Estonia is saving more than 2.8 million hours of labour every year through a data exchange network that has helped digitise 99% of government services. The platform connects government agencies’ IT systems with the databases of other public bodies through a series of authentication codes contained in their secure servers, allowing users to instantly access information held by other agencies. The volume of data exchanged on the platform has increased by more than 1,300% since 2007, when the Estonian government ordered public agencies to refrain from asking citizens for the same information more than once.
Results & Impact
The World Bank estimated that the time saved from a third of X-Road transactions, which would otherwise have involved face-to-face interactions between government officials and citizens, added up to at least 3,225 years in 2014. Because of X-Road, Estonia has been able to digitise 99% of government services. Since its launch in 2001, companies can be incorporated in under 20 minutes and taxes can be submitted in five. Citizens can vote online, drive without a licence and ride public transport without a pass thanks to Estonia’s e-ID system, made possible by X-Road.
The Estonian Information System Authority (RIA), government agencies, AS Cybernetica
X-Road is a data exchange platform that allows registered databases and information systems to automatically share information without human involvement. The system operates by creating a common set of protocols and authentication codes that allow members' servers to recognise each other. To make a request, users must first register with RIA, the government agency that manages the network. Although the platform is geared toward government bodies, non-profits and private companies may also apply to join. Members are logged in a directory that displays the information they provide, and must get approval from the owner of each database they wish to access. Once approved, the information is transferred through a temporary connection established through the two members’ servers.
Cost & Value
The system cost approximately $450,000 to build. Annual maintenance costs range from $250,000 to $500,000.
Running since 2001
Initially, some agencies were reluctant to use X-Road because they were concerned about opening up their data and implementing the technical requirements. RIA also comes under pressure to modify or adapt technical requirements from X-Road applicants who ask for special consideration. Maintaining a consistent set of rules whilst making the network available to as many potential users as possible can therefore be demanding.
Finland implemented its own data exchange network, Palveluväylä, based on Estonia's X-Road system in 2015. The two countries are working together to enhance the technology underpinning X-Road, and jointly founded the non-profit Nordic Institute for Interoperability Solutions in March 2017 to advance these efforts.
The system, X-Road, automatically shares information with government agencies that need it without human involvement. For instance, babies born in Estonia are automatically registered for child benefits and enrolled in school. This is done by assigning them an ID code that is transmitted to the country’s population registry. The code is automatically requested by the IT systems of the education department and welfare authorities.
X-Road works by creating a common set of protocols and authentication codes that allow the secure servers of all members to make and verify information requests from registered databases. Requests are only approved if two X-Road members have agreed to share information between each other, which allows the owner of each database to retain control over its information.
By requiring all public authorities to use the system, X-Road allows much of Estonia’s state administration to be conducted automatically. Just a third of X-Road’s exchanges are thought to save as much as 2.8 million hours per year.
“Everybody understood that to optimise processes and make public services better and more effective, they needed to reuse the data that already existed in the public sector,” said Taavi Kotka, Former Chief Innovation Officer for Estonia. “Think about it: information flows between registries and you don’t have to deal with that when you use the services. I mean, a car registry exchanges information with police, so you don’t have to carry any driving licence or documents. All hospitals speak with each other and can see a patient’s medical history.”
Since X-Road’s launch in 2001, Estonia has put itself at the forefront of digital governance. Companies can be incorporated in under 20 minutes and taxes can be submitted in five. Citizens can vote online, drive without a licence and ride public transport without a pass thanks to Estonia’s e-ID system, made possible by X-Road. The World Bank estimated that the time saved from a third of X-Road transactions, which would otherwise have involved face-to-face interactions between citizens and government officials, added up to at least 3,225 years in 2014.
Although the use rate of X-Road initially increased only gradually, it grew exponentially from 2007 when the Estonian government implemented the ‘Once-Only Principle,’ a demand that government agencies refrain from asking citizens for information they had already submitted to the state.
“People loved it, and they became advocates of the system,” said Kotka. “Whenever a ministry asked for information about something they could say, ‘I already gave it to you.’ And then we saw exponential growth in X-Road. Without the Once-Only Principle… what happens is that instead of taking information from another ministry they ask for it again from the citizens. So you end up with the same kind of information in different databases.”
In 2006, prior to the ‘Once-Only Principle’, fewer than 30 million requests for information were made using X-Road. By 2016, that number had increased to more than 574 million. In the same time frame, the number of databases logged on the system more than quadrupled, from below 70 in 2006 to almost 250 a decade later.
Unlike other data exchange systems, X-Road contains no central facility for storing information. Instead, data is stored in the departments where it is produced, while the management of X-Road has no authority over any of the data available within the network.
This approach has three main benefits: it avoids the complexities of redesigning legacy systems; it allows X-Road members to decide who can access their data and the basis on which they can do so; and it prevents the platform from having any single point of failure. This is because there is no central database that can be breached, with information scattered throughout the system. Were there to be a leak, its scale would be restricted to the information available to the organisation that suffered it.
Although the network was designed for and is primarily used by government agencies, private sector companies and NGOs are also able to register as users. They might choose to do this if their work requires them to access government-held information on a regular basis, or they may be obliged to join if they are involved in providing a public service. About 70% of the network’s members come from the public sector.
To use X-Road, an organisation must first register with RIA, Estonia’s Information System regulator, which oversees the platform. To be part of X-Road, there are three key requirements. All members must have their own information system – without this, there is no way to request information from other registries. The applicant must demonstrate that it has the right to operate a database with the information they are registering. (Any database that is likely to duplicate ones that already exist is rejected.) Applicants must also have a recognised security system, such as Estonia’s ISKE security platform, operating as part of their IT setup. Finally, users must have a recognised online certification system integrated into their servers, allowing them to verify data requests.
Once users are admitted to X-Road, they receive a digital identity to denote them within the network. This way, all requests by servers can be easily tracked, and no unauthorised servers can access the system.
“All the potential entry points to our platform or our system need to be fully mapped,” said Kotka. “That way, if there is a leak, we can say it might be through a particular door, or if our partner has a leak then we know what kind of registries they have access to.”
However, becoming a member of X-Road is only the first stage in a two-part process to access information. All member organisations are listed in a database, the X-Road phonebook, which is held by RIA outside of X-Road. This allows network users to see the range of information and databases available to them on the platform. However, each connection within X-Road has to be arranged by the parties themselves. If network members have not agreed to share information with each other, any requests for data made by their information systems will be unsuccessful. Each member can also specify the terms on which other parties access their data within the system.
“The X-Road process is connected with data protection and privacy,” said Kotka. “Let’s say a bank wants information from police, for example. They send a request to the police for data and that request is reviewed by several parties. For example, the data inspection agency will ask if they actually have a right to get that information and whether they need all the information they want.”
X-Road requests are triggered automatically when staff perform an action on their information system that requires data outside its own database. A request is made for a piece of data through the organisation’s secure server, which transmits it to the server of the organisation that holds the information. For example, someone working at a cat shelter might scan the chip of a stray cat. A request would then be sent to the Ministry of Agriculture, asking for the information on the cat’s owners. The request would then be checked by the Ministry of Agriculture’s adapter server to ensure the organisation requesting the information had the authority to do so. Once verified, the adapter server would forward the request to the relevant database and translate it into a programming language it could understand. The requested information would then appear on the screen of the staff member who scanned the cat ID. The connection between the two servers would be severed as soon as the information was communicated.
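The provider-side check described above, together with the owner-set agreements and access terms from the earlier paragraph on the X-Road phonebook, can be sketched as a default-deny gateway that records every decision. This is an added, simplified model and not X-Road's own code; the class, member names, service name and record are all constructed for illustration.

```python
# Simplified model of the provider-side check described above; not X-Road code.
from dataclasses import dataclass, field


@dataclass
class ProviderGateway:
    """Hypothetical stand-in for the data owner's server that screens requests."""
    registered: set                               # identities issued at registration
    grants: dict = field(default_factory=dict)    # (consumer, service) -> shared fields
    audit: list = field(default_factory=list)     # every decision is recorded

    def allow(self, consumer, service, fields):
        """The data owner records an agreement and its terms (which fields are shared)."""
        self.grants[(consumer, service)] = frozenset(fields)

    def handle(self, consumer, service, record):
        """Default-deny: unknown members and unagreed services receive nothing."""
        if consumer not in self.registered:
            return self._log(consumer, service, "deny:unregistered", None)
        allowed = self.grants.get((consumer, service))
        if allowed is None:
            return self._log(consumer, service, "deny:no-agreement", None)
        # Terms of access: return only the fields the owner agreed to share.
        data = {k: v for k, v in record.items() if k in allowed}
        return self._log(consumer, service, "allow", data)

    def _log(self, consumer, service, decision, data):
        self.audit.append((consumer, service, decision))
        return data


def demo():
    # Constructed identities and data, loosely following the cat-shelter example.
    gw = ProviderGateway(registered={"cat-shelter", "bank"})
    gw.allow("cat-shelter", "pet-owner-lookup", ["owner_name", "phone"])
    record = {"owner_name": "A. Tamm", "phone": "555-0100", "national_id": "REDACTED"}
    results = [
        gw.handle("cat-shelter", "pet-owner-lookup", record),   # agreed: filtered data
        gw.handle("bank", "pet-owner-lookup", record),          # member, no agreement
        gw.handle("unknown-org", "pet-owner-lookup", record),   # not a member at all
    ]
    return results, gw.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit list is what lets an operator answer the question raised in the quote about mapped entry points: which member asked for which service, and what was decided.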
Specialised portals allow X-Road to be accessed by citizens, who are ineligible to join, and organisations that would struggle to meet the technical costs of membership. A citizen portal, called Your Estonia, allows Estonians to log in and submit requests to X-Road databases, enabling them to check all their personal information that is held by state authorities. A similar platform, called the Mini Information Service Portal (MISP), performs the same function for organisations. In both these systems, Web Services Description Language files, normally used to transmit requests between X-Road servers, are converted into web pages, allowing users to make requests and receive information without their own databases.
Estonia is currently working with Finland to further develop X-Road technology. Finland implemented its own data exchange system, Palveluväylä, based on the X-Road system in 2015. The two countries built on that cooperation in March 2017 by creating the Nordic Institute for Interoperability Solutions, a non-profit institute to further develop the technology underpinning both systems.