverables
cross-government collaboration
change management for prioritised standards
material and cultural change.
These standards support departments and public bodies in improving outcomes for the public and efficiencies in how the government does business and provides services.
Source: GOV.UK (2022[42]), Data Standards Authority Strategy 2020 to 2023, https://www.gov.uk/guidance/data-standards-authority-strategy-2020-to-2023.
Data Value Cycle
The Data Value Cycle covers data management in government. As Figure 7.7 illustrates, it goes from the initial collection and generation of data, through its storing, securing and processing, on to the sharing, curating and publishing of that data and then finally into its use and re-use. The first two phases are about how the public sector manages and looks after its responsibility to the data it generates, collects and holds and the final two stages address opportunities to generate new public value either through the improvement of policy and services or the opportunities generated by OGD (van Ooijen, Ubaldi and Welby, 2019[43]).
Going from the first two phases where data is raw, isolated and unstructured to the last two phases where relationships between data are identified and then from understanding those relationships to taking actions, which feedbacks to the first phase, is the cycle that data goes through before creating value and impact Since data plays an important role and heavily impacts decision making, it is worth using the Government Data Value Cycle approach when thinking about data management to maximise the potential of data to create value and ensure governments have the most efficient infrastructure and architecture.
In Türkiye, collecting and generating data could be improved in terms of publishing OGD as well as requesting data, which will be addressed later in this chapter. As for storing, securing and processing data, the majority of public institutions reported no issues from a technical point of view.
In terms of data sharing, the country has put several measures in place. Prime Ministry Circular No. 2016/28 on “Inclusion of Public Institutions and Organisations in KamuNet”, created the expectation for institutions in Türkiye to share data using the KamuNet (Public Virtual Network) (Presidency of the Republic of Türkiye, 2016[44]). This secure virtual network, which is closed to the internet, is one of the critical ways in which the Turkish public sector mitigates digital security risks in the exchange of data among public institutions. KamuNet is complemented by the Public Application Centre (Kamu Uygulama Merkezi) platform, which functions as part of the e-Government Gateway suite of tools, and offers a space for public institutions to share data and provide services to other institutions, as well as accessing statistical information about their services (Public Applications Center, 2022[45]). These measures aim to enhance security and ensure the safe transmission of data in line with the necessary privacy safeguards (this aspect will be further discussed further down the chapter).
While KamuNet and the Public Application Centre are the strategic direction for encouraging effective data sharing, many organisations have already invested in their own approaches for serving their needs to provide, or receive data. One example of this is the Migration Registration System (GöçNet) established by the Law on Foreigners and International Protection No. 6458 (Ministry of Interior, 2013[46]). This migration system, discussed in more detail in Chapter 6, involves data being exchanged between more than 30 public institutions and helps to manage information regarding foreigners related to their entry, stay, exit, deportation etc (Official Statistics Website, n.d.[47]). It is valuable for institutions in Türkiye to have these systems for providing data exchange on a bilateral basis with other organisations but these models do not unlock the full value of the data they hold or process and ongoing efforts are needed to ensure data flows freely within the Turkish public sector.
Moreover, as discussed in Chapter 6, the preference for on-premises data storage and high security measures run the risk of creating siloes and reduces the ease with which data might be shared between organisations via cloud-based approaches. As Türkiye thinks about its future cloud hosting strategy and works with organisations to migrate them away from data centres, consideration needs to be given to efforts for simplifying the sharing of data between organisations, the cataloguing of what is available and its cleansing. Ensuring data sovereignty also needs to be a priority as the adoption of cloud computing could break down national boundaries more than ever before, thus it would be important to have strictly defined rules on the use of data.
Despite the existence of guidelines to foster interoperability and data standardisation, Figure 7.8 shows 65% (73/113) of institutions identified these two areas as the number one barrier to the use of data. Indeed, when the OECD and the DTO ran a capacity building workshop focusing on data in Ankara in May 2022, one of the most urgent needs was identified as that of a central vocabulary to ensure semantic interoperability. The National Data Dictionary project aims to achieve this in recognising that a central vocabulary can provide clear, unambiguous and non-redundant definitions with a hierarchical structure, which allows for homogeneous understanding, improves sharing of data within institutions and avoids duplication of projects (OECD, 2019[2]).
Data infrastructure and architecture
Data architecture
As discussed earlier, the e-Government Gateway acts as a mechanism by which data and information is exchanged between public sector organisations in order to provide services and for many organisations is the focal point for data interoperability. However, the OECD peer review team noted that, beyond the data exchange facilitated through the services available on the e-Government Gateway, there was little evidence of data exchange taking place and data staying within organisational or sectoral siloes. The lack of data architecture, and more precisely, of data standards seems to be the challenge, as shown in the previous figure. As each public institution is operating an independent web infrastructure through organisation-specific data centres and standards for data, sharing across government is harder and results in siloed approaches. The current situation sees each institution operate according to its own priorities, which does not foster an eco-system of data sharing and re-use. This creates challenges not only for improved service delivery but also in the use of data as a foundation for emerging technologies such as Artificial Intelligence, Machine Learning and the Internet of Things.
While there are efforts to standardise data through the National Data Dictionary and plans to establish a Public Data Space to support access of data and increase co-operation, many participants expressed an urgent need for a more joined up government in general, to better collaborate and enhance access to and sharing of data. Figure 7.9 illustrates the limitations of data sharing between institutions which are on average only happening in 39% of organisations. Participants indicated that the most frequently preferred ways of sharing data were through open data on an institutional website (61%) or in response to requests through emails or official letters (53%). These ways of sharing are often not automated and require a bureaucratic process (official letters) to enable sharing which neither promote nor reflect the practices of a successful digital government.
However, there is certainly a mixed picture in the experience of public sector organisations in general. Figure 7.9 also shows 44% of organisations sharing data through a central data interoperability platform and in the detailed responses, several organisations recognised their use of web services to share data. Additionally, Figure 7.10 indicates that while many institutions are still accessing most of their data manually through human interactions, the greatest number of responses are from those organisations who are using Application Processing Interfaces (APIs) to facilitate machine-to-machine interactions. Nevertheless, those figures represent less than half of the organisations that responded to the survey, indicating that further efforts need to be made in terms of facilitating data sharing across the public sector in Türkiye.
However, further insights from the survey reflected in Figure 7.11 show that aside from data being generated within organisations, the most common source of data collected, re-used and analysed by institutions come from base registries data. With 77% (88 out of 113) of organisations reportedly using base registries there are good opportunities for better accessibility and interoperability in pursuit of the Once-Only Principle, which implies that citizens and businesses would only need to insert their data once for all public institutions to take all necessary actions to access, exchange and reuse information while respecting the relevant data protection rules. This can ensure faster sharing of data, constant improvement of public services around users-needs and reduced administrative burden.
Despite the use of base registry data and signs of a positive attitude towards machine-to-machine data sharing, the review team observed that some organisations were reluctant to share data as it is “safer” to keep it for themselves. In the context of handling data with trust caution is necessary but over-caution can constrain the potential added-value of data. In order to mitigate the fear of sharing data for security reasons, the role of the Personal Data Protection Authority is crucial in establishing and communicating clear guidelines and support for staff to be confident in sharing data with other organisations. This would highly promote data-sharing culture, increase opportunities to collaborate and unleash the value of data.
Having a data-sharing mindset and culture within the public sector is an important part of digital government maturity. To establish such an environment, governments need to reinforce their national data-sharing guidelines in order to allow for the production of quality, standardised and interoperable government data, with an expectation that this data will be reused either internally by other government actors or externally as OGD. Data sharing mechanisms that enable cross-governmental flows of data can boost public sector intelligence. For example, Argentina’s Ministry of Justice has put in place a tool that accelerates data access by allowing the sharing of personal data between registered users through a central common interoperability platform (INTEROPER.AR). This not only helps the Ministry to meet users’ needs in a more timely fashion, but also reduces friction in finding, understanding, sharing and using data.
Data infrastructure
Data infrastructure describes the tools that facilitate data sharing, such as interoperable data platforms and APIs. As has been previously mentioned, the e-Government Gateway operates as a de facto interoperability platform for the Turkish public sector in the way it allows different organisations to develop associated services in light of the information contained within KAYSIS (discussed in Chapter 6). An important underlying enabler for more effective data infrastructure is a modern approach to web infrastructure in general but the OECD team found that organisations were often operating their own data centres and not enjoying the benefits of greater cloud migration. The DTO is working on a new Public Cloud Strategy and encouraging organisations to revisit their current hosting strategies and is planned to be published in September 2022.
To improve the data infrastructure of the Turkish public sector a National Artificial Intelligence Strategy has been put in place to cover measures to increase access to big data and usage of AI in public sector (Ministry of Industry and Technology/Digital Transformation Office, 2021[48]). A National AI Strategy Steering Committee was established in 2021 and its first meeting was held in January 2022. This committee defines several actions in the AI strategy that may directly affect data technical structure, public data skills and workforce and data governance and legislations. Other departments within the institutions are also starting to establish public institutions specific for AI and big data. For example, the Big Data and Artificial Intelligence Applications Branch Office was established under the General Directorate of computing within the Ministry of Justice (Adalet Bakanlığı Bilgi İşlem Genel Müdürlüğü); Data Mining & Analysis, Big Data and Reporting Unit and the Artificial Intelligence and Wearable Technologies Unit have been established within the Ministry of Health (Sağlık Bakanlığı); and the Process Management and Artificial Intelligence Applications Branch Office was established within the Ministry of National Defense (Millî Savunma Bakanlığı).
An effectively data-driven public sector ensures that service teams have the means to access the datasets they require with the provisions for that data to be shared and re-used. Countries can communicate the availability of data through data catalogues, which help users find the data they need, serve as an inventory of available data, and provide information to evaluate the relevance and quality of data for its intended use. As can be seen in Figure 7.12, the public sector in Türkiye has a mixed approach to data catalogues. Of the organisations that completed the survey, over half of the organisations have a data inventory and/or data catalogue of some sort with 33% (37 out of 113) of all organisations describing theirs as exhaustive. A further 28% (32 out of 113) are currently developing a catalogue. Data catalogues can help improve the speed and quality of data analysis as well as engaging those who need to perform data analysis by reducing some of the pain and friction involved in sourcing data (OECD, 2019[2]). However, in order to help reduce risks of error and improve data efficiency, data context and data analysis across government, the DTO needs to lead efforts to co-ordinate these catalogues to ensure a standardised approach to metadata management within the National Data Dictionary project in order to identify and describe an inventory of shareable data within organisations and across the public sector as a whole.
Data infrastructure makes a vital contribution to enabling data flows within government, allowing for a whole-of-government approach to designing and delivering policies and services and fostering proactiveness in the public sector (OECD, 2020[4]). In order to increase interoperability and support transformation, base registries and data catalogues are important investments that simplify the sharing of data, help the adoption of the Once-Only-Principle, reduce duplicated sources of data and increase data quality. The government could also consider accelerating and promoting the use of AI and machine learning to help structure data, simplify metadata collection and conduct semantic inference to minimise manual effort. Creating more structure to the data infrastructure in Türkiye would also provide opportunities for greater automation and insights into the nature of data in the country. These measures can help to establish a data-driven culture, make data-sharing a natural process and increase collaboration between public institutions.
Open government data
Sharing data within the public sector is an important element of being a data-driven public sector. All the benefits in terms of maximising the impact of data use, facilitating collaboration, increasing efficiency of service design and shaping strategic decision-making are also applicable to OGD. Publishing OGD brings additional benefits in terms of reinforcing efforts to increase the transparency and accountability of government while offering non-governmental actors new opportunities to generate public value (OECD, 2018[5]). OGD can also be used to inform people about developments in their communities and provide the basis for communities to actively participate, engage and contribute to policy making.
According to the Open, Useful and Reusable Data (OURdata) Index, publishing OGD is an increasingly common practice (OECD, 2020[4]). The overall average scores across the three pillars of the Index among OECD countries increased from 0.54 in 2017 to 0.60 in 2019. This increase reflects a combination of greater general maturity of central OGD policies, stronger governance frameworks, high political willingness, and creating the right environments to enhance OGD reuse. Nevertheless, not all indicators are positive with the Index highlighting the challenge of policy sustainability and maturity, which can be explained by political inertia, change in institutional governance arrangements, or competing policy priorities affecting the implementation of open data initiatives. This suggests that governments expecting to extract value from the application of OGD need “enough political support, and an enabling environment to sustain implementation efforts in the long term” (OECD, 2020[4]).
In Türkiye, government policy and related activities regarding open data are covered in the 2015-2018 Information Society Strategy and Action Plan (Action 67), the 2016-2019 National e-Government Strategy and Action Plan (E4.2.1) as well as in the Eleventh Development Plan (Ministry of Development, 2015[49]; Ministry of Transport, Maritime Affairs and Communications, 2016[50]; Presidency of Strategy and Budget, 2019[51]). Following the change to the Presidential model, discussed in Chapter 2, the DTO has taken on the responsibilities contained in these documents including the creation of the National Open Data Strategy and its associated legal frameworks as well as the implementation of the Open Data Portal Project.
Initiatives such as hackathons have been explored to encourage greater value to be created from OGD. In 2021, the Open Data and Technology Association and the Association of Municipalities of Türkiye (Türkiye Belediyeler Birliği) hosted an Open Data Summit with the emphasis on ‘Open Data for the future of Türkiye’. The event was an opportunity to nurture the understanding of the benefits of open data and foster the adoption of open data policies in government, business and civil society, as it brought together experts in the field of open data in Türkiye (academicians, lawyers, public and private sector) (Open Data Day, 2022[52]). Despite these initiatives, communication and co-ordination between public institutions could be improved with Figure 7.13 showing that almost half of the surveyed institutions are unaware the medium-term strategy for OGD. This underlines observations elsewhere in this chapter about the need for much greater effort to communicate data-related activities throughout the public sector and among civil servants at all levels.
The generally nascent state of OGD in Türkiye is evidenced by the ongoing development of the OGD portal as well as related legislations. Nevertheless, there are some good examples of organisations motivated by the opportunities of OGD, particularly at the local level. For example, the Istanbul Metropolitan Municipality (İstanbul Büyükşehir Belediyesi, IMM) has created the IMM Open Data Portal (Istanbul Metropolitan Municipality, 2020[53]), the Küçükçekmece Municipality (Küçükçekmece Belediyesi) developed the Küçükçekmece Municipality Open Data Platform (Kucukcekmece Municipality, 2020[54]) and the Gaziantep Metropolitan Municipality (Gaziantep Büyükşehir Belediyesi) has focused on ensuring the quality of the datasets held in their open data platform which is based on the Comprehensive Knowledge Archive Network (CKAN) open source data management system and provides data in real time using Representational State Transfer (RESTful) APIs (Gaziantep Metropolitan Municipality, 2022[55]). Beyond local governments, the Supreme Election Council (Yüksek Seçim Kurulu, YSK) administers an Open Data Portal covering the full range of election results (President and Deputy General, Local Administrations, General and Referendum) and the electorate, candidate and winning candidate profiles (Supreme Election Council, 2022[56]). In addition, detailed tables and databases concerning national statistics are made available through the Turkish Statistical Institute (Türkiye İstatistik Kurumu, TÜİK) website. Finally, the Turkish National Geographic Information System (Türkiye Ulusal Coğrafi Bilgi Sistemi, TUCBS), makes geographical metadata and data of services produced by public institutions and organisations available as OGD within certain parameters defined by law.
As Figure 7.14 shows, 69% (78 out of 113) of organisations consider there to be barriers to publishing OGD. The most common, reported by 36% (41 out of 113) of organisations, is the lack of legislation supporting OGD and the constraints from other legislations and bodies, such as the Personal Data Protection Law, the Ethics Commission or the KVKK Commission. Determining the degree of confidentiality and publishing the data accordingly is the most challenging considering the provisions of Law No. 6698 on the Protection of Personal Data and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and the Presidential Information and Communication Security Measures Circular No. 2019/12 (Presidency of the Republic of Türkiye, 2019[57]; Republic of Türkiye, 2016[12]). OGD can be reused within the framework of certain protocols and APIs where there is nothing contained within the data that could endanger privacy, security or private life if shared. Public sector organisations are rightly concerned to ensure that their publication of OGD is compliant with all relevant legislation and does nothing to damage trust in government. However, there is a risk that the current approach focuses only on the risks and does not provide enough consideration of how they might be mitigated to generate public value.
In view of the above the government of Türkiye may consider reinforcing the communication of its OGD strategy by supporting open government data publication, launching a central OGD portal and encouraging institutions to use it and championing the transparency, accuracy and accountability that open data can bring to public sector innovation. These measures would underline the priority of OGD in the Turkish government.
Applying data to unlock value
Coherent data governance is the foundation for unlocking the public value associated with the use and re‑use of data. To best serve society, governments need to apply data in practical ways so that it generates public value in terms of anticipation and planning; delivery; and evaluation and monitoring as shown in Figure 7.15 (OECD, 2019[2]).
Applying data for anticipation and planning
Data can be a valuable asset in helping governments to design policies, anticipate change, forecast needs and imagine multiple possible futures. Figure 7.16 indicates that in Türkiye, 60% of organisations are using data to plan for government interventions in areas such as opening training programs and units, staff planning, and the monitoring and evaluation of research activities. Figure 7.17 provides an overview of the ways in which those organisations are then using that data with the most common response being in the design of public services (75%) followed by forecasting and predicting the most likely developments and outcomes (71%), and supporting public financial management and budgeting (57%).
Despite the lack of standards and guidelines in data usage, several experiences surfaced from the survey indicate data influences the anticipatory governance of Türkiye, suggesting that there might be an active data-driven policy community for the DTO to work with, and champion, in establishing a DDPS culture:
The General Directorate of Health for Borders and Coasts of Türkiye (Türkiye Hudut ve Sahiller Sağlık Genel Müdürlüğü) collects and evaluates data in areas such as opening new service units, planning the purchase of vaccines and similar medical supplies, making new updates on service delivery, planning new training for personnel, updating legislation or preparing new legislation.
The Ministry of Health (Sağlık Bakanlığı) analyses data in decision support systems and business intelligence platforms in order to develop effective policies and strategies, to carry out simulation and projection studies for large-scale events such as epidemics, to make efficient service planning in the field and to support service delivery. As a result of these analyses, data is transformed into information and then into policy.
The Ministry of Treasury and Finance, Revenue Administration (Hazine ve Maliye Bakanlığı, Gelir İdaresi Başkanlığı), uses existing data to measure the impact of any proposed or forthcoming legislative changes related to the area they are responsible for. While preparing the Revenue Budget, projections are prepared using existing data.
These examples illustrate the willingness of the Turkish public sector to make better use of data and generate public value by anticipating and planning. However, the examples shared were all focused internally within single organisations. To encourage greater collaboration between institutions, the government could establish cross-government communities of data practice to share experiences, identify common challenges and develop shared solutions. This would enable organisations to learn from each other, avoid duplication of datasets, create long-term cross-governmental partnerships and work collectively to address whole problems (as discussed in Chapter 5). These practices could help to foster more accurate anticipation, more proactive decision-making and more effective policy planning, which could help better detect societal needs as they emerge and facilitate better predictions for future trends.
Applying data for delivery
Data and analytical tools can be used to rethink the opportunities for the design and delivery of public services in order to improve policy solutions, better engage with citizens as co-value creators and respond to the needs of citizens. As seen in Figure 7.18, 68% of organisations are using data to deliver government operations with Figure 7.19 showing that these organisations are most often finding that they do so in response to citizen needs (82%) or emergencies, crises and developing situations (68%).
Several organisations provided further information about how data forms an important part of how they deliver effective services including:
The Ministry of Labour and Social Security (Çalışma ve Sosyal Güvenlik Bakanlığı) uses the data it collects in processes such as providing new services, making changes and improvements in the services offered, and making arrangements regarding the personnel working in the service delivery.
The Ministry of Culture and Tourism Directorate General of Foundations (Kültür ve Turizm Bakanlığı Vakıflar Genel Müdürlüğü) uses data to identify improvements that may be necessary for the effective provision of services for the management of property and charitable conditions of foundations.
More notable examples of how data is shaping the operational delivery was found in the Competition Authority (Rekabet Kurumu) where data determines the prioritisation of work and the assignment of relevant employees to the right jobs at the right time. Elsewhere, the Ministry of Transport and Infrastructure (Ulaştırma ve Altyapı Bakanlığı) uses data for transportation resource planning in disasters and emergencies, which emphasises the need to ensure data is timely and of good quality to make it easier to react in emergency situations. Additionally, the Ministry of Health (Sağlık Bakanlığı) uses the e-Nabız Personal Health System to collect data from more than 28,000 health institutions and use the data to determine health strategies and making critical management decisions.
Similarly, the Ministry of National Education (Millî Eğitim Bakanlığı) uses the National Education Information System (Millî Eğitim Bakanlığı Bilişim Sistemleri, MEBBİS) and e-School, which is a system that works in integration with more than 5 ministries, to exchange data. These data inform investment needs according to the current and projected population by analysing the data in the system, the schools affiliated to the ministry, the investments, the number of teachers and students.
The fact that a majority of organisations in Türkiye are using data in the delivery of their operational activities underlines the high demand for data skills among the public sector workforce. Although some institutions show some good practices on how they collect and use data to inform delivery, there needs to be further efforts in identifying improvements, prioritising issues, assigning people to the right task, addressing statistical data and keeping data up-to-date. As discussed in Chapter 4 and earlier in this chapter, the government may wish to invest in data skills across the public sector. A further area for investment could be in cross-cutting resources that help to gather data, learn about citizens’ habits and anticipate situations. For example, the Fusion Analytics for Public Transport Emergency Response (FASTER) initiative in Singapore collects anonymised location-based information from various sources and prepares them for analysis to help stakeholders identify commuting patterns. This means that when crowds are detected, additional means of transportations are deployed and users get notified so that they can best plan their journey. By modelling citizens transportation habits, this helps to improve transport planning, trigger early alerts for the surge in crowds and predict the impact of incidents such as transport delays and the number of commuters affected (Smart Nation and Digital Government Office, 2022[58]).
Applying data for evaluation and monitoring
Data is vital for measuring impact, auditing decisions and monitoring performance. Assessing the performance of government and drawing insights from the data generated through the delivery of public services is essential in not only being able meet users’ demands in real-time but to evaluate the impact and effectiveness of government in general. Figure 7.20 indicates that 61% of organisations are using data to evaluate and monitor government interventions. The survey used for this review reveal that some organisations such as the Ministry of Interior (İçişleri Bakanlığı) and the National Post and Telegraph Directorate of Türkiye (Posta ve Telgraf Teşkilatı, PTT), use the Performance Evaluation and Monitoring System (Performans Değerleme ve İzleme Sistemi, PERDİS), where the objectives of the activities (indicators) of the institutions are not evaluated by the institutions, but according to the arithmetic average of the past years and the orientation type (positive-negative) determined by the system. Some others rely on the performance data captured by the e-Government Gateway to measure the efficiency of their operations and for auditing activities. Figure 7.21 again provides an overview of the ways in which those organisations are then using that data with the most common response being to track operational performance (81%) followed by accountability through audit trails (66%).
Under the leadership of the Human Resources Office (İnsan Kaynakları Ofisi), there is also an increasing dissemination of People Analytics within the Turkish public sector to make the practices of human resources management (HRM) more transparent, data-based, efficient and accountable. One particular project, "HR Metrics Analysis", helps institutional HRM teams to measure their performance across 32 different metrics and provide the basis for comparison domestically and with international counterparts as part of the support it providers to data-driven HRM decision making.
As has been discussed through the review, Türkiye’s e-Government Gateway is the focal point for access to public services in the country and it is an important source of data analysis for the evaluation and performance of services. The Digital Türkiye Performance System was developed by the DTO to evaluate the performance of certain services contained within the e-Government Gateway. The DTO and Türksat work together to evaluate the performance of services on the e-Government Gateway and share these insights with the relevant public institutions to improve the user experience. Other organisations reported that they use data for understanding the performance of their operational activities for the purposes of audit as well as developing the necessary statistics and reporting mechanisms for sharing within government.
It is essential that all institutions share their evaluation and performance data widely in order to maximise its benefits throughout government. Sharing performance data, especially in public, is an important element of being data-driven as it communicates how taxpayers’ money is being invested and demonstrates return on investment. For example, Statistics Denmark shares the performance data related to the country on a common platform, which presents information about the effectiveness of their strategy (2022[59]). A similar practice would enable the Turkish government to build and maintain public trust.
Data for trust
Good data governance helps to lay the foundations for improving policy making and public services, and by extension, reinforcing public trust. However, the mis-handling of data can have a huge negative effect on trust. Therefore, demonstrating competence and taking steps to defend, maintain and restore citizens’ trust and confidence is essential. This means putting measures in place to ensure ethics; transparency, privacy and consent; and security (OECD, 2019[2]).
Ethics
The increasing use of, availability and access to personal as well as non-personal data raise a significant number of questions not only about their ethical use, collection, treatment and storage, but also about responsibility, accountability, fairness and the respect of human rights or current legislation in relation to the data. Efforts designed to establish a strong culture of ethical data use are essential to create the enabling conditions that maximise the impact of data-driven practices within public sectors (OECD, 2019[2]).
Given that availability, quality and relevance of data are not sufficient to ensure fairness and inclusiveness of policies and decisions, or to reinforce their legitimacy and public trust, it is important to have consistent alignment and adherence to shared ethical values and principles for the management and use of data across public sector institutions. According to the Digital Government Index, only 36% of the participating countries have dedicated initiatives to apply ethical principles to data-related initiatives (OECD, 2020[4]).
When asked about data ethics, most Turkish public organisations recognised the importance of strengthening public trust in how the government handles data, as an essential contribution to providing high quality services and ensuring citizens’ well-being (OECD, 2019[2]; Welby, 2019[60]). Figure 7.22 identifies that 65% of organisations state the existence of explicit formal requirements to ensure the ethical use and management of data in the public sector with a large majority identifying the KVKK. However, it is fundamental to underline that the ethical use of data does not limit itself to personal data.
Establishing a set of soft guidelines on the management of personal and non-personal data could benefit governments as they allow self-regulation of digital practices, while still informing the right behaviours and approaches to achieve ethical practices. Given its non-prescriptive tone, ethical guidelines and frameworks aim at widening a common understanding and to work through ethical concerns. In 2021, the OECD published the Good Practice Principles for Data Ethics in the Public Sector (contained in Box 7.5) in order to guide public servants and support government’s process into the ethical use of data.
Box 7.5. The OECD Good Practice Principles for Data Ethics in the Public Sector
The Good Practice Principles for Data Ethics in the Public Sector include ten high-level principles to support the ethical use of data in the design and delivery of public policies and services. They are:
1. Manage data with integrity.
2. Be aware of and observe relevant government-wide arrangements for trustworthy data access, sharing and use.
3. Incorporate data ethical considerations into governmental, organisational and public sector decision-making processes.
4. Monitor and retain control over data inputs, in particular those used to inform the development and training of AI systems, and adopt a risk-based approach to the automation of decisions.
5. Be specific about the purpose of data use, especially in the case of personal data.
6. Define boundaries for data access, sharing and use.
7. Be clear, inclusive and open.
8. Publish open data and source code.
9. Broaden individuals’ and collectives’ control over their data.
10. Be accountable and proactive in managing risks.
Source: OECD (2021[61]), Good Practice Principles for Data Ethics in the Public Sector, https://www.oecd.org/gov/digital-government/good-practice-principles-for-data-ethics-in-the-public-sector.pdf.
Privacy and consent, and transparency
Privacy is a concept that applies to data subjects while confidentiality applies to data. Regarding consent, this is the concept of “informed consent”, where the individual whose data is being collected is aware of the purpose of the data collection and agrees to give data about them to be used for specific purposes. In order to address issues relevant to privacy and consent, governments have often established data rights for businesses and citizens (OECD, 2019[2]).
As for transparency, in the context of a data-driven public sector it relates to two things. One is the openness of government to share the data underpinning policy decisions and algorithms with the public. The other is how citizens can be given visibility of how their data is being used and to manage the associated consents without decisions being made about the sharing of their data without their knowledge.
Given Türkiye’s application for the EU membership, there are ongoing efforts to harmonise the Personal Data Protection Law No. 6698 with the European Data Protection Regulation: the General Data Protection Regulation (GDPR). As an example, to match with the GDPR, the period of notification for data breaches has been accepted to be 72 hours throughout Board Decisions. This not only allows the country to increase its chances for the EU membership, but also enables Türkiye to facilitate data flow with EU countries.
One of the initiatives to increase the transparency around data in Türkiye comes from the Personal Data Protection Authority, which manages the Data Controllers Registry Information System (Veri Sorumluları Sicil Bilgi Sistemi, VERBİS) – a system on notification obligation – where information such as the identity of the data controller, the purpose for which the personal data will be processed, the explanations related to the group(s) of people subject to the data and the data categories of these people are processed and made publicly available to citizens. As the aim is to ensure transparency and accountability, individuals can have access to the catalogue of information about the categories of data that the data controllers keep about them.
VERBİS is an important initiative to help increase citizen visibility over the use of data but overall the review found a limited approach to proactively visible citizen consent mechanisms with the KVKK requiring any person who wishes to understand the processing of their personal data having to make a request to the data controller. The KVKK is extensive in covering privacy and consent matters in Türkiye but there is a gap between the law and its application from the point of view of a user (Personal Data Protection Authority, 2020[62]). The law is well-communicated within governmental institutions, but its application is rarely considered in terms of simplifying the process or empowering the users it is designed to serve. Figure 7.23 shows that 63% (71/113) of organisations claimed to have initiatives in place to give users’ transparency and visibility over the use of their data in line with the provisions of the KVKK. However, the OECD review observed that many institutions are unaware of any mechanism for having visibility of an individual’s data flow nor any way for users to provide or revoke their consent to the use or sharing of their data. As citizens are very likely to approach the breach of privacy and consent negatively, especially in terms of sensitive data, failure to consider privacy and/or consent can create tensions, challenges and undermine public trust.
Privacy, consent and transparency are critical aspects of legitimacy and public trust that governments should consider to ensure a trustworthy data-driven public sector. Having laws and regulations that formally ensure privacy and data protection, as well as access to information, is not enough to guarantee the effectiveness of these rights. Mechanisms such as independent bodies to monitor and supervise the compliance of data protection laws and privacy impact assessment tools are examples of initiatives that may ensure privacy protection in practice. In addition to this, the adoption of an ethical data framework could serve as a suitable instrument to ensure the ethical use of data across the public sector.
Additionally, it would be crucial to continue harmonising processes towards GDPR to ensure data exchange with the EU and act in co-operation with other institutions. An example of this would be Japan. Shortly after the GDPR entered into force, Japan and the European Union reached an agreement on reciprocal recognition of a sufficient level of personal data protection. Japan is the first country to receive an adequacy decision from the European Commission, ensuring not just a smooth data flow between Japan and the EU, but also making heavy data transfers, trade, and collaborations easier (Coos, 2022[63]).3
Security
Security refers to the measures taken to prevent unauthorised access or use of data. Notwithstanding the constraints discussed in the previous section that may come from an over cautious approach to digital security, it is encouraging to observe a high level of regard for digital security in Türkiye, enshrined through the KVKK for regulating personal data and consent. In order to support the implementation of this legislation, the Personal Data Protection Authority has developed a data security manual that guides public sector organisations on the administrative and technical measures that need to be taken with regards to digital security. Besides, the Defence Industry Agency (Savunma Sanayii Başkanlığı, SSB) established a platform with the participation of all relevant public institutions, organisations, private sector, and academic representatives, named Türkiye Cyber Security Cluster (Türkiye Siber Güvenlik Kümelenmesi) for the purpose of developing the country's cyber security ecosystem. The related activities are being carried out together with the DTO..
According to the Presidential decree No1, the DTO, Ministry of Industry and Technology (Sanayi ve Teknoloji Bakanlığı) and Security & Foreign Policy Board have been given different duties in the field of cyber security (Presidency of the Republic of Türkiye, 2018[64]). The Cyber Security Department of the DTO is responsible for carrying out activities related to the development of national cyber security strategies, its monitoring, development and dissemination. The Security and Foreign Policy Board is in charge of developing policy and strategy recommendations regarding cyber security. The Ministry of Industry and Technology has the duty of establishing policy recommendations, incentive mechanisms and strategies promoting R&D and increasing competencies of individuals and businesses in areas of emerging technologies in order to produce advanced technology products in-house and strengthen the cyber security ecosystem. Furthermore, the Electronic Communications Law (Law No. 5809) (Technology and Communication Authority, 2008[65]) creates a set of responsibilities for the Ministry of Transport and Infrastructure (Ulaştırma ve Altyapı Bakanlığı) and the Information and Communication Technologies Authority (Bilgi Teknolojileri ve İletişim Kurumu, BTK). Operational duties concerning national cyber security are carried out and managed by the BTK via the Computer Emergency Response Team of Türkiye (TR-CERT) (Ulusal Siber Olaylara Müdahale Merkezi, USOM).
However, many participants fear that the emphasis on digital security and confidentiality may limit them to make the most out of data they hold. Moreover, some shared that they face security challenges when moving data to cloud services and that there are restricting data laws, which may reduce the potential value that data could generate and thus shape how organisations work with data.
Figure 7.24 shows that a large number of institutions in Türkiye have strategies and initiatives in place to manage data security. They often seem to either have their independent initiatives or strategies, or rely on the Information and Communication Security Guide. For example, the Ministry of Transport and Infrastructure, which has been given the duty for developing strategy and action plans on national cyber security by Law No. 5809 (Technology and Communication Authority, 2008[65]), has released the National Cyber Security Strategy for 2020-2023 (Ministry of Transportation and Infrastructure, 2020[66]), and it is expected that security-related studies will be carried out by the Institutions within the scope of this project; whereas the Personal Data Protection Authority issues guides and contributed to the Information and Communication Security Guide published by the DTO.
The growing need for government intervention to prevent data misuse and to ensure citizens’ right to control how their data are used can lead to a state of data overprotection which can have potentially negative implications in terms of public service delivery and evidence-based policy making. Although the Information and Communication Security Guide already covers some of these issues, the Turkish government could continue working on finding the right policy arrangements (and the deployment of the relevant data tools to support their implementation) to ensure the secured transfer of data and promote the delivery of value for citizens in a trustworthy fashion. They could also take inspiration from Korea, which in order to counteract the concerns of digital security, has developed a stand-alone policy that focuses on best practices for using and regulating data. The National Information Resources Service is in charge of overseeing all government servers and databases in compliance with this security policy.
References
[63] Coos, A. (2022), Data Protection in Japan: All You Need to Know about APPI, https://www.endpointprotector.com/blog/data-protection-in-japan-appi/.
[14] Digital Transformation Office (2020), Information and Communication Security Guide, https://cbddo.gov.tr/en/icsguide/.
[11] Executive Office of the President (2019), Federal Data Strategy, https://www.whitehouse.gov/wp-content/uploads/2019/06/M-19-18.pdf.
[55] Gaziantep Metropolitan Municipality (2022), Gaziantep Open Data Portal, https://acikveri.gaziantep.bel.tr/.
[42] GOV.UK (2022), Data Standards Authority Strategy 2020 to 2023, https://www.gov.uk/guidance/data-standards-authority-strategy-2020-to-2023.
[53] Istanbul Metropolitan Municipality (2020), Istanbul Metropolitan Municipality Open Data Portal, https://data.ibb.gov.tr/en/about.
[54] Kucukcekmece Municipality (2020), Küçükçekmece Municipality Open Data Platform, https://acikveri.kucukcekmece.bel.tr/about.
[49] Ministry of Development (2015), 2015-2018 Information Society Strategy and Action Plan, Republic of Türkiye, https://www.resmigazete.gov.tr/eskiler/2015/03/20150306M1-2.htm (accessed on 1 May 2022).
[48] Ministry of Industry and Technology/Digital Transformation Office (2021), National Artificial Intelligence Strategy (2021-2025), Republic of Türkiye/Presidency of the Republic of Türkiye, https://cbddo.gov.tr/SharedFolderServer/Genel/File/TRNationalAIStrategy2021-2025.pdf (accessed on 2 May 2022).
[46] Ministry of Interior (2013), Temporary Protection in Law on Foreigners and International Protection, https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6458&MevzuatTur=1&MevzuatTertip=5.
[50] Ministry of Transport, Maritime Affairs and Communications (2016), 2016-2019 National e-Government Strategy and Action Plan, Republic of Türkiye, http://www.edevlet.gov.tr (accessed on 1 May 2022).
[66] Ministry of Transportation and Infrastructure (2020), National Cyber Security Strategy for 2020-2023.
[10] OECD (2021), “Digital Government Survey of Türkiye, Public Sector Organisations Version”, Unpublished, OECD, Paris.
[61] OECD (2021), Good Practice Principles for Data Ethics in the Public Sector, OECD, Paris, https://www.oecd.org/gov/digital-government/good-practice-principles-for-data-ethics-in-the-public-sector.pdf.
[7] OECD (2021), Recommendation of the Council on Enhancing Access to and Sharing of Data, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0463#mainText.
[4] OECD (2020), “Digital Government Index: 2019 results”, OECD Public Governance Policy Papers, No. 3, OECD Publishing, Paris, https://doi.org/10.1787/4de9f5bb-en.
[6] OECD (2020), “Open, Useful and Re-usable data (OURdata) Index: 2019”, OECD Public Governance Policy Papers, No. 01, OECD Publishing, Paris, https://doi.org/10.1787/45f6de2d-en.
[3] OECD (2020), “The OECD Digital Government Policy Framework: Six dimensions of a Digital Government”, OECD Public Governance Policy Papers, No. 02, OECD Publishing, Paris, https://doi.org/10.1787/f64fed2a-en.
[8] OECD (2019), Digital Government Review of Argentina: Accelerating the Digitalisation of the Public Sector, OECD Digital Government Studies, OECD Publishing, Paris, https://doi.org/10.1787/354732cc-en.
[2] OECD (2019), The Path to Becoming a Data-Driven Public Sector, OECD Digital Government Studies, OECD Publishing, Paris, https://doi.org/10.1787/059814a7-en.
[5] OECD (2018), Open Government Data Report: Enhancing Policy Maturity for Sustainable Impact, OECD Digital Government Studies, OECD Publishing, Paris, https://doi.org/10.1787/9789264305847-en.
[1] OECD (2014), Recommendation of the Council on Digital Government Strategies, OECD/LEGAL/0406, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0406.
[47] Official Statistics Website (n.d.), Migration Registration System (GöçNet), https://www.resmiistatistik.gov.tr/detail/subject/goc-kayit-sistemi/.
[52] Open Data Day (2022), Open Data Day 2021 Events, https://opendataday.org/events/2021/#:~:text=The%20event%20on%20March%205th,data%20all%20over%20the%20world.
[40] Personal Data Protection Authority (2022), Banking Sector Good Practices Guidelines on the Protection of Personal Data, https://kvkk.gov.tr/SharedFolderServer/CMSFiles/12236bad-8de1-4c94-aad6-bb93f53271fb.pdf.
[39] Personal Data Protection Authority (2022), Guidelines on Cookie Application, https://kvkk.gov.tr/Icerik/7353/Cerez-Uygulamalari-Hakkinda-Rehber.
[38] Personal Data Protection Authority (2021), Guidelines on Matters to Be Considered in Processing Biometric Data, https://kvkk.gov.tr/SharedFolderServer/CMSFiles/bd06f5f4-e8cc-487e-abe1-d32dc18e2d7e.pdf.
[37] Personal Data Protection Authority (2021), Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence, https://www.kvkk.gov.tr/Icerik/7048/Yapay-Zeka-Alaninda-Kisisel-Verilerin-Korunmasina-Dair-Tavsiyeler.
[62] Personal Data Protection Authority (2020), Considerations When Obtaining Explicit Consent, https://www.kvkk.gov.tr/Icerik/2037/Acik-Riza-Alirken-Dikkat-Edilecek-Hususlar#:~:text=A%C3%A7%C4%B1k%20r%C4%B1za%20vermek%2C%20ki%C5%9Fiye%20s%C4%B1k%C4%B1,oldu%C4%9Fu%20a%C3%A7%C4%B1k%20r%C4%B1zas%C4%B1n%C4%B1%20geri%20alabilir.
[13] Personal Data Protection Authority (2020), Data Protection in Türkiye, https://kvkk.gov.tr/SharedFolderServer/CMSFiles/5c02cb3c-7cc0-4fb0-b0a7-85cb90899df8.pdf.
[41] Personal Data Protection Authority (2020), Matters to be Considered in terms of Protection of Children’s Personal Data, https://www.kvkk.gov.tr/Icerik/6737/Cocuklarin-Kisisel-Verilerinin-Korunmasi-Bakimindan-Dikkat-Edilmesi-Gerekenler.
[15] Personal Data Protection Authority (2019), 100 Soruda Kişisel Verilerin Korunması Kanunu, https://kvkk.gov.tr/SharedFolderServer/CMSFiles/185c2130-8070-4b2b-a91e-1d48322ca352.pdf.
[36] Personal Data Protection Authority (2019), Guidelines on Personal Data Processing Inventory Preparation, https://kvkk.gov.tr/SharedFolderServer/CMSFiles/14a17049-71da-4417-a07b-961f75a0070e.PDF.
[19] Personal Data Protection Authority (2019), Kişisel Verilerin Korunmasi Kanunu Hakkinda Sikça Sorulan Sorular, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/c148901d-cd7f-43ff-ae9a-978fb78fb43c.pdf.
[16] Personal Data Protection Authority (2019), Kişisel Verilerin Korunmasi Kanununa Ilişkin Uygulama Rehberi, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/41784a70-2bac-4e4a-830f-35c628468646.PDF.
[28] Personal Data Protection Authority (2018), 6698 Sayili Kanunda Yer Alan Temel Kavramlar, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/8110dc3c-2856-4e54-9129-5e2e375469af.pdf.
[29] Personal Data Protection Authority (2018), 6698 Sayili Kanunda Yer Alan Terimler, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/d077ff3c-887a-46ab-b284-9c25b47e3a69.pdf.
[30] Personal Data Protection Authority (2018), 6698 Sayili Kişisel Verilerin Korunmasi Kanununa Amaci Ve Kapsami, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/8e9b520e-0581-4cfb-8535-f6d6fc2b8206.pdf.
[27] Personal Data Protection Authority (2018), Açik Riza, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/e3c6aa10-9de4-46f8-9b51-71bcf07c09b5.pdf.
[20] Personal Data Protection Authority (2018), Anayasal Bir Hak Olarak Kişisel Verilerin Korunmasini İsteme Hakki, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/11931dc2-233d-45b0-892c-5debcc9bc9a1.pdf.
[23] Personal Data Protection Authority (2018), İlgili Kişinin Hak Arama Yöntemleri, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/353d85d5-87df-4c91-b08e-b4f0991a80f4.pdf.
[24] Personal Data Protection Authority (2018), Kanun Kapsamindaki Hak Ve Yükümlülükler, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/8662692a-80ff-49a8-9ce9-7aca5b69ccd7.pdf.
[17] Personal Data Protection Authority (2018), Kişisel Veri Güvenliği Rehberi (Teknik Ve İdari Tedbirler), https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf.
[35] Personal Data Protection Authority (2018), Kişisel Verileri Koruma Kurulunun Yapisi Ve Görevleri, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/c6206722-f4dc-484d-9bff-63f99b840158.pdf.
[25] Personal Data Protection Authority (2018), Kişisel Verilerin İşlenme Şartlari, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/9feefe58-9b0f-49c9-a0c7-2b2eb8c012bb.pdf.
[26] Personal Data Protection Authority (2018), Kişisel Verilerin İşlenmesine İlişkin Temel İlkeler, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/32ff74f6-9798-405a-b3d2-b42d28423fde.pdf.
[31] Personal Data Protection Authority (2018), Kişisel Verilerin Korunmasi Alaninda Uluslararasi Ve Ulusal Düzenlemeler, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/3a7934b6-406e-4911-a94d-795293aa0e3d.pdf.
[32] Personal Data Protection Authority (2018), Kişisel Verilerin Korunmasi Kanununa Duyulan Ihtiyaç, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/6d465cc4-5ab0-453c-9174-68e2505fe44d.pdf.
[18] Personal Data Protection Authority (2018), Kişisel Verilerin Silinmesi, Yok Edilmesi Veya Anonim Hale Getirilmesi Rehberi, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/bc1cb353-ef85-4e58-bb99-3bba31258508.pdf.
[34] Personal Data Protection Authority (2018), Kişisel Verilerin Yurt Dişina Aktarilmasi, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/9178818a-12c7-4d7f-a839-bdb8b6f358b1.pdf.
[33] Personal Data Protection Authority (2018), Özel Nitelikli Kişisel Verilerin Işlenme Şartlari, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/0ef45a05-ac30-4f35-bc4b-3b2cbefc9864.pdf.
[22] Personal Data Protection Authority (2018), Veri Sorumlulari Sicili, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/ed040488-ee55-40de-b503-646c8e1bc916.pdf.
[21] Personal Data Protection Authority (2018), Veri Sorumlusu Ve Veri İşleyen, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/31d9c444-27a5-4a75-95b1-1ca9bdb81ea5.pdf.
[51] Presidency of Strategy and Budget (2019), Eleventh Development Plan (2019-2023), Presidency of the Republic of Türkiye.
[57] Presidency of the Republic of Türkiye (2019), Presidential Circular on Information and Communication Security Measures No. 2019/12, https://cbddo.gov.tr/en/presidential-circular-no-2019-12-on-information-security-measures.
[64] Presidency of the Republic of Türkiye (2018), Presidential Decree No. 1, https://www.mevzuat.gov.tr/MevzuatMetin/19.5.1.pdf.
[44] Presidency of the Republic of Türkiye (2016), Prime Ministry Circular No. 2016/28, https://www.resmigazete.gov.tr/eskiler/2016/12/20161203-24.pdf (accessed on 16 December 2022).
[9] Presidency Strategy and Budget Directorate (2022), 2022 Presidential Annual Programme, Republic of Türkiye, https://www.sbb.gov.tr/wp-content/uploads/2021/10/2022-Yili-Cumhurbaskanligi-Yillik-Programi-26102021.pdf.
[45] Public Applications Center (2022), Government Application Centre, https://kamu.turkiye.gov.tr/.
[12] Republic of Türkiye (2016), Law on the Protection of Personal Data (KVKK No. 6698).
[58] Smart Nation and Digital Government Office (2022), Enhancing Public Transport Using Data, https://www.smartnation.gov.sg/initiatives/transport/open-data-analytics.
[59] Statistics Denmark (2022), Statistics Denmark, https://www.dst.dk/da.
[56] Supreme Election Council (2022), Open Data Portal, https://acikveri.ysk.gov.tr/anasayfa.
[65] Technology and Communication Authority (2008), Electronic Communications Law, https://tahseen.ae/media/3385/turkey_electronic-communications-law.pdf.
[43] van Ooijen, C., B. Ubaldi and B. Welby (2019), “A data-driven public sector: Enabling the strategic use of data for productive, inclusive and trustworthy governance”, OECD Working Papers on Public Governance, No. 33, OECD Publishing, Paris, https://doi.org/10.1787/09ab162c-en.
[60] Welby, B. (2019), “The impact of digital government on citizen well-being”, OECD Working Papers on Public Governance, No. 32, OECD Publishing, Paris, https://doi.org/10.1787/24bac82f-en.
Notes
← 3. Japan’s data protection law, the Act on the Protection of Personal Information (APPI), adopted as early as 2003, was one of the first data protection regulations in Asia. It received a major overhaul in September 2015 after a series of high-profile data breaches shook Japan, making it clear that APPI’s requirements no longer met present-day needs. The amended APPI came into force on 30 May 2017, one year ahead of the EU General Data Protection Regulation (GDPR). The update brought with the establishment of the Personal Information Protection Commission (PPC), an independent agency that, among others, protects the rights and interests of individuals and promotes the proper and effective use of personal information. Thanks to the updated law, on 23 January 2019, Japan became the first country to earn an adequacy decision from the European Commission (EC) after the GDPR came into force. These decisions, which govern cross-border data transfers from the EU, reflect the adequacy of a third country’s level of data protection compared to the EU’s legislation.