4. Treading the path towards a data-driven public sector in Luxembourg

In 1865, the term “business intelligence” was first coined by Richard Miller Devins when describing how a banker beat his competitors by collecting and analysing information in a structured way on relevant business activities. Half a century later, the first technology that would radically improve the ability to collect and store large volumes of information was invented - the magnetic tape (World Economic Forum, 2015[1]). In the 1960s, the concept of cloud data storage was first envisaged, and the theory of a relational database was first presented to the public (ThinkAutomation, n.d.[2]). Another 30 years later, in the 1990s, with the advent of the Internet, data would slowly start to resemble what we see today - easily accessible and shared across the world. It was in this same decade that the founders of Google Search came up with their mission to "organise information on a global scale with the aim of making it accessible and useful to everyone" (Google, n.d.[3]).

The access and sharing of data is today estimated to generate social and economic benefits of between 0.1% and 2.5% of gross domestic product (GDP) (OECD, 2019[4]). Data generated and held by the public sector, from sensitive data in registers to non-personal data such as environmental, mobility, and meteorological data, are extremely valuable assets that if managed, shared and used effectively could bring significant value not only to the public sector itself, but also to the public. Yet there are also evident risks and high security and privacy standards that need to be met when improving the management and use of data, especially in the public sector. Countries wishing to secure a data-driven public sector (DDPS) should, therefore, adopt a strategic approach to data that seeks to maximise value while limiting potential risks, threats and harms associated to its management.

In 2014, the OECD Council adopted the Recommendation on Digital Government Strategies which includes a provision for governments to support the creation of a data-driven culture in the public sector. In 2021, the Council also adopted the Enhancing Access to and Sharing of Data (EASD) Recommendation (OECD, 2021[5]), which provides the first internationally agreed upon set of principles for how governments can maximise the cross-sectoral benefits of access to and sharing of different types of data while protecting individuals’ and organisations’ rights (OECD, 2021[6]). The adoption of the EASD Recommendation demonstrates the value that countries today see in data, including within the public sector, and the need for a DDPS. Similar types of legal instruments have been developed among other international fora, including in the European Union, with the recent Data Governance Act (European Commission, 2020[7]) and Data Act (European Commission, 2022[8]).

The OECD’s analytical framework for a DDPS published in 2019 aims to support countries’ implementation of DDPS (see Figure 4.1; (OECD, 2019[9])). It summarises the breadth of challenges and opportunities that public sector organisations face in working towards being data-driven, across three areas of focus: 1) data governance 2) applying data to deliver value; and 3) building trust. Data governance includes having the right leadership and a vision for data, tactical capacities, and data infrastructure and architecture. For delivering public value, public sector organisations should apply data strategically in the planning, delivery, monitoring and evaluation phase of public services and policies. Lastly, for a DDPS to promote trust it needs to work on ethics, transparency, privacy and consent, and digital security.

On top of the DDPS framework, the OECD has developed additional policy and measurement tools including the Digital Government Policy Framework (DGPF), the Good Practice Principles for Data Ethics in the Public Sector, the Digital Government Index, and the Open, Useful and Re-usable data Index (OURdata Index). In 2020, the first OECD Digital Government Index was launched. The DDPS dimension of the Index included an assessment of the extent to which countries manage and use data to inform the design, delivery and monitoring of public policies and services. As part of this, it assessed the availability of public sector data strategies, institutional roles, requirements for data sharing, standards, and more. According to the overall results, DDPS was the dimension where OECD member countries had developed the least out of the six areas assessed. Luxembourg ranked below the OECD average, at 17 out of 29 countries (see Figure 4.2) (OECD, 2020[10]) and performed least well in DDPS compared to the other assessed dimensions.

Building on the above-mentioned Recommendations and tools developed by the OECD to support and assess the DDPS-level maturity of public sector organisations, this chapter looks at the current state of becoming a DDPS in Luxembourg, focusing on the three areas of the DDPS framework. The first section looks at the current data governance in the Luxembourg public sector, including leadership, strategy, data infrastructure and architecture. The second section looks at how ministries and administrations are applying data strategically to deliver value. The final section looks at how data is managed and used to retain and build trust in the public sector.

Data governance can be described as the set of people, policies, rules, frameworks and processes that help organisations manage and use data effectively to support their mission and objectives. While there is no single, commonly used definition of data governance, existing approaches (DAMA International, 2017[11]; Knight, 2021[12]) describe data governance as exercising “control” over the “management of data” or being a “system of decision rights and accountabilities” for data management. Data governance can be seen as framing and steering data management towards trusted value creation.

The model framework for data governance in the public sector developed by the OECD has three layers (strategic, tactical, and delivery) and six sub-layers (2019[9]). While the framework is broad, it is not exhaustive and there are components not covered that would need to be considered by organisations as they build a data governance programme or framework, depending on the context in which they operate.

As a first step, governments should define leadership and a vision for what it wants to achieve with data, and how this should be achieved. Having the right leadership and a strategy is the foundation for effective prioritisation, the steering and consolidation of efforts, and the promotion of a data-driven culture in the public sector. Without knowing what the government wants to accomplish, how it will be accomplished, and who is accountable for effective implementation, few data-related initiatives are likely to succeed.

The Electronic Governance Strategy 2021-2025 stresses the importance of good quality data, data protection, and the once-only principle for digital government transformation, though it does not chart out a high-level course of action with concrete objectives for implementation. An internal roadmap has been created by the Inter-ministerial Committee for Digitalisation to support the implementation of the strategy, with actions such as the development of base registers and authentic sources, a central API gateway, a new document and case management system, and the operation of a central Business Intelligence (BI) platform.

The work on data in Luxembourg is largely influenced by EU-level policies and is seen as transversal to several entities and ministries. Although there is currently no dedicated public sector data strategy in place, data is treated separately in a mix of different strategies, including the open data strategy under the Ministry of State (ME), the data-driven innovation strategy under the Ministry of the Economy (MECO), and the Electronic Governance Strategy and GovCloud Strategy under the Ministry for Digitalisation (MDIGI). The development of actions relevant to DDPS also include the National Interoperability Framework (NIF), which is a framework that includes high-level principles and guidelines for the public sector, and that defines essential elements necessary to have a coherent, clear and structured base for interoperability in the Luxembourg public sector, which is strictly linked to data.

During the peer review mission and workshop, one of the identified challenges relating to data governance was the lack of a coherent and comprehensive vision for data across the public sector – as still reflected in the fragmented approach towards establishing a public sector data strategy. Less than half of the surveyed ministries and administrations agree that there is clear policy guidance on the governance and use of data.1 Box 4.1 shows how other OECD member countries, in this case France and Ireland, have developed dedicated strategies for data in the public sector as ways to address the issue.

DAMA (2017[11]) suggests that, to be successful, a data strategy “(…) must come from an understanding of the data needs inherent in the business strategy: what data the organisation needs, how it will get the data, how it will manage it and ensure its reliability over time, and how it will utilise it.” As presented, the purpose of developing a stand-alone data strategy is not for it to be added on top of the core business operations of the public sector. To the contrary, it should support the public sector’s main mission and objectives. By formulating a stand-alone data strategy, in consultation with affected parties, there is a greater chance that data management and better use of data will be taken seriously. A strategy could help increase legitimacy and build ownership across ministries and administrations for DDPS implementation.

Figure 4.4 shows a template based on Knight (2019[15]) for the process of developing a public sector data strategy: 1) identify the mission and objectives of the public sector; 2) assess the current state of DDPS; 3) propose a future state; and 4) develop an implementation roadmap.

Linked to the lack of a coherent and comprehensive vision for data across the public sector, almost 50% of surveyed ministries and administrations in Luxembourg could not answer whether there is a central body or function responsible for data across the public sector, or not. According to the Grand-Ducal Decree that established the current ministries and their responsibilities, the Ministry for Digitalisation (MDIGI) is responsible for promoting and organising the “automation of administrations, particularly with regard to the collection, transmission and processing of data”, and also for “searching for synergies between the various State administrations and optimising their exchanges of information.” (The Government of the Grand Duchy of Luxembourg, 2018[16]). The Government IT Centre (CTIE) which currently operates under the MDIGI, has also these same two responsibilities according to the Law of April 20, 2009 (The Government of the Grand Duchy of Luxembourg, 2009[17]).

MDIGI is co-ordinating the implementation of the Electronic Governance Strategy 2021-2025, the GovCloud strategy, and the NIF that cover important elements of DDPS. Other ministries leading strategies or policy areas relevant to DDPS include mainly the ME and MECO, but also the Ministry of Finance (MFIN) (see Table 4.1). The ME, via Service Information and Press (SIP), is responsible for open data. The MECO is responsible for co-ordinating the implementation of the country’s High Performance Computing project and the data-driven innovation strategy with the latter primarily targeting the use of data by the private sector. The MFIN is leading the co-ordination of the work on the public sector geospatial data infrastructure via the Land Registry and Topography Administration (ACT).

Across OECD member countries, the exact form of central leadership for data once it is defined does vary – it may it be an agency (e.g. Agency for Digital Government in Sweden) or a body situated directly under the centre of government (e.g. DINUM in France, Central Digital and Data Office in the United Kingdom).

For improving tactical capacities for DDPS, public sector organisations need dedicated resources including institution-level leadership and strategies, co-ordination mechanisms, data-related skills, regulations and guidelines to implement coherently the common vision for DDPS while aligning it with their own mission and objectives.

Few ministries and administrations in Luxembourg currently have a strategy for data, and 46% neither indicate any plans for pursuing this in the near future.2 Few organisations also indicate having a dedicated role of function responsible for data stewardship (e.g. a Chief Data Officer, Data Steward), or plans for such. During the capacity-building workshop on data, participants raised several challenges that could be tied to the absence of institutional leadership and strategic plans for data, including:

  • a lack of data ownership and stewardship among ministries and administrations;

  • a lack of consistency in the management of data, which in turn affects data quality;

  • a limited public sector culture for data sharing.

Increasing the ownership and accountability of ministries and administrations for their data would be a necessary step towards making public sector data management more consistent, and thereby improving the quality and interoperability of data. Similarly, it would help foster a public sector culture of data sharing which is currently limited. Achieving a culture for data sharing is done by lowering the perceived costs of exchanging data (risks, less control, fear of failure, resources) while increasing the perceived benefits (efficiency, working towards a common goal, saving resources, better policies and services). Developing ministry-level strategies, roadmaps or plans for data would be beneficial to promote coherent implementation of any vision and guidelines outlined at the central level, to increase awareness, and build ministry-level tactical capacities while adjusting objectives to the ministries’ and administrations’ mission and strategy. The Ministry for Digitalisation has currently a pilot project to test a new service called ‘Advisory Service for Digitalisation’ that allows ministries to request maturity assessments of their digital development, and support in the development of ministry-level strategies in line with their ambitions and as support to the implementation of the Electronic Governance strategy 2021-2025. This service could be extremely valuable also for progressing coherently in the area of data.

Apart from leadership and strategy, ministries and administrations need to co-ordinate and collaborate effectively around data-related projects, standards and tools for data management and use to allow for coherent implementation and interoperability of data and processes. One of Luxembourg’s strengths is the fact that the CTIE is one of very few IT providers, and as such a valuable resource in developing common, interoperable data-related tools and services across the public sector. The Luxembourg government has recently taken further steps to support collaboration and co-ordination by establishing the Inter-Ministerial Committee for Digitalisation, the National Committee for Interoperability (CNI), and the central government Sectoral Committee for Interoperability (CSI). With the NIF having the most concrete objectives relevant to DDPS at this stage, the role of the CNI and the central government CSI to support ministries and agencies in working together towards interoperability of data will likely be very important. During the peer review mission, other co-ordination mechanisms that administrations have referred to as supporting them in working together around data were the Coordination Committee for Luxembourg’s Geographical Data Infrastructure (CC-ILDG) and the Technical Group for Geographical Data Infrastructure (GT-LDG).

In addition to co-ordination and collaboration mechanisms, ministries and administrations need the right skills and talent to support better management and use of data. Box 4.2 presents the general concepts that public servants should be trained in to understand DDPS and manage and use data with trust as described in the OECD Framework for Digital Talent and Skills in the Public Sector (OECD, 2021[18]). During the capacity-building workshop on data, participants raised that there is currently, and in general, a lack of human resources and skills among ministries and administrations for managing data consistently. Some ministries and administrations are better equipped than others. Ensuring the right skills includes working with universities to build skills among the young population, becoming an attractive workplace for people with data-related skills, improving data literacy among middle-management, and upskilling and reskilling people who already work with data in government. The Digital Academy of the National Institute of Public Administration (INAP) is currently integrating new courses regarding digitalisation and many useful subjects to increase and advance the skills for civil servants and could also be a useful resource for providing data literacy training.

In terms of Luxembourg’s regulatory framework for DDPS, it is as discussed previously tied to the EU regulatory framework for the Single Digital Market Initiative. Many of these EU regulations and directives have the explicit aim to support free flow of data with trust across the Union, including notably the General Data Protection Regulation (GDPR), the Single Digital Gateway Regulation, the Open Data Directive, and the proposal for a Data Governance Act. While the Luxembourg government has a robust regulatory framework rooted in the EU regulatory framework, several ministries and administrations have expressed that the current national regulatory framework is not entirely fit-for-purpose in supporting them to exchange and use data.

Non-compulsory guidelines and principles are also important for supporting coherent implementation of DDPS. Luxembourg has made great achievements with the NIF being published in 2019. The framework has 11 principles and 48 recommendations that build on the European Interoperability Framework (EIF) for standardising the approach ministries and administrations take to digitalisation and data (The Government of the Grand Duchy of Luxembourg, 2019[19]). A large share of the principles and recommendations are highly relevant to DDPS (see Table 4.2).

Despite the well-developed NIF, a number of surveyed ministries and administrations expressed a lack of concrete guidelines or standards to support the work on data quality, ethics, GDPR-compliance, interoperability, and data sharing. For example, only 40% have access to guidelines that support them in metadata management (OECD, 2021[20]).

The third layer of data governance - the delivery layer - covers the data infrastructure and architecture needed to support the management, sharing, and consumption of data. In Luxembourg, the data infrastructure is relatively centralised to the CTIE, while the data architecture is partly decentralised to the respective ministries and administrations responsible for specific types of data, such as the base registries or national statistics.

When it comes to data infrastructure, Luxembourg has a solid reputation in digital security. The country has one of the largest concentrations of secure types of data centres - TIER IV, which has made it a valid option for countries wishing to store sensitive data in another location. In 2017, the Luxembourg government signed a contract with Estonia to host the first so-called “data embassy” and in 2021, the data embassy of Monaco also opened up its doors following the signing of a bilateral agreement (The Government of the Grand Duchy of Luxembourg, 2021[21]). In addition to the data embassies, Luxembourg has set up its own Gaia-X Regional Hub, co-ordinated by MECO and Luxembourg’s national innovation agency, Luxinnovation. The purpose of the Gaia-X project, which was initiated by France and Germany a few years ago, is to provide a secure, federate and digitally sovereign cloud service for public and private sector organisations in Europe (Gaia-X Hub Luxembourg, 2021[22]). Luxembourg has had its own GovCloud strategy and public sector cloud service in place since 2016, managed under the responsibility of the CTIE. The cloud service consists of a private cloud architecture hosted in Luxembourg, which offers secure services to ministries and administrations. Today, the CTIE stores most of the data held by ministries and administrations in Luxembourg, apart from organisations with specific needs such as the National Institute of Statistics and Economic studies (STATEC).

Most surveyed ministries and administrations perceive the existing data storage capacity and IT infrastructure of the government as sufficient. Luxembourg has had a historically strong centralised approach to government IT-infrastructure managed by the CTIE, acting as a service provider to ministries and administrations. CTIE currently provides Infrastructure as a Service (IaaS), Platforms as a Service (PaaS) and generic and customised software solutions - Software as a Service (SaaS) (The Government of the Grand Duchy of Luxembourg, 2021[23]). As a result, ministries and administrations can access a number of common platforms and solutions for storing, processing and analysing data, reducing overall costs and allowing organisations to direct more of their resources to primary tasks. More recently, and as presented earlier, these services include a central BI platform, a new document and case management system, a government API gateway, a national data sharing platform, and a pseudonymisation platform. In addition, a data broker service is expected to be made available in 2022. The development of solutions and tools that support a trusted and more automated flow of data across the Luxembourg public sector is important as several ministries and administrations still access and download data manually, as opposed to machine-to-machine interactions. Examples of where automated sharing of structured data has been implemented include the health and social security domain, and data transmitted from MyGuichet.lu to the back offices of administrations.

In terms of additionally identified challenges related to data infrastructure, some ministries and administrations have mentioned that they are not always aware of existing platforms or solutions for sharing or analysing data, indicating that the communication between the CTIE and ministries and administrations could be improved.

Data architecture can be seen as the “soft data infrastructure” and the recipe defining the relationships, processes, and concepts for the management and exchange of data between organisations. It includes, among other things, government-wide standards, specifications and semantic rules. Although standards should normally be developed as close to their primary use as possible, to enable interoperability and secondary data use across the government, it is necessary for some standards to be developed based on a common, central framework. In the case of Luxembourg, it is also important for standards to align with standards developed at the EU-level.

Data interoperability and the once-only principle are both a major priority for the Luxembourg government, with several of the NIF recommendations targeting these specific areas. During the capacity-building workshops and peer review mission, the lack of common standards and semantic rules were highlighted as important challenges for enabling data exchange between ministries and administrations, and with external parties. Moreover, improving master data management (management of authentic sources of data held in the base registries) was raised as critical. The development of the Myguichet.lu platform is promoting the standardisation of transactional data submitted by individuals and organisations to specific ministries and administrations via the platform, and re-use of such data.

For base registries, the relevance of defining and enforcing standards for interoperability purposes is particularly important. As seen in Figure 4.6, base registries are the second most common source of data collected, re-used and analysed by ministries and administrations in Luxembourg. Better exchange and re-use of base registries data would thus be a central aspect of making public services in Luxembourg more seamless and secure while also reducing long-term costs and inefficiencies. The NIF does include important recommendations which refer to the base registries and their interoperability, including metadata management and making data from the registers accessible to third parties.

Currently in Luxembourg there are more than 20 base registries administrated by different public sector institutions. The operational, semantic and technical management aspects of the base registries are primarily the responsibility of the owner of the registry, while partially centralised to the CTIE, as the CTIE is responsible for providing general support and to deliver a joint strategy (European Commission, 2020[24]). The development of a common data architecture framework in Luxembourg with agreed upon standards and rules for base registries is likely something which will have a major impact on the DDPS-maturity of the Luxembourg public sector and the possibility to implement the once-only principle if done properly. Box 4.4 presents an example for how another OECD country has developed such a framework, in this case Sweden. Similar frameworks have been developed also by the government in Denmark and Norway.

In addition, the data broker service which is currently under analysis by the NIF “once-only” working group is looking at how a central data intermediation platform should be implemented and what services it should offer. The data broker would need to define exchange standards and provide data catalogues to support the sharing and re-use of data on the platform.

In addition to closed or semi-closed data access and sharing arrangements, the publication of open government data can help stakeholders both inside and outside of the public sector extract value from public sector data. The Luxembourg government has for many years been successful with open geospatial data and has a policy to publish all core geospatial data under a Creative Commons Zero (CC0) license (European Commission, 2021[26]). The work on open geospatial data has paved the way for Luxembourg to also make other valuable public sector data available, such as data on public procurement, environment, and transport.

Still, the Luxembourg government’s general performance in open data has not lived up to that of the geospatial data. In 2019, Luxembourg ranked 23 out of 34 OECD member countries and 13 out of 21 EU Member States in the OECD OURdata Index. The below-average performance of Luxembourg in open data is also reflected in the EU Open Data Maturity assessment, where it was categorised as a “beginner” in 2021 (European Union, 2020[27]).

Despite this, Luxembourg has had a dedicated strategy and roadmap for open data in place since 2017, and the central open data portal data.public.lu, managed by SIP. Some reasons why the general performance on open data has not yet lived up to expectations might be linked to the fact that the current open data strategy and roadmap contain few concrete objectives coupled with actions, timeframes, and roles and responsibilities. SIP is currently working on a new version of the open data strategy together with a concrete 5 year roadmap. These are expected to be published before the end of 2022.

According to ministries and administrations the main barriers for them to publish open data are a lack of resources and deficient data governance (OECD, 2021[20]). Ministries and administrations need to find ways of integrating open data into their daily operations by considering the publication and maintenance of open data as a strategic, long term digital investment and not as a short-term project. While the benefits of open data are sometimes difficult to assess and can be both indirect and direct and spread across multiple sectors and actors, it is certain that greater maturity in terms of sharing data today will increase the advantages of an organisation in terms of digital readiness in the future.

While the SIP provides excellent support from the central level it cannot implement the open data policy on its own. SIP does not have the power to enforce existing principles and policies for open data but can only notify ministries and administrations that they believe they do not comply with them and should act. Therefore, it is the responsibility of ministries and administrations to ensure compliance in practice, which could be more easily achieved if dedicated resources such as contact persons for open data would be appointed and be given proper mandate, skills and resources. Alongside this, the SIP and MDIGI could work together to further promote and supervise the connection of the work on open government data with the overall data-driven public sector agenda. Implementing the DDPS framework will lead to better (and more) open data being published, which in turn will help implement the DDPS agenda. With open data currently being the responsibility of ME and not MDIGI, the ability to further strengthen the link between the two agendas is not straightforward, even though the two organisations are actively collaborating through several government programs spanning across government such as AI4GOV and the National Interoperability Framework.

The insufficient resources and enforcement mechanisms related to open data which is common in many countries might explain why only 31% and 9% of ministries and administrations currently see open data as a high or very high priority (see Figure 4.8). Those that see it as a high priority are ministries and administrations who already published open data either via their own channels, or on data.public.lu. With the national transposition of the EU Open Data Directive in place since 2021, SIP becomes better equipped to promote the implementation of existing principles and convey the importance and priority of open data not only for external actors but for public actors too. Even more importantly, it should support ministries and administrations in raising more awareness of the importance of open data inside their organisation and take more ownership and action around this policy area.

While it has been argued that “data are to this century what oil was to the last one” (The Economist, 2017[28]), data does not possess any intrinsic value. As discussed previously in this chapter, data comes in many shapes and forms and the only thing that can determine its value is if and how it is being used, and the result of that use, which is determined by if and how the data can be accessed and used in the first place. The application of data within the public sector can be thought of as either of the following three actions: anticipating and planning, delivery, and monitoring and evaluation (see Figure 4.9) (OECD, 2019[9]).

For anticipation and planning, public sector organisations can use data to design better policies, anticipate change, and forecast needs. The value of being equipped to use data to anticipate is particularly important in the context of a global climate crisis and security instabilities. It is moreover important for governments and public sector organisations to use data in the delivery of policies and services - such as in reacting and adapting to change. Finally, public sector organisations should use data as part of monitoring and evaluating their interventions, including to audit decisions, monitor the performance of policies and services, and measure their impact on social, economic, and environmental factors.

90% of surveyed ministries and administrations in Luxembourg claim to be collecting, processing, and using data on a regular basis (OECD, 2021[20]). A substantial proportion of these data are identifiable data on citizens, businesses, and other actors, but also non-personal data such as data about the environment, infrastructure, or transport. As previously mentioned, base registries are the second most common data source, after data generated by other departments within the same administration or ministry. When it comes to the main reported barriers for ministries and administrations to use data, these include a lack of information about available data, absence of relevant data sources, and a legislation that is slowing down processes, in line with the previous findings.

Going back to how ministries and administrations apply the data that they have, a majority claim to use it as part of the anticipation and delivery phase of government interventions (Figure 4.11). Only 44% of ministries and administrations use data to evaluate and monitor government interventions. For those that use data regularly to anticipate and plan interventions (Figure 4.12), almost all apply data to support evidence-based policy making (91%). A large majority also use it to support financial management and budgeting; to forecast needs and probable events; and to support the design and deliver public services. Less than half use data to support regulatory development (including impact assessments), and to develop a deeper understanding of citizen needs for the design of new policies and services.

For the ministries and administrations that use data in the delivery of government interventions (Figure 4.14) 92% use it to improve existing public services and to communicate and engage with the public. Around 50% use data to better respond to emergencies and crises, and to free up public servant capacity so they can engage in more important tasks. Finally, a majority of the ministries and administrations that use data to monitor and evaluate interventions use it to evaluate policy interventions and to track operational performance (Figure 4.15). Few use data for auditing and accountability, and to demonstrate return on investment. To improve the use of data to evaluate and monitor government interventions it is essential to use benchmarks and set performance baselines. It is moreover advisable to publish online to the public, ideally as open data, such performance metrics to instil trust and strengthen accountability for the performance of public policies, regulations, and services.

Besides thinking about the objectives for how data can be used, AI (and other emerging technologies) can be extremely useful systems for ministries and administrations to effectively use large volumes of data in the design and delivery of public policies and services. In 2019, the Luxembourg government launched the national AI strategy “Artificial Intelligence: a strategic vision for Luxembourg” (The Government of the Grand Duchy of Luxembourg, 2019[30]).

Luxembourg’s strategic vision for AI has also led to the creation of an AI4Gov inter-ministerial committee, comprised of the MIDIGI and the ME (SMC and SIP). The purpose of the AI4Gov Committee is to encourage ministries and administrations to make better use of AI and data to transform the way they operate and their services. The Committee launched a first call for AI4GOV projects in November 2019, which resulted in a final selection of six proposed projects, of which four were implemented in 2020. The projects range from extraction of topographical objects (ACT), indexing of government photos (SIP), and transcriptions of texts of articles (Luxembourg National Library). By the end of 2020 a new call for proposal was made and a new set of projects have been initiated, including for recruitment procedures (CGPO) and automatic labelling of documents (Central Legislative Service) (The Government of the Grand Duchy of Luxembourg, 2022[29]). In January 2022, a third call for projects was launched by AI4GOV, and in parallel trainings are being organised together with INAP to enhance AI-related competencies in the public sector (Ministère de la Digitalisation, 2021[31]).

Data governance and strategic use of data has little value if citizens, civil servants, and businesses do not trust how the government handles and uses data. While people in Luxembourg have comparatively high confidence in their government, the use of data and data-driven technologies inside the public sector needs to be backed up by an anticipatory approach to managing risks and acting trustworthily with data by considering present and future needs in terms of ethics and transparency, privacy and consent, and digital security. The Luxembourg government has made considerable achievements in this area. However, the peer review mission and workshop revealed some challenges, in particular with regards to promoting awareness around data ethics, and actively supporting public servants and data professionals in ensuring compliance with data protection rules.

Data ethics can be defined as “the branch of ethics that studies and evaluates moral problems related to data, algorithms, and corresponding practices in order to formulate and support morally good solutions” (Floridi and Taddeo, 2016[32]). Data ethics and moral principles are by nature non-binding and should thus complement binding laws and regulations, not substitute them. Data ethical principles may cover issues such as the impact of using data on distinct groups and communities, and the impact of not sharing and using specific data on the same groups and communities. Data quality is moreover something which shapes how the public sector can use and interpret data, which in in turn impacts people and society. During the peer review mission, a lack of consistent data management and low-quality data was raised as one of the biggest issues related to trust and data.

In addition to low quality data, some ministries and administrations find that there is unclear accountability at the national level for trustworthy management and use of data. It was also identified that there is a low level of awareness and understanding of what data ethics means beyond GDPR. Moreover, 30% of ministries and administrations disagrees with there being sufficient guidance or standards for ethical handling and use of data, and 35% believe that there are not sufficient accountability mechanisms for data-driven and automated decision making. In 2020, the OECD (2020[33]) published the Good Practice Principles for Data Ethics in the Public Sector with the aim to support governments’ progress in this area (Box 4.7).

When it comes to emerging technologies in the public sector, in particular AI, the discussion on trust and data is critical. AI has been proven to provide considerable benefits to economies and societies, including by being used in the public sector. A study by Vinuesa et al. (2020[34]) published in Nature estimated that AI technology3 could help implement 134 out of 169 targets part of the UN Sustainable Development Goals. At the same time, it estimated that if not properly regulated and monitored to avoid gaps in transparency, safety and ethical standards, the use of AI technology could actually inhibit achieving 59 of the targets. As such, the study suggests that the regulatory framework, institutional capabilities for monitoring AI technology use, and efforts for strengthening transparency and ethics needs to be prioritised to avoid the use of AI causing unintended negative effects.

In a study by the Luxembourg Institute of Social and Economic Research (LISER) from 2020 (Poussing, 2021[35]) commissioned by the MDIGI and SMC, 58% of surveyed citizens reported that they have medium confidence in the use of AI by the public sector, whereas only 41% felt the same for the private sector. This shows the success of the Luxembourg government in maintaining trust of citizens in the public sector’s use of data and digital technologies as compared to the private sector, something which is not to be taken for granted. Since less than 20% of respondents felt that they had large confidence in the use of AI by the public sector, more could still be done to even further promote trust in the use of data and especially emerging technologies as such use cases are developed. The establishment of the AI Legal and Ethics Working Group under the AI4GOV initiative is a good example of such efforts.

Given that data is the “engine” of AI systems, the Luxembourg could moreover consider aligning this work with the possible development of a data strategy as a foundation to effectively deploy AI in the public sector (Berryhill et al., 2019[36]).

Protecting the privacy of individuals remains a central aspect of managing and using data appropriately in the public sector and is an important priority of the Luxembourg government. The legal framework for privacy and consent in relation to personal data in Luxembourg is based on the GDPR. The national implementation of the GDPR established Luxembourg’s National Commissioner for Data Protection (CNPD) and laid out the rules for Data Protection Officers (DPOs) to be appointed within ministries and administrations, and their tasks and responsibilities. The Government Commissioner for Data Protection of the State (CGPD) is in charge of coordinating the network of DPOs inside the ministries and shaping central policies to support the implementation of the GDPR by ministries.

During the capacity-building workshop on data, concerns were raised by some ministries that their DPOs were not always available when needed or had the resources to cater fully to their needs as they advance their management and use of data. As ministries work more with data (which is the ambition), there will also be a need for more tailored and attentive support to be able to work with data more without facing unnecessary barriers, including the fear of a GDPR-breach.

On top of GDPR-compliance, as part of new ways of empowering citizens and increasing transparency of the public sector, governments are looking at how they can enable citizens and businesses to be more meaningfully informed and participate in deciding how data about them are being stored, accessed, and used by public sector organisations. In Luxembourg, on the personal space of MyGuichet.lu, private users of public services can see data stored about them from more than 15 authentic sources, and what organisations have accessed their data during the last six months (Box 4.8). For some of these data, users can also request the correction of data that they do not consider accurate, if they have legitimate justifications.

Since 2021, a pilot project is also being run via the GovTech Lab to develop a concept and implement technology that enable the creation of a verifiable digital residence certificate, using the structured data of a residence certificate from the national register of natural persons (RNPP). The digital certificate would also allow for selective disclosure of information on the attestation, for example for a person can prove that they have reached a certain age without having to show date of birth, which in turn supports data minimsation (govtechlab.public.lu, 2021[39]; Portail des marchés publics du Grand-Duché de Luxembourg, 2021[40]).

Luxembourg is an advanced country when it comes to digital security. As mentioned previously, Luxembourg is considered such a safe and stable environment for storing sensitive data that it hosts other countries’ government data. According to the Global Cybersecurity Index 2022, Luxembourg ranks 13 in the world in cybersecurity measures. The relative strengths are its legal and technical measures, whereas the area for potential growth is organisational measures, meaning the “the existence of co-ordination institutions, policies, and strategies for cybersecurity development at the national level.” (ITU, 2021[43]). The centralisation of IT infrastructure under CTIE has an important impact on security measures as most controls and security-related competencies can be managed by the CTIE. The CTIE has standardised methods for information security and puts it at the centre of all projects it carries out, whether for its own behalf or for ministries and administrations. Security measures are applied gradually according to the security needs identified and pay detailed attention to issues such as data minimisation, data retention, data dissemination, profiling and automated decisions, accuracy of decisions, data accuracy and quality, and guaranteeing the exercise of rights and respect of privacy. In the course of 2020, the CTIE has begun work to diversify the application security measures in order to adapt them to the needs of constantly evolving projects (Ministère de la Digitalisation, 2021[31]).

The regulatory framework for digital security in Luxembourg is based on the Law of 28 May 2019 of ensuring a high common level of security of network and information systems and the GDPR. The National Information Systems Security Agency (ANSSI) is the national authority responsible for the security of both classified and unclassified information systems installed and operated by the Luxembourg government. ANSSI is under the responsibility of the High Commission for National Protection (HCPN), which is also responsible for the protection of critical infrastructure, crisis prevention and management, and co-ordinating the fight against terrorism (The Government of the Grand Duchy of Luxembourg, 2021[44]). ANSSI has developed the “General policy for information security of the Luxembourg State”, and a “Charter of good conduct for digital information security” that supports ministries and administrations in working securely with information and information systems (The Government of the Grand Duchy of Luxembourg, 2021[45]).In 2021, the National Cybersecurity IV was adopted, which include actions related to: reinforcing trust in the digital world and the protection of human rights online; the consolidation of the security and resilience of the digital infrastructures of Luxembourg; and the development of a digital economy which is reliable, sustainable and secure (The Government of the Grand Duchy of Luxembourg, 2021[46]).

In addition to the work of ANSSI, Security Made in Lëtzebuerg (securitymadein.lu) is the national cyber security agency which provides support to companies in Luxembourg, but also to municipalities, to address cybersecurity challenges. The agency is an economic interest group founded by the State of Luxembourg, represented by the Ministry of the Economy, the Ministry of Education, Children and Youth; the Ministry of Family Affairs, Integration and the Greater Region; the Intercommunal Information Management Association (SIGI); and the Association of Luxembourg cities and municipalities (SYVICOL) (The Government of the Grand Duchy of Luxembourg, 2021[47]).

In 2022, the CEO of securitymadein.lu took over the chair of the newly installed EU Cyber Security Competence Centre, and securitymadein.lu was appointed Luxembourg’s national co-ordination centre for the initiative (European Commisssion, 2022[48]).


[36] Berryhill, J. et al. (2019), “Hello, World: Artificial intelligence and its use in the public sector”, OECD Working Papers on Public Governance, No. 36, OECD Publishing, Paris, https://doi.org/10.1787/726fd39d-en.

[11] DAMA International (2017), DAMA-DMBOK, Technics Publications, New Jersey.

[8] European Commission (2022), Data Act, https://digital-strategy.ec.europa.eu/en/policies/data-act (accessed on 15 June 2022).

[26] European Commission (2021), Luxembourg - 2021: Country Fiche, https://inspire.ec.europa.eu/country-fiche/luxembourg-2021-country-fiche (accessed on 20 October 2021).

[24] European Commission (2020), Digital Public Administration Factsheet 2020 - Luxembourg, https://joinup.ec.europa.eu/sites/default/files/inline-files/Digital_Public_Administration_Factsheets_Luxembourg_vFINAL.pdf.

[7] European Commission (2020), Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance (Data Governance Act) COM/2020/767 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0767 (accessed on 15 June 2022).

[48] European Commisssion (2022), The European Cybersecurity Competence Centre and Network moves forward: Nomination of the Chair of the Governing Board and National Coordination Centres, https://digital-strategy.ec.europa.eu/en/news/european-cybersecurity-competence-centre-and-network-moves-forward-nomination-chair-governing-board (accessed on 15 June 2022).

[27] European Union (2020), “Open Data in Europe 2020”, data.europa.eu, https://data.europa.eu/en/dashboard/2020#country-overview (accessed on 10 October 2021).

[32] Floridi, L. and M. Taddeo (2016), “What is data ethics?”, Phil. Trans. R. Soc. A, Vol. 374/20160360, https://doi.org/10.1098/rsta.2016.0360.

[22] Gaia-X Hub Luxembourg (2021), Gaia-X Luxembourg Regional Hub, https://www.gaia-x.lu/ (accessed on 18 November 2021).

[3] Google (n.d.), From the garage to the Googleplex, https://about.google/our-story/ (accessed on 13 June 2022).

[13] Government of France (2021), Note : Cadre interministériel d’administration de la donnée, Ministrère de la transformation et de la function publiques - Direction interministérielle du numérique, https://www.numerique.gouv.fr/uploads/Cadre-interministeriel-donnee.pdf (accessed on 15 June 2022).

[14] Government of Ireland (2018), Public Service Data Strategy 2019-2023, Department of Public Expenditure and Reform, https://www.gov.ie/en/publication/1d6bc7-public-service-data-strategy-2019-2023/ (accessed on 15 June 2022).

[39] govtechlab.public.lu (2021), govtechlab.public.lu, https://govtechlab.public.lu/en/call-solution/2021/trust-my-data.html (accessed on 15 June 2022).

[43] ITU (2021), Global Cybersecurity Index 2022 - Measuring commitment to cybersecurity, International Telecommunication Union, https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2021-PDF-E.pdf.

[12] Knight, M. (2021), What is Data Governance?, https://www.dataversity.net/what-is-data-governance/ (accessed on  February 2022).

[15] Knight, M. (2019), Developing a Data Strategy Template, https://www.dataversity.net/developing-a-data-strategy-template/ (accessed on  February 2022).

[31] Ministère de la Digitalisation (2021), Rapport d’activitié, The Government of the Grand Duchy of Luxembourg, https://gouvernement.lu/dam-assets/fr/publications/rapport-activite/minist-digital/2021-rapport-activite-mindigital.pdf.

[6] OECD (2021), Data governance: Enhancing access to and sharing of data, https://www.oecd.org/sti/ieconomy/enhanced-data-access.htm (accessed on 15 June 2022).

[20] OECD (2021), Digital Government Survey of Luxembourg: Ministries and Administrations, unpublished.

[5] OECD (2021), “Recommendation of the Council on Enhancing Access to and Sharing of Data”, OECD Legal Instruments, OECD/LEGAL/0463, OECD, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0463#mainText.

[18] OECD (2021), “The OECD Framework for digital talent and skills in the public sector”, OECD Working Papers on Public Governance, No. 45, OECD Publishing, Paris, https://doi.org/10.1787/4e7c3f58-en.

[10] OECD (2020), “Digital Government Index: 2019 results”, OECD Public Governance Policy Papers, No. 03, OECD Publishing, Paris, https://doi.org/10.1787/4de9f5bb-en.

[33] OECD (2020), Good Practice Principles for Data Ethics in the Public Sector, OECD, Paris, https://www.oecd.org/gov/digital-government/good-practice-principles-for-data-ethics-in-the-public-sector.pdf.

[4] OECD (2019), Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use across Societies, OECD Publishing, Paris, https://doi.org/10.1787/276aaca8-en.

[9] OECD (2019), The Path to Becoming a Data-Driven Public Sector, OECD Digital Government Studies, OECD Publishing, Paris, https://doi.org/10.1787/059814a7-en.

[40] Portail des marchés publics du Grand-Duché de Luxembourg (2021), Portail des marchés publics, Détail de la consultation - Référence 2101554, https://pmp.b2g.etat.lu/app.php/consultation/522602 (accessed on 15 June 2022).

[35] Poussing, N. (2021), Résultats de la consultation publique relative aux opportunités et aux défis de l’Intelligence Artificielle, Luxembourg Institute of Socio-Economic Research (LISER), Luxembourg, https://gouvernement.lu/dam-assets/documents/actualites/2021/04-avril/28-bettel-cdp/Rapport-IA6-final.pdf (accessed on 20 October 2021).

[25] Swedish Agency for Digital Government (2021), Ramverk för nationella grunddata inom den offentliga förvaltningen, https://www.digg.se/49049e/globalassets/dokument/utveckling-av-digital-forvaltning/digital-infrastruktur/grunddata_underlag_ramverk_for_nationella_grunddata_inom_den_offentliga_forvaltningen_20210129.pdf.

[28] The Economist (2017), Data is giving rise to a new economy - How is it shaping up?, https://www.economist.com/briefing/2017/05/06/data-is-giving-rise-to-a-new-economy.

[38] The Government of the Grand Duchy of Luxembourg (2022), Guichet.lu - Actualités - Consultez désormais encore plus de sources authentiques dans l’application mobile MyGuichet.lu !, https://guichet.public.lu/fr/actualites/2022/mars/02-sources-authentiques-app.html (accessed on 15 June 2022).

[37] The Government of the Grand Duchy of Luxembourg (2022), MyGuichet.lu, https://guichet.public.lu/fr/myguichet/app-myguichet.html (accessed on 15 June 2022).

[29] The Government of the Grand Duchy of Luxembourg (2022), The AI4GOV initiative, https://gouvernement.lu/en/dossiers.gouv_digitalisation%2Ben%2Bdossiers%2B2021%2BAI4Gov.html (accessed on 15 June 2022).

[47] The Government of the Grand Duchy of Luxembourg (2021), “About us”, Securitymadein.lu, https://securitymadein.lu/agency/ (accessed on 15 June 2022).

[44] The Government of the Grand Duchy of Luxembourg (2021), Agence nationale de la sécurité des systèmes d’information (ANSSI), https://hcpn.gouvernement.lu/fr/service/attributions/missions-nationales/anssi.html (accessed on 15 June 2022).

[49] The Government of the Grand Duchy of Luxembourg (2021), “Centre des technologies de l’information de l’État (CTIE)”, government.lu, https://ctie.gouvernement.lu/.

[21] The Government of the Grand Duchy of Luxembourg (2021), “E-embassies in Luxembourg”, Luxembourg.public.lu, https://luxembourg.public.lu/en/invest/innovation/e-embassies-in-luxembourg.html (accessed on 15 February 2022).

[45] The Government of the Grand Duchy of Luxembourg (2021), “Information security policy”, Gouvernment.lu, https://hcpn.gouvernement.lu/fr/service/attributions/missions-nationales/anssi/politique-securite.html (accessed on 15 June 2022).

[46] The Government of the Grand Duchy of Luxembourg (2021), Stratégie nationale de cybersécurité IV, https://hcpn.gouvernement.lu/fr/publications/strategie-nationale-cybersecurite-4/strategie-nationale-cybersecurite-4.html (accessed on 15 June 2022).

[23] The Government of the Grand Duchy of Luxembourg (2021), The CTIE, The Government IT Centre (CTIE), https://ctie.gouvernement.lu/en/l-administration.html (accessed on 15 June 2022).

[41] The Government of the Grand Duchy of Luxembourg (2021), Trust My Data, https://govtechlab.public.lu/en/call-solution/2021/trust-my-data.html (accessed on 22 August 2022).

[42] The Government of the Grand Duchy of Luxembourg (2021), Trust my data: Issuance of a verifiable digital certificate in a wallet - Case of the Luxembourg residence certificate, https://pmp.b2g.etat.lu/app.php/consultation/522602 (accessed on 22 August 2022).

[30] The Government of the Grand Duchy of Luxembourg (2019), Artificial Intelligence: A strategic vision for Luxembourg, https://gouvernement.lu/dam-assets/fr/publications/rapport-etude-analyse/minist-digitalisation/Artificial-Intelligence-a-strategic-vision-for-Luxembourg.pdf (accessed on 15 June 2022).

[19] The Government of the Grand Duchy of Luxembourg (2019), Cadre national d’interopérabilité, http://digital.gouvernement.lu/en/publications/document-de-reference/NIF-2019/NIF-2019.html (accessed on 21 October 2021).

[16] The Government of the Grand Duchy of Luxembourg (2018), “Grand-Ducal decree of 5 December 2018 establishing the Ministries”, Official Journal of Grand Duchy of Luxembourg, http://data.legilux.public.lu/eli/etat/adm/agd/2018/12/05/b3633/jo (accessed on 15 June 2022).

[17] The Government of the Grand Duchy of Luxembourg (2009), “Loi du 20 avril 2009 portant création du Centre des technologies de l’information de l’Etat”, Official Journal of the Grand Duchy of Luxembourg, https://legilux.public.lu/eli/etat/leg/loi/2009/04/20/n2/jo (accessed on 15 June 2022).

[2] ThinkAutomation (n.d.), The History of Data, https://www.thinkautomation.com/histories/the-history-of-data/ (accessed on 15 June 2022).

[34] Vinuesa, R. et al. (2020), The role of artificial intelligence in achieving the Sustainable Development Goals, Nat Commun 11, https://doi.org/10.1038/s41467-019-14108-y.

[1] World Economic Forum (2015), A brief history of big data everyone should read, https://www.weforum.org/agenda/2015/02/a-brief-history-of-big-data-everyone-should-read/ (accessed on 15 June 2022).


← 1. 41.03% of surveyed ministries and administrations replied either “Agree” or “Strongly agree” to the statement “There is clear policy guidance on the governance and use of data.”

← 2. To the question “Does your ministry/administration have a dedicated formal strategy or policy in place for the strategic management of data in your ministry/administration?” 46% of ministries and administrations responded “No”, whereas 26.64% responded “No, but we are working on it.”

← 3. The study considered AI as “any software technology with at least one of the following capabilities: perception—including audio, visual, textual, and tactile (e.g. face recognition), decision-making (e.g. medical diagnosis systems), prediction (e.g. weather forecast), automatic knowledge extraction and pattern recognition from data (e.g. discovery of fake news circles in social media), interactive communication (e.g. social robots or chat bots), and logical reasoning (e.g. theory development from premises). This view encompasses a large variety of subfields, including machine learning.”

Metadata, Legal and Rights

This document, as well as any data and map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area. Extracts from publications may be subject to additional disclaimers, which are set out in the complete version of the publication, available at the link provided.

© OECD 2022

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at https://www.oecd.org/termsandconditions.