Tuesday, September 23, 2014

What penalties are there for agencies and individuals who breach government security and accessibility policies for websites and online channels?

I regularly hear stories from people in government agencies and councils about how their organisation isn't meeting mandated security and accessibility requirements for their websites and broader online presence.

Often this is because there's insufficient time or money, or a lack of understanding of the mandated requirements by either the business owners or the vendor doing the work. I still remember an experienced developer at a web development company claiming that in his ten years of working on government websites he'd never understood that accessibility was a legal requirement.

Sometimes I can understand and accept these reasons. 

Ministers set deadlines, as do real-world events, and this can constrain the full process of testing the security and accessibility of a website.

Equally, some campaigns are spread across different channels, and the budget allocated to online doesn't always allow for the best possible outcomes - or there's some 'bling' requested by senior management that eats the budget of the project very quickly. Again, these can make it difficult to find the money to do any necessary testing and adjustment.

In a few cases I get told that security or accessibility was simply "not important" to senior management, the business owner or the ICT team/vendors doing the work. 

These cases I could never condone, and it did affect my public service career when I stood up to senior people who held this attitude - even when I 'won' the point and was able to ensure websites were delivered to government-mandated minimum requirements.

This last group still worries me - and I've heard several new stories in the last month along the same lines.

The fact these people are still around is disheartening, and raises a major question for me:

What penalties exist for agencies or individuals who deliberately go against the government's mandated policies and standards for websites, on topics such as security and accessibility?

I'm not aware of any public servant ever being investigated, sanctioned, retrained, demoted, moved or sacked after making a decision to ignore or water down website requirements.

In fact I can recall a few times where they were promoted and rewarded for their work in delivering outcomes cost-effectively and quickly.

Of course there are potential legal ramifications for ignoring both security and accessibility requirements - however it is generally the agency that takes on this risk, rather than the individual who exposed them to it.

In some cases the individual may not even have been the business owner, or has moved on to a different role, even a different agency.

This type of behaviour is generally picked up and addressed when an individual breaches finance, procurement or HR guidelines.

I'd like to see the same apply for websites - the front door of the modern government.

Whether a federal agency or local council, you serve citizens through your online presence, and putting them at security risk, or creating sites that a significant proportion of your audience can't access by not meeting mandated standards and policies, is simply not on.
