Digital Code of Practice

Public products and services should be impactful, responsive and equitable.

Why it matters

Good products and services build public trust, which is essential for government to function. Public servants and their partners have a shared responsibility to:

• use resources wisely to benefit people who live in Nova Scotia
• choose products and services that address the technical, policy and service problems we are trying to solve
• provide products and services that uphold public service ethics and values
• make decisions that are fair, data-driven and well-documented

How to apply the Code in Practice

• State the policy, service or operational problem you’re trying to solve. Include your intended outcomes (like specific changes or impacts) in ways that are:
  • easily understood by anyone, regardless of their technical background
  • connected to larger government priorities, goals and plans
  • adjustable as new information emerges
  • measurable
• Choose meaningful outcomes and performance indicators (like the impacts your product or service has on users, or improving service delivery and experiences).
• Do user research and usability testing to understand how people experience your product or service. Use your findings to improve your product or service.
• Gather metrics for your product or service (like transaction volume, user satisfaction rates, uptime and error rates) to make decisions about how to improve your product or service.
• Continuously improve your product or service based on measurement results, user feedback and emerging best practices.
• Document important design and delivery decisions.
• Share your performance and learning with the public and other partners to build trust and encourage participation in your work.

Designing and delivering impactful internal and public-facing services is powered by multidisciplinary delivery teams and those who support them.

Why it matters

Setting up and supporting your team for success will enable you to apply the Digital Code of Practice in integrated and holistic ways.

Successful product and service delivery teams:

• include people with diverse skillsets and backgrounds to ensure capability and inclusiveness
• have the resources they need to build services properly, maintain them on an ongoing basis and attract the best talent in the industry
• get support from executive leaders and supervisors who value new ways of working and collaborating across organizational and functional boundaries
• have permanent public servants as core delivery team members, with access to support from external contractors
• can access guidance, tools and infrastructure to help them design, build and buy digital products and services in responsible and effective ways

How to apply the Code in Practice

Fund and set up multidisciplinary delivery teams for success

• Assign a dedicated service owner with the authority to make decisions about your product or service, communicate and monitor its goals and outcomes, and mobilize the people and resources to build it.
• Assign a product manager who establishes product-level priorities and aligns your delivery team and stakeholders on:
  • why you’re developing the digital product or service (for example, to meet a defined policy objective)
  • who the product or service is being built for (for example, audience and their user needs)
  • how you’re developing, building and maintaining the product or service in a continuous way (like a roadmap)
• Establish a core delivery team (may be a combination of public servants and contractors) with enough technical knowledge to build and maintain the product’s or service’s entire technology stack.
• Have service design expertise on the core delivery team (public servants or contractors).
• Engage subject matter experts for specialized data, security, privacy, policy, legal and technical advice and support.
• Get early and continuous input from operational and business areas that implement and maintain the product or service, including non-digital service delivery staff.
• Collaborate widely, share your work and benefit from lessons learned by teams in Nova Scotia, other governments and the non-profit and private sectors.

Empower teams with strong digital leadership

• Plan and resource teams sustainably, knowing that the product or service needs maintenance and continuous improvement (it’s not a point-in-time project).
• Structure delivery teams with minimal hierarchy so everyone respects each other and listens to their opinions.
• Track progress towards outcomes and allow for course adjustments and delivery in stages rather than making decisions based on untested assumptions.
• Give teams the flexibility to adjust their resourcing and fill gaps quickly as their needs change.
• Find ways that multiple delivery teams can support each other and share resources.
• Promote and develop digital literacy and skills at all levels, including at the leadership level.
• Create a culture that values diversity, inclusion, innovation, experimentation, collaboration and learning.
• Reduce barriers to diversity by ensuring workplace and hiring practices are accessible and inclusive.
• Prioritize competitive pay, rewarding career paths and meaningful work to attract and keep the best digital talent available.

Make the best use of external contractors

• When possible, build your team on a strong foundation of permanent public servants before adding support from contractors.
• Plan ahead to create right-sized and ongoing product teams of public servants and contractors that can support products and services during their entire lifecycle.
• Make sure that public servants fill roles that lead and oversee service delivery and make important decisions, like service owners, so there’s leadership and expertise within government to maintain and improve products, services and systems.

The most important goal of a digital product or service is to meet the needs of all the people who use it.

Why it matters

Designing with the people who use your product or service helps inform and identify:

• who the users of your product or service are
• what users need
• how users’ needs can vary based on where they live or work, or how they interact with the product or service
• opportunities to provide value and improvements to the product or service
• risks or ways the product or service could create harm
• specific people, processes and technology that will power the product or service
• opportunities to leverage existing technology by investigating other products and services used for similar purposes

Diverse teams need to:

• work closely with the communities and people who use the product or service
• conduct user research and accessibility testing throughout the lifecycle of the product or service
• use human-centred and collaborative design practices to meet the needs of a wide range of people and communities
• provide equitable access to everyone who might use the product or service, no matter their abilities, background, device or level of connectivity
• join up related products and services and provide ways for people to get access to them as an integrated service experience

How to apply the Code in Practice

• Conduct user research to understand the needs, pain points and preferences of the people who will use a product or service.
• Work with diverse communities, including talent and users, to make sure empathy and inclusivity are included in the design process.
• Map end-to-end experiences using tools and techniques (like journey maps and service blueprints) to identify opportunities for improvement.
• Gather and incorporate feedback at each stage of the design and development process to identify areas where you can improve the user experience.
• Design an end-to-end experience, making sure there is consistency and continuity across all touchpoints (including digital, physical and human interactions).
• Conduct accessibility testing and follow accessibility guidelines to make sure the product or service is usable by individuals with diverse abilities and needs (see code 4).
• Regularly review and update the product or service based on user feedback and changing needs.

Designing for inclusion and accessibility means removing barriers that prevent people from fully accessing and using government’s products and services.

Why it matters

Making your product or service accessible means that it provides the best possible experience for all who need it. Inclusion means making sure everyone can access digital information, products and services.

Include a wide variety of people in the product and service design process. This helps you understand how people with different needs or abilities might use your service. You’ll also see what barriers they might face and how you can improve their experience.

Designing and delivering inclusive and accessible products and services:

• helps your products and services work for as many users as possible
• provides equal access to everyone who might use your product or service
• makes sure that people can easily access the information, tools and infrastructure needed to do their work
• provides options for people to get access
• makes sure there is no barrier to employing people with specific accessibility needs

How to apply the Code in Practice

• Follow requirements and guidelines in the Nova Scotia Accessibility Act, Web Content Accessibility Guidelines (WCAG), and government’s minimum web and accessibility requirements.
• Make accessibility and inclusion part of every team member’s role in the design process.
• Involve people with diverse perspectives, abilities and needs in user research and usability testing.
• If you provide your product or service in additional languages, test with users in those languages.
• Review and test any automations or algorithms to remove bias or impact to underrepresented or marginalized groups.
• Know the range of devices and software that need to work with your product or service.
• Provide access to the product or service through a range of web browsers and make sure the product or service is compatible with assistive technologies and a range of end-user devices.
• Provide a way for people using the product or service to report barriers. Then work to remove those barriers.
• Have a process to test new features, identify barriers, or major changes with people with disabilities. Then fix any issues.
• Consider the physical accessibility of spaces and or server rooms.

Designing for adaptability and connectivity means considering the capacity, conditions and interconnected technology and systems that support your product or service. It also means thinking about how they’ll operate together and how you’ll sustain them.

Why it matters

Designing for adaptability and connectivity will help you consider the government digital ecosystem that enables your product or service. This includes how:

• your product or service works within the existing ecosystem
• your product or service impacts people, your colleagues and partners
• you make your product or service sustainable to fund and maintain (for example, by not getting locked into certain vendors or technologies)
• you design your product or service to integrate and communicate easily with other systems
• you apply reusable and cloud-based technologies to simplify your work and improve your service delivery and experiences
• you help build reusable technologies that benefit the entire ecosystem

Building a cohesive digital ecosystem improves how government’s digital products and services work together. This allows people to access products and services without noticeable barriers. It also creates a seamless and consistent user experiences across platforms.

Effective integration can improve the quality and reliability of the information, products and services government provides. It can also be easier to make improvements in response to changing needs and technology.

Considering your public cloud option may be part of your approach. This includes:

• avoiding upfront investments in your infrastructure, which could reduce overall costs
• gaining greater flexibility to trial new products and services or make changes
• taking advantage of scalable pricing models (instead of building for maximum usage, you buy for less usage and increase or decrease as needed)
• using server space and power efficiently
• continuous upgrades and security patches

It’s important to understand your build and buy, as well as your repurposing options. You also need to know what makes sense in your delivery context as it relates to your product or service and user needs.

How to apply the Code in Practice

Explore your build, buy and repurposing options

• Work with digital practitioners to understand needs and context.
• Inform your decision to build, buy, repurpose or use a combined approach to deliver your product or service.
• Decide how to achieve the best value for money.
• If you buy a product or service, develop a purchasing strategy before you buy technology or hire the team needed to develop and deliver it.
• Get support from technical, procurement and legal representatives to help you consider the commercial, service and technology aspects, along with the contractual and legal limitations.
• Use the Digital Code of Practice to inform and structure your Request for Proposals, and inform how you evaluate and select contractors to work with.
• Plan for the capacity and resources required to develop, deliver and maintain the product or service in a continuous way
• Follow appropriate procurement policies and guidelines.
• Document your decision process for building, buying or repurposing technology. Also document the contractors needed to design, develop and continuously deliver your product or service.

Use reusable technologies

• Build your product or service using common government technology platforms.
• Use the Pattern Library to make sure there’s a consistent look and feel and provide seamless interactions with other government products and services.
• Use shared services, like government email, as well as shared infrastructure like government networks, servers and facilities.
• Explore and evaluate open-source solutions, including free, publicly available standards and software, especially if they’re maintained by a strong community of contributors.
• Consider public cloud options as a way of storing and retrieving data and software over the internet on a shared and segregated platform with other users.

Integrate with other products, services or systems

• Get support from the enterprise architecture community, as well as Platform and Infrastructure and Operations teams to help align integration methods and API strategies with organizational goals.
• Design the systems that underpin products and services using modular, independently developed components that can work easily together.
• Prototype a system architecture to guide the iterative development of the system, including hardware and software components.
• Plan for scalability and flexibility to accommodate future integrations and system changes.
• Make sure new digital products and services are compatible with the existing systems they have to integrate with.
• Use open and standard APIs to allow integration with other systems and services.
• Adopt standard data formats and protocols to facilitate data exchange and compatibility.
• Document integration points, API specifications and data models to provide clear guidance for developers who want to integrate with the product or service.
• Establish clear authentication and authorization processes for secure integration with other systems.
• Collaborate with stakeholders and external partners to ensure seamless integration with their systems and services.
• Regularly test integrations to ensure ongoing compatibility and performance.
• Integrate code into GitLab (government’s shared repository), then test and scan builds frequently.

Consider Public Cloud options

• Evaluate potential Public Cloud services before you consider alternatives such as on-premises hosting and NS Private Cloud (an on-premises container hosting service).
• Make sure that you store information in Canada. You can only store information outside of Canada if you meet the exceptions and requirements in government data residency policies and guidelines.
• Make sure your chosen cloud solution has the appropriate level of security in relation to your delivery context and needs.
• Assess the risk of becoming dependent on the products and services from cloud providers (for example, cloud lock-in).
• Manage your cloud lock-in risk and include Termination Transition Services in your contract.

Delivering products and services to meet citizens’ expectations and needs builds trust. It also requires government to manage privacy, security and investment risks as a team.

Why it matters

Government is in the trust business. People expect government to:

• care about their information and data
• provide safe and secure products and services
• use government resources efficiently

When developing and delivering products and services, public servants and teams need to use judgement, make informed decisions and follow guidelines and standards outlined in legislation, regulations, policies, contract language and more.

Managing risk proportionately means being aware of risk as it relates to your product or service. The actions you take to identify and minimize risk should support the context of your product or service (who uses it, why are they using it and how are they using it), the likelihood of risk events happening and the expected impact if they do.

All products and services come with risk. Including risk management in your discovery, development, delivery and use of products and services helps make sure that you and your team are building, buying and using products and services in responsible ways.

Examples of risk in delivering products and services include:

• service risk from a product or service being delayed or not meeting its outcomes
• legal risk from falling short of legal standards or obligations
• reputational risk from actions that harm public trust in the government
• financial risk from a project going over budget
• privacy risk from a loss of users’ personal information
• security risk from a bad actor gaining access to a system or confidential information
• data risk from a loss of data integrity or quality
• operational risk from service interruptions or natural disasters

How to apply the Code in Practice

Plan for product and service risk

Things like delays, cost overruns, scope increases and changes in government priorities can cause negative outcomes. Take steps to reduce the negative impact these events have on your service:

• Comply with laws, government and corporate policies and contract terms that are relevant to your product or service.
• Make sure you have the knowledge, resources and support you need to identify and manage risks throughout the lifecycle of your product or service.
• Identify and map risks to your product or service and prioritize them by their likelihood and impact.
• Identify and prioritize the actions you’ll take to reduce risk. Include them in your product backlog and business continuity plan.
• Continuously monitor your risk environment throughout the lifecycle of your product or service. Make changes to your planning and delivery as needed.

Manage risk collaboratively

• Follow the Digital Code of Practice. A multidisciplinary delivery team will help you design and deliver in responsible and impactful ways. The team can be supported by representatives in cybersecurity, privacy and other disciplines relevant to your product and service.
• Share your work as you design and deliver, and invite feedback from partners and subject matter experts so you understand events that could threaten your product or service.
• Collaborate with other teams and help identify risks they might have missed in their assessments.
• Stay connected with delivery support representatives (like cybersecurity and privacy) during the lifecycle of your product or service. This includes staying connected while monitoring and mitigating risks in a continuous way.
• Document all risk consultations, assessments and decisions at an appropriate level of detail for the risk in the context of your product or service.

A modern government should manage data in a way that builds trust and maximizes its value to the public.

Why it matters

At the very least, government needs to comply with legislation and policy to keep data safe and accessible. The best teams go beyond this by using data to improve product or service quality and enable better decision-making. To help your team maximize the value of data:

• keep privacy in mind throughout the lifecycle of your product or service
• use proactive and preventative privacy protections
• design your product or service to be secure
• plan to manage any security issues throughout its lifecycle
• manage data in a way that maximizes its value by making it easy to find, access, share and reuse
• responsibly use new and emerging technologies (like artificial intelligence)

How to apply the Code in Practice

Integrate privacy into your design and delivery

Privacy protections are crucial to preventing harm to users and keeping trust in government. It’s important to take a proactive and preventative approach to privacy.

• Involve privacy experts from the beginning to help you identify and mitigate privacy risks.
• Know when you are working with personal and other sensitive information, and understand the legislation, policies and practices that protect it.
• Use the Information Security Classification Guidelines to determine the appropriate classification level of your data.
• Complete a Privacy Impact Assessment Checklist to determine if you need a Privacy Impact Assessment for your product or service.
• Begin addressing privacy needs early and throughout the lifecycle of your product and service to minimize harm to users. This includes:
  • building services to protect privacy by default so they don’t need any action from users
  • limiting the collection of personal information to only what is necessary for providing the product or service
  • clearly explaining how you are collecting, using and sharing personal information by providing an easy-to-understand privacy statement written in plain language
  • implementing measures to protect user data, such as encryption and secure storage, both at rest and in transit
  • making sure all third-party service providers that handle user data also meet the required data protection standards
  • establishing and enforcing data retention practices, and deleting data that is no longer needed for the product or service
  • conducting regular privacy impact assessments to evaluate and mitigate potential risks
• Making sure there’s compliance with the Privacy Policy (PDF) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
• Making sure there’s delivery team members and those who support them get privacy training.

Make and keep your product or service secure

Strong cybersecurity practices are an essential part of creating trust in government’s products and services. Design with security in mind from the beginning. And include security experts and stakeholders into the design and development process to help find and address any potential cybersecurity risks and vulnerabilities.

• Follow cybersecurity policies and directives.
• Establish delivery teams with public servants and contractors who understand and take care of their cybersecurity responsibilities.
• Involve cybersecurity experts throughout the lifecycle of your product or service to support your team in identifying, assessing and reducing security threats and risks.
• Make sure vendors are certified and maintain sound cybersecurity practices when buying externally hosted products and services. Confirm that cybersecurity certificates are valid and up to date.
• Make sure delivery teams manage and reduce cybersecurity risks by:
  • implementing strong authentication and authorization controls to prevent unauthorized access and limit access to sensitive data to a need-to-know basis
  • making sure digital products and services are hosted on secure infrastructure with necessary cybersecurity controls to protect against attacks and data breaches
  • using frameworks, template languages, libraries and best practice guidelines, like the Open Web Application Security Project (OWASP) Application Security Verification Standard, to reduce the risk of introducing vulnerabilities in applications
  • creating and maintaining an incident response plan to address and mitigate cybersecurity incidents
  • monitoring and logging activity within the product or service to detect and respond to cybersecurity incidents
  • implementing a secure development lifecycle (SDLC) to integrate cybersecurity measures throughout the development process
  • using multi-factor authentication (MFA) where appropriate to add an extra layer of cybersecurity
  • regularly updating and patching your product or service to fix vulnerabilities and prevent attacks
  • regularly backing up data and ensuring data recovery procedures are in place and tested

Manage data responsibly and effectively

Collect, manage and use data and information in a way that builds trust and maximizes its value to the public. Consider privacy and cybersecurity as you make data and information accessible in safe and responsible ways to help with service delivery improvements and data-informed decision making.

• Take a holistic and integrated approach to information and data management.
  • Involve data management representatives from the beginning and throughout the lifecycle of your product or service to support your team in managing data more responsible and effectively.
• Focus on making data more findable, accessible, interoperable and reusable, including using shared data services like the Information Assets Register and data sharing programs like the Open Data Portal.
• Plan how you will manage and use data for its entire lifecycle, from creation or collection to final disposition.
• Create and collect data using methods that reduce duplication and inefficiency.
• Document your data holdings, your team’s accountabilities for data management and your purpose for creating or collecting data.
• Have practices to assess, maintain and improve the quality of your data so it meets government and user needs.
• Capture appropriate metadata and use interfaces that support data interoperability by making it easy to exchange and reuse.
• Reassess your data management practices over time to build your team’s maturity and ensure legal and policy compliance.

Use artificial intelligence (AI) responsibly

Generative artificial intelligence tools and services present opportunities to better serve Nova Scotians through service enhancements, operational efficiencies and improved decision-making. With appropriate care and consideration, generative AI (Public GenAI) tools can enhance and improve the efficiency of work.

Read and apply the Public Generative AI Acceptable Use Guidelines, which include the following and other important guidance, to ensure the safe and responsible use of Public GenAI for public servants:

• Don’t create an account if the use of a Public GenAI tool doesn’t require an account.
• Only enter information with an Information Security Classification (ISC) of “public” into a Public GenAI tool as input.
• Don’t enter personal or other sensitive information into a Public GenAI system.
• Don’t enter information about the plans of government or public organizations into a Public GenAI system if that information is not yet available in the public domain.
• Consider all Public GenAI system output as incorrect until critically examined, validated and cross-referenced.
  • always treat this output as a suggestion and never as an authoritative source
  • don’t use the output for decision-making or service delivery without first reviewing it for appropriateness and accuracy
  • don’t use the output for automated decision-making
  • don’t use the output in production services, communication tools, official documents or any other use that could expose copyrighted material to the public
• Review code generated by Public GenAI tools for errors and security vulnerabilities.
• Check code generated by Public GenAI tools against another source, like a public code repository, code management systems (like GitHub) or a colleague, before using it in any government codebase or environment, including local, test, development, staging and production.
• Be transparent and include notes to show that you used a Public GenAI tool to produce content (as is or with changes) related to your product or service.

Test, try new ideas and learn through experimentation and continuous improvement.

Why it matters

Change is a constant. Modern product and service delivery methods help teams focus on user needs, flexibility and collaboration. You can minimize risks by helping teams develop, test and continuously improve products and services in small increments rather than launching them via a single, ‘everything-at-once’ release.

Being flexible and engaging the people that use internal and public-facing products and services helps ensure the products and services meet user needs and address issues as early as possible. It reduces the risk of product and service failure. This means you won’t spend time developing a product or service that doesn’t meet user needs or solve the problem it was created to solve.

Maintaining and continuously improving products and services helps ensure that they are responsive to user needs and resilient to policy, technological and operational changes.

How to apply the Code in Practice

• Establish goals and outcomes for your product or service that you can track and make progress towards.
• Consult with experts in modern development methods, like service design, product management, and DevSecOps, to inform how you can set up and support your delivery team for success.
• Allow your multidisciplinary delivery team to make timely design and delivery decisions based on testing and direct feedback from users.
• Use and support delivery methods and practices that suit your context and help your delivery team make progress towards the goals and outcomes early and often.
• Create a backlog with user stories, desired capabilities and related tasks to design and deliver your product or service, and how you plan to prioritize and action them using iteration and learning.
• Create and get feedback on a roadmap for the delivery of your product or service. The roadmap should reflect the delivery phase that you’re in and where you plan to go.
• Deliver a minimum viable product and show your work in progress as early as possible for user feedback, to test assumptions and to make improvements.
• Focus your decision-making on user needs and use insights from usability testing and user engagement to improve your product or service.
• Meet regularly as a team to reflect on your progress and performance.
• Stay current on the latest technologies and development practices and use them to enhance your work.