This report examines sourcing strategies for ICT and the use of cloud services in the public sector in Norway. The study is based on interviews held with four state agencies and four local authorities, as well as documents provided by these parties and a review of official documents describing the government’s policies and reports in the area.
The digital development has led to an increase in online digital services, known as cloud services. New platforms such as mobile phones, tablets and laptops also mean that communication via the internet has become a very useful tool. During the height of the coronavirus pandemic in the spring of 2020, we saw worldwide growth in the use of video services and cloud-based communication. The digitisation of cars, homes and objects we surround ourselves with, the ‘internet of things’, generates data. This development has led to a need for the transfer and storage of large volumes of data that can be stored in digital ‘clouds’.
The modern-day clouds were introduced as cloud services from Amazon (2006), Google (2008) and Microsoft (2010), and the terms ‘cloud service’ and ‘cloud computing’ are used today as generic terms for online data services, and can include everything from computing power (data processing) and data storage, to operating systems and software. Using old computer programs or computer programs from different suppliers or platforms can create what has been termed ‘technical debt’, and can represent a barrier to sharing and exchanging data. The cloud services of today seek to overcome many of these challenges by integrating a wide range of services and linking them together over the internet.
The provision of online digital services presents us with challenges both in the way we work and organise our activities, and in how we secure personal data and other sensitive data of commercial or national value. In Norway, legislation on the sale of services and the regulation of privacy is adapted to EU regulations. In most cases, the EU member states represent a single market and a common regulatory area for ICT and privacy issues. However, in a global market, we often operate outside the EU’s borders.
Information security can be compromised and public or private interests can be violated in two different ways when ICT services are outsourced: data can be compromised through legal proceedings under another country’s jurisdiction, and as a result of illegal access to or acquisition of information.
If data is stored in places where it could fall under another country’s jurisdiction, the Norwegian authorities or businesses could lose control of their own data. Uncertainty related to jurisdiction can pose a problem for security. Consequently, the EU has relatively strict rules for transferring personal data out of the EU/EEA. With regard to other types of data, the individual data owner and the individual country must legally secure their data. However, this can be a challenge if the data is stored in other countries.
Illegally accessing computer systems, known as hacking, is a major problem that affects all ICT. One of the main reasons why hacking and espionage aimed at ICT services take place is that data can be of great value. Public and private sector actors must protect their data in order to prevent industrial secrets, research material or critically important socioeconomic information from falling into the wrong hands. For the nation state, national security is important.
One country where data is protected to safeguard national sovereignty is Germany, where the authorities have chosen to establish their own ‘private’ cloud – Die Bun-descloud. The aim is to be independent from external suppliers who previously sold software but now provide leasing or subscription services. In Germany, digital autonomy has become a key goal in digitalisation policy.
In Norway, the government has devised a strategy to increase the pace of digitalisation and use of cloud services. Through a number of publications and measures, the Solberg government has put considerable pressure on the entire public sector to hasten digitalisation and to adopt new technology and cloud services.
The government points out that the public sector has a special need to have control over information, and points to two ways of maintaining public control. One is by establishing separate data centres for the state or public sector. The other method proposed by the government to safeguard public control is through contracts with suppliers.
In parallel with the transition to market-based cloud services in the public sector, and the establishment of an official market place for such services, considerable efforts are underway to coordinate digital services in the public sector. One such example is the Norsk Helsenett, which has been demerged from the Norwegian Directorate of eHealth in order to serve as a national supplier of e-health services.
Overall, we can view the measures as a mixed-market policy: both a market-based orientation and public sector coordination. However, the government’s documents give little indication of the general principles that should be applied in the choice of strategy.
The Norwegian Armed Forces, the Norwegian Meteorological Institute (MET), the Norwegian Labour and Welfare Administration (NAV) and the University of Bergen are state agencies that represent different sectors within the state, and whose size and operations vary.
The Norwegian Armed Forces’ ICT strategy, which also covers sourcing, is based on the international trends in ICT developments: a more strategic use of ICT, integration and communication between systems, and regular upgrades and module building. The Armed Forces aim to increase the digital competence within ICT and give the various agencies in the defence sector a greater degree of freedom to choose how they want to work. They also aim to make use of new platforms, and to this end have approached Microsoft with a view to forming a collaboration.
MET processes large volumes of data in order to monitor and forecast the weather for the authorities, the business community and the general public. In recent years, MET has chosen to procure software through cloud solutions in the administrative area. It has laid out three main strands in its sourcing strategy: adopting and developing its own IT resources related to the core activity, procuring services and software in the market when this proves to be cost-effective, and forming national and international collaborations in order to establish and maintain competence and capacity within MET’s core activity. It is important for MET to ensure core competence so that it can operate and develop its main activity. The main principle for the procurement of services and software is that there should be a mature market with several suppliers. MET’s sourcing strategy also aims to ensure that it is not locked into one supplier and to take advantage of the opportunities for collaboration nationally and internationally.
NAV provides services in accordance with the Labour Market Act and the National Insurance Act, and labour input in its central IT department corresponds to 750 full-time equivalents. NAV’s sourcing strategy aims to maximise value creation through the use of its own resources in combination with the purchase of standardised software or the procurement of services. The agency is moving away from large monolithic computer systems towards a more micro-service architecture with small components that can be modified as needed. According to NAV, this will maintain its adaptability over time. NAV’s strategy is to build up its own development services and place more of the operational activities in the cloud. Being able to develop and retain competence is critical to the success of its strategy.
The IT department at the University of Bergen has just over 100 employees. The university needs a wide range of services and has adopted different types of infrastructure to accommodate these. In order to be able to offer a cost-effective cloud service, the University of Bergen and the University of Oslo have jointly created a cloud service that uses dedicated servers for their users. According to the universities, this solution enables them to ensure good control of their data. The University of Bergen has chosen to procure services where there are large volumes of data, such as Microsoft 365 and the associated cloud storage. The university’s sourcing strategy includes administrative and technical services, and is designed to serve as a guide for decisions related to whether services should be performed using internal resources, outsourced or organised as a collaboration with an external partner.
Oslo and Bergen are the two largest urban municipalities in Norway, while Bodø and Fauske can be described as a medium-sized and a small urban municipality respectively.
Bergen local authority previously had IT operations in every agency, but over time has worked actively to assemble ICT activities in a single group function. Bergen local authority does not have an established sourcing strategy, but can be said to follow a multi-sourcing strategy for the operation and procurement of digital services. For the local authority, the development and establishment of the new shared services in the public sector is an important factor that will determine where data operations and storage take place in the future. The local authority’s IT systems, which have been subject to small modifications over time, are now being challenged by more dynamic systems that are delivered via cloud services and continuously being updated and developed. In addition, the local authority says that its use of digital services in the future will be determined by the need for information security, access security and personal data protection.
For the past 15–20 years, Bodø local authority has been outsourcing all of its IT services to an operating partner. One of the challenges associated with outsourcing services is the need for good commercial expertise. Even though the local authority has good technical expertise, it still considers the framing and management of agreements to be a challenge. Security is a key issue in a sourcing strategy. Bodø local authority points out that the expertise of the individual users is a critical factor. Major international suppliers are considered to have a good standard of security.
Fauske local authority has chosen not to outsource its IT services, but has not devised a sourcing strategy. The fact that its own systems are not always compatible with new cloud systems is a challenge. For example, the document and archive system used by Fauske local authority is not compatible with Google's desktop products. These kinds of issues make it difficult for the local authority to make changes. It points out that keeping its own IT operations in-house makes it less dependent on suppliers for support.
In Oslo local authority, the Agency for Improvement and Development provides IT services for 50 municipal departments. The development has moved towards assembling IT expertise in one agency, but several other departments still have their own IT staff and systems operation. Oslo local authority has chosen to switch from owning the infrastructure itself to procuring services. The goal was to develop a multi-sourcing strategy with several cloud service suppliers. However, the local authority acknowledges that using several cloud service suppliers became problematic. It found that because the suppliers are quite similar, using several suppliers did not add to the functionality of the IT systems. It was also difficult to set requirements for standardisation, and dealing with a number of different interfaces tends to be more costly.
The participants in this survey have, to varying degrees, devised their own sourcing strategies for ICT. None of the local authorities have formulated a written sourcing strategy, but some have framed a direction for development in a very general sense. Nevertheless, the participants’ experiences show that there are some common development trends in the organisation and sourcing of ICT in the public sector:
This survey shows that the four state agencies and four local authorities have organised their ICT operations in different ways and that their sourcing strategies vary. Most use cloud services in one or more areas. The cloud services have proven to be easy to use, and they are often developed seamlessly on an ongoing basis such that the user always has the latest version of the service. However, the survey participants also experience disadvantages with cloud services, such as a risk of being locked into one supplier, high prices and problems related to achieving the necessary customisations.
The survey participants assess the security of the use of cloud services and storage in the cloud in light of the type of data to be stored, and place a great deal of emphasis on compliance with the General Data Protection Regulation (GDPR). The question of where data is stored is important in this context.
The survey participants emphasise the importance of having expertise that understands their work. If Norway is to be at the forefront in certain areas, the participants consider it to be vital for Norway to be able to handle its own data and undertake critical IT work, thereby generating expertise and ensuring control.
The government has facilitated the organisation of a public procurement scheme or market place for cloud services. The government has not facilitated a data storage collaboration for the public sector or the establishment of a common data centre for the public sector. There is little indication in the government’s digitalisation strategy or strategy for the use of cloud services that assessments have been made in relation to digital autonomy or to the need to ensure digital competence in the public sector. Perhaps it is time to start a debate on this. In the future, ownership and control of data will be valuable commodities. They will also be a path to power and influence. It is therefore important to discuss how we should regulate these values and manage the values that are created in the public sector.