Data sharing in the Government Transformation Strategy
There are a lot of good points in the Government Transformation Strategy on the subject of data and trust:
- Ensuring that public sector workers understand the ethics of data sharing will make it easier for the policies they design and deliver, to meet the higher standard that government should hold itself to.
- The commitment to be more transparent about how data is used to develop policy and run services could, if done right, provide an international exemplar of how algorithmic accountability could work.
- A new Chief Data Officer, along with a Data Advisory Board, can ensure that government departments are forced to work together to meet the needs of, and maintain the trust, of the public.
But I want to talk about data sharing, which features heavily in the Strategy. It bothers me.
Data sharing is often presented as the only alternative to the current silos of government data. ‘Removing the barriers to effective data use’ has become the only policy lever to pull on to achieve it. But it’s not the only alternative.
‘Data sharing’ worries me because it’s such an unhelpful term. It’s so general. Without any technical specification it could mean any number of different techniques that have wildly different implications for people’s privacy. And because the mechanics of data sharing aren’t specified in the strategy it’s not clear if the public will be involved in deciding how data is shared. What makes the problem worse is that any opportunity where the strategy could describe the technical and legal safeguards of data sharing, it instead points to the Digital Economy Bill:
"Removing barriers to effective data use in government by all parts of government through the data sharing provisions of the Digital Economy Bill, once it is passed by Parliament."
That’s the same Bill heavily criticised for putting ministers, rather than citizens, in control of citizen data. The same Bill that omits key information that specialists expected to see describing the kind of privacy safeguards needed for product teams to build government services. In fact, back in October last year I gave evidence for part 5 of the Bill in Parliament (the section that deals specifically with digital government). I spoke about the issue of data sharing then, and the issue remains much the same. In its current form, the Bill permits personal data to flow freely between departments and civil servants.
This really matters, because the data in question is deeply sensitive. Like data on your ‘physical, mental health, emotional, social and economic’ wellbeing amongst other things. Without good legal and technical safeguards in place, we’ll see more unethical data sharing across government departments.
It gets worse. Since I gave evidence, the codes for the Digital Economy Bill have been published. The gist of the Draft Digital Government data sharing codes of practice is that departments should refer to the Data Protection Act (DPA) to make sure their data sharing adheres to legislation. That’s probably ok now, but within the next couple of years the DPA will be superseded by the General Data Protection Act (GDPR), a piece of complicated but progressive EU legislation that gives citizens new digital rights. Rights directly at odds with some of the content of the Digital Economy Bill.
The GDPR and Digital Economy Bill have significantly different approaches to data sharing. The GDPR puts an emphasis on people being in control of personal data, whereas the Bill puts government ministers in control. This conflict of interest has been previously identified, and in a recent study respondents recognised a need for “greater clarity at national and regional government levels on the need to consider grounds for data sharing”. This is unresolved.
It’s hard to judge the Strategy when it is so dependent on the Digital Economy Bill, an unfinished piece of legislation that remains the centre of massive debates about privacy and ethics. In a time of such global, diplomatic uncertainty it would be irresponsible to be complacent.
So how could the Strategy be revised?
Instead of ‘data sharing’, the government should be thinking about ‘data access’. It should be thinking about ways the public can have the opportunity (either directly or via trusted third-party organisations) to understand what is happening to their data at the point-of use of a public service, and be able to control access where relevant. It should also start thinking about what options people should have for recourse when things go wrong (because things will go wrong, and one of the measures of good service design is whether a service takes that reality into account).
This will be the fundamental challenge of the Chief Data Officer & Data Advisory Board. Failure to do so will mean failure to meet the aims of the strategy: