Employees, or the public?
The article seems to suggest that the reports are mostly about protecting data of government employees. Or is that a wrong assumption?
Certainly an important first step is to look at the data of the system users -- government employees -- given the number of them. It also provides some leadership, and possibly some changes to supplier policies, that can be very useful for other employers (I know that my employer, for example, has concerns about employee privacy when mandating business use of cloud and mobile apps).
What is not clear is whether the reports have looked at the privacy of the data being processed which, by the nature of government, contains masses of private data about people. Whether it is a spreadsheet of people asking a local government to supply a cleaner for a disabled person, or the country's income tax system, it is essential that none of that data finds its way to the vendor for "diagnostics" or "performance analysis".