bcgov / Technology-Code-of-Practice

A DRAFT set of criteria to help government design, build and buy better technology.


Technology Code of Practice

The BC Technology Code of Practice, being developed pursuant to BC's Digital Framework and the priority actions therein, is a DRAFT set of criteria to help the BC Government design, build, and buy better technology. The Code is envisioned to be used as a cross-government agreed standard in government's new technology funding review process.

The Code as it exists below is an alpha (https://developer.gov.bc.ca/Agile-Delivery-Journey/Alpha), modelled after exemplars from leading jurisdictions, being developed at the direction of central government. The intent is for this Alpha Code to be socialized and iterated with the BCGov digital community, ultimately coming to form a co-created Practice that is uniformly adopted and followed from the start of any BC Government technology program, project or product development.

The Technology Code of Practice in Context

This Code is envisioned to be part of an interconnected set of guidance and standards for all BC Public Service employees and partners engaged in applying the culture, processes, business models and technology of the digital era to meet the needs and expectations of the people of British Columbia - that is to say, the Digital BC community:

It is envisioned that this Code will eventually reside as a GitHub repository at https://github.com/bcgov/ and online as part of https://digital.gov.bc.ca/. The content has been borrowed heavily - with gratitude - from the UK's Technology Code of Practice (https://www.gov.uk/government/publications/technology-code-of-practice/technology-code-of-practice).

The purpose of the Technology Code of Practice

Following the Technology Code of Practice will help you gain approval and support for technology spending. It will also help you introduce technology that:

  • meets user needs, based on research with your users
  • can be shared across government
  • is easily maintained
  • scales for future use
  • is less dependent on single third-party suppliers
  • provides better value for money

The Technology Code of Practice contains guidance and case studies to help you migrate from legacy infrastructure and manage the full lifecycle of your technology. More guidance and case studies will continue to be added.

Using the Technology Code of Practice

You should use the Technology Code of Practice for all of your technology initiatives. If your initiative needs funding approval, you should contact the OCIO's Digital Support Team as soon as possible. The team will guide you through the approvals process, which can provide you with greater confidence that your spend request will be approved.

All points of the Technology Code of Practice must be considered. Where legacy technology limits your ability to adhere to the standard, this must be explained as part of the digital investment process. The Standards Assurance team consider individual circumstances for each application.

The Technology Code of Practice

(Individual Code items are set out in greater detail below.)

0. Meet the Digital Service Standard

If you are building a digital service, make sure you meet the Digital Service Standard.

1. Describe user needs informed by ongoing research

Describe your ongoing user research, your understanding of user needs and what that means for your technology project or program.

2. Make things accessible

Make sure your technology, infrastructure and systems are accessible for users, regardless of region, device, or channel.

3. Follow latest guidance to integrate and adapt technology

Your technology should adapt to future demands and work with existing technologies, processes and infrastructure in your organization.

4. Reuse existing solutions and work in the open

Improve efficiency, promote collaboration, and reduce duplication by reusing existing solutions and working in the open.

5. Make use of open standards

Build technology that uses open standards to ensure your technology works and communicates with other technology, and is easily upgraded and expanded.

6. Use cloud intelligently

Use public cloud intelligently as stated in the government’s cloud policy. [Note: Adapted from the UK's "cloud first" practice and policy.]

7. Make things secure

Keep systems and data safe with the appropriate level of security.

8. Make privacy integral

Make sure citizens’ rights are protected by integrating privacy as an essential part of your system.

9. Make better use of data

Consider how to minimize data collection and reuse data to avoid duplication of datasets.

10. Define your purchasing strategy

Your purchasing strategy must show you’ve considered commercial and technology aspects, and contractual limitations.

The Technology Code of Practice (Detailed)

0. Meet the Digital Service Standard

If you are building a digital service, make sure you meet the Digital Service Standard.

1. Describe user needs informed by ongoing research

Describe your ongoing user research, your understanding of user needs and what that means for your technology project or program.

To meet point 1 of the Technology Code of Practice you must show you understand your users and their needs.

You’ll have to explain how you’re doing this as part of the digital investment process.

How user research will help your initiative

Doing user research will help your technology initiative by identifying:

● how your users define value
● any risks to introducing or changing the technology
● the skills needed to deliver, use and manage the technology
● the technologies that service support teams will need for their end users
● the commercial and operational needs; for example, the need to decommission an obsolete mainframe in order to create a more resilient data and service tier

User research can also:
● make sure that services such as online office suites, network shares, project management software and HR suites really do meet your users’ needs
● support internal agreement of what you want the technology to help you achieve

Related guides

● [Service Design in the BC Public Service] (https://www2.gov.bc.ca/gov/content/governments/services-for-government/service-experience-digital-delivery/service-design/service-design-in-the-bc-public-service)
● [Citizen Engagement Handbook] (https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/service-experience-digital-delivery/citizen-engagement/full_citizen_engagement_handbook.pdf)
● [GBA+] (https://cfc-swc.gc.ca/gba-acs/index-en.html)
● ‘Understand users and their needs’ from the BC Service Standard for initiatives that include the creation of a service

Find out more about:
● user research
● service assessments
● assisted digital support

2. Make things accessible

Make sure your technology, infrastructure and systems are accessible for users, regardless of region, device, or channel.

To meet point 2 of the Technology Code of Practice your plan or design must show how you’re making technology inclusive.

You’ll have to explain how you’re doing this as part of the digital investment process.

How making things accessible will help your initiative

Your technology initiative will benefit from:

● Making your technology work for as many users as possible
● Being assured that all staff members on your team will be able to easily access the information and infrastructure needed to do their work including services such as online office suites, network shares, project management software and HR suites
● Being assured that there will be no barrier to employing people with specific access needs

How to make your technology accessible

Your research must include users with a range of abilities. Make sure your technology and systems can be used by a diverse set of users by:

● Meeting the requirements and following the accessibility and inclusion guidance set out in the service manual
● Involving users with a range of impairments in user testing as you develop your services and systems
● Knowing the range of devices and software that need to work with your technology
● Enabling access to services through a range of web browsers and ensuring compatibility with assistive technologies and a range of end user devices

Related Guides

● Accessible Government Toolkit (https://www2.gov.bc.ca/gov/content/home/accessible-government)
● Meeting the accessibility standard
● Meeting compatibility with assistive technologies

3. Follow latest guidance to integrate and adapt technology

Your technology should adapt to future demands and work with existing technologies, processes and infrastructure in your organization.

To meet point 3 of the Technology Code of Practice your plan or design must show how your technology initiative integrates into your organization.

You’ll have to explain how you’re doing this as part of the digital investment process.

How integration helps your initiative

Good integration means making sure your new technology works with legacy solutions without limiting your ability to adapt to future demands or upgrade systems.

Your initiative will benefit from:

● Less risk to your infrastructure as integration planning will discover compatibility gaps in the new technology
● Less downtime on your regular processes when you upgrade or amend them
● Systems which enforce built-in redundancy of services, minimizing single points of failure
● Lower long-term support costs

Fitting new technology into your organization

Each organization’s technology and infrastructure will have services and issues that are unique. There are some common elements to consider when fitting new technology into your current or legacy system, including:

● How different aspects of your organization’s IT operating model come together, including business areas such as processes, governance, service support and service delivery
● How the new technology will work with your service management
● What skills and capabilities your organization needs to deliver, support and continuously improve the new technology you’ll purchase

To optimize systems integration consider:

● Adopting a continuous integration model so you can solve smaller issues iteratively (this is generally easier and cheaper than waiting to test everything at the end of an initiative)
● Designing your system using independently developed components that can easily work together
● Building a system architecture early in the program to describe your current or future system and mapping hardware and software components
● Defining a configuration management process
● Doing component-level testing to make sure integration is possible
● Doing regular integration and stress testing to track progress and make sure the system remains robust

If you have chosen to use a systems integrator you should make sure they meet all of your requirements.

When managing system processes and service management integration aim to:

● Define the governance, processes, tools and information required to meet business needs and user needs
● Map and track the interdependencies between the infrastructure and the services running on it
● Provide support to the infrastructure and make sure you have the flexibility to add hardware and software
● Be flexible so that processes can incorporate legacy and new infrastructure, including the use of cloud services
● Understand the probable lifespan of your technologies (being aware of expiry and renewal timings) and create a roadmap showing your plan for retiring legacy systems

System integration is important for the overall network performance and for considering your organization’s service management.

Service management depends on how your current infrastructure is managed, what new technology is being integrated and what the longer-term business objectives are for IT in the organization.

Related Guides

[Placeholder]

4. Reuse existing solutions and work in the open

Improve efficiency, promote collaboration, and reduce duplication by reusing existing solutions and working in the open.

To meet point 4 of the Technology Code of Practice your plan or design must show that you have considered reusing existing solutions, including BC government and open source solutions, and that you have considered publishing your code openly and sharing your technology.

How you can reuse and share solutions

There are several technology resources and common government platforms available to all government organizations.

Communities

There are 4 cross-government technology communities that discuss the latest thinking on services. You can apply to join through the Service Manual. [UK exemplars left in place for BC guidance]

● Technology community (backend development)
● Technology community (frontend development)
● Technology community (technical architecture)
● Technology community (web operations)

Government platforms

Consider using common government platforms and services where appropriate. These include: [UK exemplars left in place for BC guidance]

● GOV.UK Notify for user notifications [In-development in BC]
● GOV.UK Pay for payments [PayBC?]
● GOV.UK Platform as a Service for hosting [OCP?]
● GOV.UK Verify for secure identity assurance [BC Services Card?]
● performance dashboards for Services data [GDX Analytics?]
● registers to access and use current and accurate data
● guidance on how to choose and implement common technology services

Common technology

Common technology guides and services include:

[UK exemplars left in for BC guidance]

Secure email
● Email security standards
● Securing government email
● Set up government email services securely
● Protect domains that don’t send email

Networks and GovWifi
● Sharing workplace wireless networks
● Sharing wide area network connections in shared buildings
● GovWifi
● Set up GovWifi on your infrastructure
● Set up managed end user devices to automatically connect to GovWifi
● Connect to GovWifi
● Terms and conditions for connecting to GovWifi

Public Services Network
● Introducing the UK public sector DNS

Government code for reuse

Government publishes code openly in several places including GitHub. Some of the repositories in GitHub include:

● MOJ’s repository of services on their platform, for example, the postcode lookup. Find out more about their platform and some of their services or contact them at platforms@digital.justice.gov.uk
● the Home Office repository which includes useful forms for reuse
● GDS' repository contains their source code
● DEFRA’s repository
● GCHQ’s repository that includes their platform for data storage, processing and analysis

Aggregation opportunities

Crown Commercial Service provides information about current and future opportunities to aggregate buying requirements when purchasing technology.

How open source differs from open standards

Open source is a way of developing and distributing software. The code is often written collaboratively, and it can be downloaded, used and changed by anyone.

Open standards are a set of rules designed to do a specific job in technology. They are also designed collaboratively and free to use. Open standards allow open source and closed source (proprietary) software to work together.

Using open source

The following questions are some of the points to consider when choosing technology and evaluating whether you want a proprietary or open source solution:

  1. Does the solution do what you need it to do?
  2. Does the solution meet the needs of your end users?
  3. What are the solution’s initial and ongoing costs?
  4. Will the staff need training or will expert users need to be employed to manage the solution?
  5. If the solution is open source, how widely is the code already adopted? How mature is it?
  6. Does the solution offer the level of support needed?
  7. How well is the solution maintained and is there evidence of further development?
  8. How reliable is the solution? This is hard to measure, but one way is to assess it by looking at its maturity.
  9. How well does the solution perform? Can you analyse performance data or reviews?
  10. How well will the solution scale to meet your needs?
  11. Does the solution’s security meet your needs and does it have regular security patches?
  12. Is the solution flexible? You can customize the solution to fully meet your needs but be aware this can make future updates and security patches hard to implement.
  13. Will the solution work with your other technology?
  14. Is the solution’s licence acceptable to your organization’s business requirements? Are there any restrictions or gaps that would cause issues?
  15. Is the solution’s warranty acceptable and is there an option to buy one?

How being open will help your initiative

Publishing your code and data from the beginning of your technology initiative will encourage:

● Clearer documentation, making it easier for your team to maintain the code, track changes to it and for other people to use it
● Cleaner and well-structured code that is easier to maintain
● Clarity around data that needs to remain protected and how that’s achieved
● Suggestions about how the code can be improved or where security can be improved

Sharing solutions from your initiative

When building a solution consider that others may want to use it in the future. It’s easier and cheaper to build this possibility in at the start than at the end. Consider the general application, not just your own departmental application, of the specific problem you are solving. Other initiatives can benefit if you share a solution to a common problem.

Related guides and sources

● [Common components]
● [Todd Wilson 2014 Open Source Standard, if it is current]

5. Make use of open standards

Build technology that uses open standards to ensure your technology works and communicates with other technology, and is easily upgraded and expanded.

To meet point 5 of the Technology Code of Practice your plan or design must show you are using or have considered using open standards and data. You must make your technology initiative as interoperable as possible.

You’ll have to explain how you’re doing this as part of the digital investment process.

How open source differs from open standards

Open source is a way of developing and distributing software. The code is often written collaboratively, and it can be downloaded, used and changed by anyone. Open standards are a set of rules designed to do a specific job in technology. They are also designed collaboratively and free to use. Open standards allow open source and closed source (proprietary) software to work together.

How open standards help your initiative

Open standards can be used when designing individual elements of the solution.

Using open standards means you:

● Save time and money by reusing things that are already available
● Increase compatibility with all stakeholders
● Potentially open up the range of companies you can purchase from as more of them are likely to use the same standard as you
● Can move between different technologies when you need to and don’t get locked into contracts

Build interoperability into your initiative.

Build flexibility into your technology by:

● Using open standards, complying with any that are compulsory for use in government, unless you’ve been granted an exemption
● Being clear what data your systems will hold, and which identifiers are in place to make sure the data can be used effectively
● Avoiding the duplication of data, and being very clear about their approved source
● Using RESTful APIs for integration where possible
● Publishing your APIs on the [BC Government API Registry] (https://catalogue.data.gov.bc.ca/group/bc-government-api-registry) to make them reusable

Related guides

● [API Guidelines] (https://devhub-static-test-devhub-test.pathfinder.gov.bc.ca/Data-and-APIs/BC-Government-API-Guidelines?intention=LOGIN#error=login_required)
● [API Registry] (https://catalogue.data.gov.bc.ca/group/bc-government-api-registry)

6. Use cloud intelligently

Use public cloud intelligently as stated in the government’s cloud policy.

To meet point 6 of the Technology Code of Practice your plan or design must show you have considered using the public cloud as stated in the government’s cloud policy.

You’ll have to explain how you’re meeting point 6 as part of the digital investment process or any limitations you’ve encountered that prevented you from achieving this.

Summary description of cloud computing

Cloud computing is a way of storing and retrieving data and software over the internet. The 3 main service areas are:

● Software-as-a-service (SaaS), which is the use of applications over the internet
● Platform-as-a-service (PaaS), which provides the platform for developing, testing and deploying your applications over the internet
● Infrastructure-as-a-service (IaaS), which provides the physical technology infrastructure/network virtually over the internet without the need for you to buy your own hardware

How considering cloud will help your initiative

You can benefit from adopting an intelligent cloud approach because:

● You can avoid upfront investments in your infrastructure, reducing overall costs
● There’s greater flexibility to trial new services or make changes, with minimal cost
● Pricing models are scaleable - instead of building for the maximum usage you buy for less usage and increase or decrease as appropriate
● It will be easier to meet the [Greening Government Commitments] - cloud facilities typically try to use server space and power in the most efficient way possible
● Upgrades and security patches can be applied continuously

For greater detail on the benefits of using cloud you can read the blog posts on ‘Why we use the cloud: security and efficiency’ and ‘Why we use the cloud: supporting services’.

Following the cloud policy

Follow the cloud policy by:

● Evaluating potential public cloud services before you consider alternatives such as BC On-Prem Hosting, which is a data centre available for all of government, and BC Private Cloud, which is an on-premise container hosting service
● Demonstrating your chosen service represents the best value for money if selecting an alternative to public cloud - you must also show you’ve allowed for flexibility by being able to change the system and reduce costs over time

Related guides

● BC On-Prem Hosting [placeholder]
● [BC Private Cloud] (https://developer.gov.bc.ca/Getting-Started-on-the-DevOps-Platform/BC-Government-OpenShift-Container-Platform-Service-Definition)

7. Make things secure

Keep systems and data safe with the appropriate level of security.

To meet point 7 of the Technology Code of Practice your plan or design must show how you are securing data and systems.

You’ll have to explain how you’re doing this as part of the digital investment process.

Build security in from the start of your initiative

Include security at the start of the project. Have your team involved in making each element secure, from the start, instead of your security experts adding technical countermeasures to a finished product.

Training users and having clear processes are important for security, as is doing realistic threat assessments and taking a balanced approach to managing risk.

Plan how to deny, and quickly recover from, malicious access. Make sure you have processes in place to record information about any attacks and use this data to improve defences.

How to secure your technology

Choose the appropriate level of security for your technology initiative. Consider the risks and have processes in place to mitigate against them and improve time to recovery.

You can protect your data and infrastructure by:

● Following the principles set out in the [Information Security Policy and Guidelines] (https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/information-security-policy-and-guidelines) and [Information Security Classification Standard] (https://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/information-security/information-security-classification)

Related guides

[placeholder]

8. Make privacy integral

Make sure citizens’ rights are protected by integrating privacy as an essential part of your system.

To meet point 8 of the Technology Code of Practice your plan or design must show how you are considering privacy by design.

You’ll have to explain how you’re doing this as part of the digital investment process.

How privacy by design will help your initiative

Your technology initiative will benefit from:

● Being proactive about privacy and reducing the risks of data theft
● Identifying potential privacy issues earlier when they are easier and cheaper to solve
● Better awareness of privacy issues across the organization
● Adherence to legal privacy requirements

How to embed privacy by design

[placeholder]

Related guides

● [BC Guide to Good Privacy Practices] (https://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/privacy/good-privacy-practices)
● [BC Freedom of Information and Protection of Privacy Act] (https://www.bclaws.ca/civix/document/id/complete/statreg/96165_00)

9. Make better use of data

Consider how to minimize data collection and reuse data to avoid duplication of datasets.

To meet point 9 of the Technology Code of Practice your plans must show you’ve considered minimizing data collection and duplication.

You’ll have to explain how you’re meeting point 9 as part of the digital investment process or any limitations you’ve encountered that prevented you from achieving this.

How minimizing data collection and duplication will help your initiative

Minimizing data collection and duplication will mean your project benefits from:

● Adhering to the [BC Digital Framework] (https://digital.gov.bc.ca/digital-transformation/)
● Saving time and money by reusing open data that is already available
● Infrastructure and services that contain consistent information
● Giving your users a more consistent experience when using government services online, which builds trust
● Potentially reducing unnecessary new demands for data storage

How your initiative can make better use of data.

When using data your obligations include:

● Making your data open by default, following Open Data principles when publishing data
● Making sure users of transactional services have access to data held about them - the service should clearly communicate how data will be used
● Following the [UK] Information Commissioner’s Code of Practice for data sharing
● Conducting a Privacy Impact Assessment in line with the [UK] ICO Code of Practice when using personal data
● Anonymising personal data in accordance with the [UK] ICO Code of Practice for anonymisation
● Considering ethical issues around using data, and assessing these according to the principles of the [UK] Data Science Ethical Framework
● Holding data securely and for specified purposes, in accordance with point 7 in the Service Standard

To make better use of data consider:

● Making sure newly collected data can be made easily accessible to APIs for future use
● Minimizing the amount of data shared for achieving a specific purpose (large amounts of personal information should not be shared or copied unnecessarily)
● Using common standards and patterns to ensure data can be easily analysed, and where appropriate, shared with other departments
● Understanding best practices for collecting, storing, analysing and sharing data from other departments, other governments and other sectors
● Keeping data for only as long as necessary, and securely deleting the data when it’s no longer needed

Related guides

[placeholder]

10. Define your purchasing strategy

Your purchasing strategy must show you have considered commercial and technology aspects, and contractual limitations.

To meet point 10 of the Technology Code of Practice your plan or design must show your sourcing strategy and how your contracts meet government rules and guidelines.

You’ll have to explain how you’re doing this as part of the digital investment process.

How defining your purchasing strategy will help your initiative

Your technology initiative will benefit from:

● Competitive and innovative commercial products and opportunities
● Long-term financial savings
● Improved supplier negotiations
● A commercial approach that supports the disaggregation of contracts
● Managing contract exits successfully, making sure the exiting supplier passes over any relevant knowledge and capabilities
● Help with the transition to the cloud, commodity and common technology services
● Shorter, more manageable contracts with a streamlined renewal process
● A clearer view of contract status, risks and issues

Commercial approach

Your sourcing strategy must demonstrate that you have a thorough understanding of the commercial undertakings required to deliver, use and manage your initiative. You should plan how to manage multiple suppliers, where that structure is appropriate for the organization’s operating model, and when they're working as part of the same delivery teams. This includes:

● Routinely challenging your sourcing strategies to consider whether your requirements can be simplified or broken up to allow for greater competition in the marketplace, including by small and medium-sized enterprises.
● Using value chain mapping to help identify the products and their components you need, and whether it would be better to build or buy depending on their maturity as a product
● Moving from large contracts with a single supplier to multiple suppliers where there’s an operational and value for money justification
● Understanding where and how you’ve disaggregated the technology that underpins your initiative and the contracts that supply the technology
● Considering what skills and capabilities your organization needs to deliver and support the product or service you’ll purchase
● Using a sourcing model that fits your services, and works in your organization’s specific circumstances

Technology considerations

Your sourcing strategy must consider technology approaches that will encourage the future use of your product or service, including:

● Breaking up services in line with industry best practices including using a lean sourcing approach, pre-procurement market engagement and being as open as possible
● Where you use off-the-shelf products and services, avoiding customizations that stop you from maintaining, upgrading or removing these products and services in future
● Complying with the [UK] Greening Government Commitments to reduce your organization’s environmental impact

Use common government sourcing routes

Find appropriate services and suppliers to avoid lengthy and expensive procurement processes. Work with your departmental commercial team to understand which route is most appropriate. Use approved sourcing routes including:

● The [in-development in BC] Digital Marketplace for technology or people for digital projects

Follow government contractual rules and guidelines

Contracts must [UK data left in, to be updated with BC guidance]:

● Not be over £100 million in value – unless there’s an exceptional reason
● Be explicit about the ownership of government data, including data created through the operation of the service
● Be explicit about the ownership of intellectual property involved in the delivery of a technology service (including software code and the business rules that process information between user interfaces and stored data)

Contracts should:

● Where economic, include a break clause at a maximum of 2 years which allows you to terminate the contract with minimal exit costs
● Ensure competition from the widest possible range of suppliers using smaller contracts where they improve value
● Include usage-based billing models where appropriate and where this represents best value for money
● Address the need for continuous improvement, maintaining market competitiveness and flexibility to meet changing requirements

Remember that:

● You can use the CCS technology category framework agreements which have pre-defined terms and conditions
● Suppliers must not provide either systems integration, service integration or service management services at the same time as providing a component service within that system
● You cannot automatically extend contracts unless there are extenuating circumstances
● You should align contract duration to current best practices for the product or service in question

Related guides

[placeholder]


License:Other