How to tackle the “monsters” lurking in public sector websites
As a website administrator, you face an increasingly demanding job. It’s not enough to create engaging content, master SEO, and keep your organization’s information up-to-date. On top of that, you also need to comply with the requirements of the Information Management Act, the Digital Services Act, and data protection laws. These “monsters” often end up lurking under the bed because you’re unsure where to even begin.
In this blog, I’ll briefly outline these “monsters” and provide a few tips to help you get started. These guidelines won’t cover everything or guarantee perfection, but a little is better than nothing.
Accessibility
Website accessibility means that as many people as possible, regardless of their abilities, can easily use the service. This includes technically error-free implementation, a clear and understandable user interface, and content that is easy to comprehend.
At a minimum, check the following:
- Visit a random page from your site’s footer menu. Imagine a user lands on this page via Google. Can they understand where they are within the site and what topic the page relates to?
- Ask a colleague to find a guide or page unrelated to their usual tasks. Does the menu make sense? Can they find the page in multiple ways (menu, sitemap, internal search)?
- Can you navigate your site using only the keyboard (tab, space, and enter keys will be your friends here)?
- Test your site on a mobile device.
- Does your site have an accessibility statement?
Additional tips:
- Use Google’s PageSpeed Insights tool for more guidance on improving accessibility, along with other useful information.
- Explore the accessibility guides from Papunet and AVI’s Saavutettavuusvaatimukset.fi website (both in Finnish).
Data security and privacy
Data security is about ensuring the availability, integrity, and confidentiality of the service. Data privacy, on the other hand, refers to using personal data for its intended purposes and minimizing the amount of collected data.
Improving both data security and privacy starts with identifying what data is used and what risks are associated with it, followed by preparing for potential issues.
First steps to improve data security:
- Gather information:
  - What non-public data is stored in your service? For example, feedback, inquiries, or data behind login systems.
  - List all the services connected to your platform, such as the content management system, analytics, chatbot, server capacity, domain management, etc.
  - Collect a list of the companies and contact persons behind the services mentioned above.
  - Gather a list of administrators and user accounts for the services.
- Risk assessment:
  - Do you know all the entities involved with your platform? Do you know who can modify the content?
  - Would a data leak cause any harm?
  - How long can the service be down without significant impact?
  - What if all data in the service is completely or partially lost?
- Get the basics right:
  - Are user accounts only given to the right people, with appropriate access permissions?
  - Do you know who logged into the system and when?
  - Can you view the content’s version history?
  - Do you know where backups are stored, and have you practiced restoring them?
  - Have security updates been installed for your software? Who is responsible for this?
  - How do you receive information about security threats?
- Prepare for the unexpected:
  - What steps should be taken if the service is down for an extended period?
  - How can you restore backups?
  - What if the service needs an emergency shutdown, for example because it starts distributing viruses?
  - How could you switch to an alternative service if things go wrong?
Checklist for improving data privacy:
- Make sure your privacy policy is easily accessible, and that you understand its contents.
- Ensure you aren’t collecting more data than specified in the privacy policy.
- Keep personal data up-to-date, and don’t retain information longer than necessary.
- Are you transferring data outside the EU/EEA?
  - If so, ensure this is mentioned in your policies, and that the transfer mechanisms are covered in your agreements.
  - If not, avoid installing tools like Facebook Pixel or Google Analytics on your site, since they send visitor data to servers outside the EU/EEA.
- If you use cookies that are not strictly necessary for the technical functionality of the service, ensure your cookie policy is on the website, and that it’s as easy to reject cookies as it is to accept them.
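As an added example (my own code, not from this post) of the third-party tool check in the items above: a small Python script that scans a page’s HTML for script, image, iframe and link tags loading known Facebook Pixel or Google Analytics/Tag Manager hosts, and for inline scripts that initialise them. The host list, the inline markers and the sample page are my own assumptions, not taken from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the trackers the post names; each sends visitor data outside the EU/EEA (assumed list).
TRACKER_HOSTS = {"connect.facebook.net": "Facebook Pixel",
                 "www.facebook.com": "Facebook Pixel (image beacon)",
                 "www.google-analytics.com": "Google Analytics",
                 "www.googletagmanager.com": "Google Tag Manager"}
# Markers of the same tools when they are initialised by an inline script.
INLINE_MARKERS = {r"\bfbq\s*\(": "Facebook Pixel (inline init)",
                  r"\bgtag\s*\(": "Google Analytics / Tag Manager (inline init)"}

class TrackerScanner(HTMLParser):
    # Flags script/img/iframe/link tags that load a tracker host, and inline scripts that initialise one.
    def __init__(self):
        super().__init__()
        self.findings, self._in_inline_script = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("href") or ""
        self._in_inline_script = tag == "script" and not src
        if tag not in ("script", "img", "iframe", "link") or not src:
            return
        parsed = urlparse(src)  # handles both https://host/... and //host/...
        host = parsed.hostname or ""
        # www.facebook.com counts only as the /tr pixel beacon, not as a plain link to a page.
        if host in TRACKER_HOSTS and (host != "www.facebook.com" or parsed.path.startswith("/tr")):
            self.findings.append((tag, host, TRACKER_HOSTS[host]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for pattern, name in INLINE_MARKERS.items():
                if re.search(pattern, data):
                    self.findings.append(("script", "inline", name))

def find_trackers(html):
    # Returns a list of (tag, host, tracker name) findings for one page's HTML.
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: tracker script, inline init, pixel beacon, and one harmless Facebook link.
SAMPLE_HTML = """<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());</script>
<script src="/static/site.js"></script></head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000&ev=PageView"></noscript>
<a href="https://www.facebook.com/ourcity">Follow us</a></body></html>"""
```

Run `find_trackers()` on the HTML of each page template (or of a fetched page) and treat every finding as a data transfer that must either be removed or covered by your privacy policy and agreements.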
Remember, achieving perfection is nearly impossible. The key is to make continuous improvements step by step, focusing on what is most relevant and practical.
Would you like to hear more? Get in touch using the form, and I will get back to you shortly.