I study information flows in EU policy-making, and thus am glad about a recent EU Court of Auditors Special Report evaluating an EU Commission information system I haven’t come across: The Common RELEX Information System (CRIS).
As far as I understood, this system is basically a management and control system for the planning and operational execution of the external actions of the European Commission, including all aspects of contracting and audit involved.
One of the 21 modules of this information system – the European Court of Auditors audited five of them – for instance contains contracts the Commission makes in its external actions:
“The Contracts module would enable a user to search all contract records awarded to a given beneficiary. Any contract record so identified would typically contain, among other data, the contract number, a short description of the contract, its status and type, the name of the department and persons in charge, the geographical zone concerned, the contract’s signature and end dates and the contract’s amount and budget lines concerned.
A scanned copy of the contract itself and its accompanying annexes would also be attached to it. Moreover, the contract record would likely be linked, for example, to several records in the Invoices module, corresponding to the invoices received from the beneficiary. From this record, the user would thus be able to navigate through all records related to the action concerned, as well as to directly consult an electronic version of the corresponding documents.”
Another module, the Evaluations Module, has actually never been used:
“A Commission working paper from 2004 suggested that the Evaluations module of CRIS had been planned to provide a complete overview of mid-term and final evaluations managed by delegations and operational units. However, this module has never been used and it did not contain any records. The Commission had no documentation available to explain this situation.”
According to the European Court of Auditors (ECA), about 5000 individuals used CRIS in 2010 in about 800,000 sessions. The system cost 13 million Euro in 2011. The main criticism that the ECA has of the system is that:
“CRIS does not include a standard mechanism to limit users’ access rights to certain categories of data. In two specific cases, ad hoc technical mechanisms had to be developed so that sensitive documents were not accessible to all users. Apart from these two exceptions, all CRIS users automatically have access to all CRIS data. This situation puts into question the confidentiality of CRIS data, particularly in the case of the few external users of the system.”
This global access to the data was particularly problematic because the database also contains personal data:
“the Court identified documents containing personal data and that were attached to CRIS records […]. These included more than 2 000 CVs attached to records in several CRIS modules and that could thus be accessed by all CRIS users”
I like the answer that the Commission gave (annex to the report) regarding this data protection problem:
“It should be underlined that supporting documents are subject to ‘passive’ storage without any further processing by the application. As a consequence, they do not contain searchable data, i.e. it is not possible to operate a search in CRIS by the name of a given person appearing in an attachment.”
This clearly shows that the Commission has understood the concept of personal data protection – it’s all about searchability. Not.
In summary, the European Court of Auditors report finds many shortcomings that kind of show a piecemeal approach to information management. CRIS has been adapted and developed further since it became operational in 2002, but while it provides the Commission with relevant information, its functionality and usability are far from perfect and parts of the system overlap with other information systems (such as the Commission’s auditing system).
One therefore has to hope that the promise of the Commission in the annex is kept:
“The Commission has started a process of rationalising its IT landscape where the main objective is to prevent multiple systems from covering identical or similar processes and to integrate DG-specific needs within corporate solutions.”
That’s probably subject to another European Court of Auditors report…