From principles to practice: OECD E‑Leaders 2025 in Sydney and the road to Government 3.0

Australia recently hosted the E‑Leaders and the OECD Expert Group on Open Government Data for the first time, with around 60 delegates focusing on how digital, data (including open data) and AI can boost productivity, streamline processes and improve outcomes — while squarely addressing implementation, governance and capability gaps. The E‑Leaders community exists to translate the OECD’s digital government standards into practice and to share what works and what doesn’t across jurisdictions.

This focus is urgent. Australia’s cyber threat environment has intensified, with the Australian Signals Directorate (ASD) reporting more than 84,700 cybercrime reports in FY2024–25 (about one every six minutes) and more than 1200 significant incidents responded to — both increases on the prior year. Meanwhile, the Office of the Australian Information Commissioner (OAIC) recorded 1113 notifiable data breaches in 2024 — the highest annual total since the scheme began, with the Australian Government among the most affected sectors.

On the policy front, Australia has taken concrete steps: the Cyber Security Act 2024 introduced ransomware payment reporting and paves the way for IoT security standards, while strengthening incident review and information‑sharing protections. The Data and Digital Government Strategy (DDGS) sets a 2030 vision for simple, secure and connected public services and is now backed by an implementation plan and new whole‑of‑government experience standards. Together, these are the building blocks the E‑Leaders forum will stress‑test and refine — particularly around AI governance and the evidence base for outcomes.

Human‑centred AI with evidence: from principles to measurement

Delegates in Sydney explored how to measure the impact of AI in government — financial and non‑financial — including efficiency, productivity and outcome metrics. The OECD has long argued that robust governance is the difference between digital ‘projects’ and system‑wide transformation, providing a practical governance toolkit in ‘The E‑Leaders Handbook on the Governance of Digital Government’.

Australia’s posture has matured rapidly in the past year. The DTA’s Policy for the Responsible Use of AI in Government became mandatory for non‑corporate entities, setting requirements for accountability and transparency; it is complemented by a technical standard that operationalises AI governance end to end across design, data, training, evaluation, deployment and monitoring. New guidance on public generative AI tools clarifies when and how staff can use public models safely and responsibly — critical in a world where GenAI is embedded in browsers and productivity apps by default.

The measurement challenge is two‑sided: agencies need to show efficiency and productivity gains and prove trust, safety and equity. The DDGS Implementation Plan begins to do this, publishing scorecards and missions (including ‘Trusted and Secure’ and ‘Simple and Seamless Services’) and tracking progress against 2030 outcomes. The OECD’s Government at a Glance 2025 adds comparative indicators across digital, openness and integrity — useful for benchmarking what ‘good’ looks like within a Government 3.0 paradigm.

What to measure next? Beyond output metrics (eg, time saved per case), agencies should link AI use cases to service outcomes already regulated by the Digital Experience Policy (availability, accessibility, inclusion and performance), which phases in across services through 2026. This move aligns measurement with how people actually experience government, not just how systems perform.

Information management that earns trust: open data, identity and interoperability

The E‑Leaders meeting is running in parallel with the OECD’s Expert Group on Open Government Data — a reminder that AI value chains are only as strong as the data governance that underpins them. OECD’s 2023 OURdata Index shows consistent top‑tier performers combine strong strategy with real execution on accessibility and reuse; Australia’s task is to ensure open data and protected data can coexist within a coherent architecture for AI.

Identity is the other keystone. The Digital ID Act 2024 commenced late last year, enabling a regulated, privacy‑preserving, voluntary digital ID ecosystem and opening participation to states and territories now and the private sector by 2026. This matters because secure, reusable identity lets agencies minimise collection, reduce fraud and support phishing‑resistant authentication — addressing leading vectors in OAIC breach data and ASD threat reporting.

Australians are already voting with their thumbs: industry research suggests 73% of people have a myGovID and 91% report positive experiences — indicating that well‑designed identity can lift trust and adoption when safeguarded by law and standards. The DDGS enablers — common architectures, standards and investment oversight — are designed to connect these pieces so AI applications consume managed data from assured sources under consistent controls.

For New Zealand, the E‑Leaders platform complements its own open data and digital policy settings led by the Department of Internal Affairs and reinforces trans‑Tasman alignment on human‑centred, data‑driven government. That alignment is central to Government 3.0: proactive, anticipatory and platform‑enabled public services built on secure data sharing and strong identity foundations.

Cybersecurity you can count on: from Essential Eight to economy‑wide obligations

AI adoption without a commensurate uplift in cyber hygiene is a false economy. ASD’s latest Annual Cyber Threat Report highlights a rise in state‑sponsored activity and persistent ransomware, with the average cost of business cybercrime continuing to escalate. The government’s response mixes capability (eg, REDSPICE) and regulation (the Cyber Security Act package) to harden systems and lift incident transparency.

Three changes from the 2024–25 reforms are particularly relevant for digital leaders:

1. Ransomware and cyber extortion payment reporting within 72 hours creates a clearer national picture of attack patterns and responses.
2. IoT/smart device security standards will lift the floor on consumer and enterprise devices that increasingly sit at the public sector edge.
3. A Cyber Incident Review Board modelled on the US approach will extract system lessons from major incidents without blame, feeding continuous improvement.

These fit alongside established guidance — Essential Eight, PSPF, SOCI — and ASD’s current call to action: log well, replace legacy, manage third‑party risk, and prepare for post‑quantum cryptography. For AI systems, that means treating models and data pipelines as critical assets, ensuring model provenance, supply‑chain assurance, robust logging for inference and training, and scenario‑tested rollback plans: principles now reflected in DTA’s AI technical standard.

The OAIC’s breach statistics show why this matters for public trust: malicious or criminal attacks remain the main cause of breaches, with government agencies among the top reporting sectors and timeliness still a challenge. For citizens, especially those who must use government services, security is not abstract — it is the precondition for confident uptake of digital channels and AI‑enabled experiences.

From digital projects to citizen outcomes: investment, assurance and the last mile

One hallmark of Government 3.0 is disciplined investment governance that links money to measurable outcomes. Australia’s Investment Oversight Framework (IOF) and the Major Digital Projects Report increase transparency over cost, schedule and benefits, and (crucially) provide a centre‑of‑government lever to improve delivery performance across portfolios. The DTA’s Digital Experience Policy adds an outcomes lens — service inclusion, accessibility and performance — so that delivery teams scale what works and retire what doesn’t.

The OECD has recognised Australia’s leadership in digital investment governance, highlighting the IOF and related policies as global exemplars; useful validation as we tune these settings for AI‑heavy portfolios. In practice, that means applying the same rigour to AI initiatives — clear problem definition, test‑and‑learn, assurance gates, and published evidence of benefit realisation — not simply counting pilots.

What this looks like for citizens is:

• Fewer forms and duplicative identity checks as Digital ID expands across jurisdictions; reduced data handling lowers breach exposure and fraud risk.
• Faster, more accurate decisions where agentic AI automates low‑risk triage, leaving complex judgement to humans — under clear transparency and accountability rules.
• More resilient services because cyber baselines improve and incident insights are shared and acted on.
   

For New Zealanders, closer alignment on identity, open data and AI assurance eases trans‑Tasman mobility and cross‑border service design, lifting consistency for people and businesses that operate in both markets.

A pragmatic 12‑month agenda for E‑Leaders and the APS

Drawing on the E‑Leaders’ playbook and Australia’s policy settings, here are practical steps agencies can take over the next year to make AI, information management and cybersecurity work together for better outcomes:

1. Publish AI transparency statements and system cards for every significant AI use case — including objectives, data sources, evaluation metrics, bias checks and human‑in‑the‑loop controls.
2. Make measurement boring (in a good way): tie each AI initiative to Digital Experience Policy metrics and report benefits in the Major Digital Projects cadence.
3. Harden the data layer: apply the OAIC’s breach insights to your data architecture — minimise sensitive data storage, segment high‑value datasets, and accelerate passwordless, phishing‑resistant authentication as Digital ID scales.
4. Treat models as critical infrastructure: incorporate ASD’s four priorities into AI platform engineering — comprehensive logging, legacy remediation, third‑party risk management, and roadmap to post‑quantum crypto.
5. Adopt secure‑by‑standard devices: prepare procurement and architecture teams for IoT security rules foreshadowed under the Cyber Security Act.
6. Invest in skills and assurance: uplift AI fundamentals across the workforce; engage the DTA’s emerging AI assurance framework early.
7. Lean into open data with safeguards: prioritise high‑value datasets for release while codifying sensitive‑data protections for model training.
8. Show, don’t tell: pick two cross‑agency journeys and deliver end‑to‑end improvements using Digital ID, open data and safe AI — measuring the citizen time saved and errors avoided.

The bigger picture: Government 3.0 for Australia and New Zealand

The OECD’s message to digital leaders is clear: governance is what makes digital and data transformations stick. In practice, Government 3.0 is not a slogan; it is the disciplined fusion of human‑centred design, managed data, assured AI and defensible security — with investment governance that lets leaders reallocate effort to what demonstrably works.

If Sydney 2025 is to be remembered for more than good intentions, it will be because governments did three things:

• Set guardrails once, use them everywhere.
• Measure outcomes that matter.
• Design for everyone.
   

Do that, and the OECD E‑Leaders conversation in Sydney becomes a catalyst for better outcomes for Australians and New Zealanders — safer, simpler services, decisions that are faster and fairer, and a public sector that is confidently stepping into the Government 3.0 era.

Image credit: iStock.com/Supatman