May 18, 2010 | William Heath

Personal Data: reclaiming individual control

In the fifth of our series on the challenges the new government faces, William Heath, looks at personal data. William is the founder of Mydex CIC and of Ctrl-Shift Ltd, is ORG founder #427 and former chair of Open Rights Group.

A vital key to reforming public services for the new coalition administration will be provided by a new approach to personal data.

On public data Labour's legacy is a promising start. Thanks first to Ed Mayo & Tom Steinberg (Power of Information Review), then and substantially to Tom Watson and Richard Allan, finally to Gordon Brown and TBL the policy of opening up public data is taking hold. Data about inanimate objects: maps, finance and statistics paid for by the taxpayer is being set free for our greater utility and economic benefit.

But authoritarian New Labour's legacy on personal data is lamentable: ineffectual, wasteful, unjust, often arguably illegal.

A decade ago the same government's policies were quite good. But by 2005 the "Transformational Government" policy was a mutant child of the post 9/11 War on Terror and what was recently described to me as "the big Siebel lie".

The first fallacy is that amassing unthinkable amounts of data – the US wants a Yottabyte of Sigint by 2015 – delivers public safety better. Many of us would rather see a sound economy and just society based on respect and equality.

The second fallacy is that organisation-centric "customer relationship management" gives people what they want cheaply, without active participation or control by the individual. It doesn't: it disempowers and frustrates people, who are turned off and walk away from such so-called "relationships" in droves.

The new administration has emphatically said "enough of this nonsense".

It has started by cancelling the benighted ID Scheme and childrens' database ContactPoint, tightening policy on DNA retention and ruling out the unreasonable level of global data retention that the proposed Intercept Modernisation Progamme would require. The NHS national programme, vetting programmes, intrusive transport databases can all expect careful scrutiny and substantial revision.

Assuming the "No to" in No2ID will now prevail, what do we say "Yes" to?

Remember: the challenge is to save a great deal of money – 40% per department seems to be the benchmark; to protect and even improve essential services, above all health and education; and not to go soft on law & order.

Martha Lane Fox is right to say this means making everything available online, and switching off the offline alternatives. It sounds harsh, but it's not. Where people depend on intermediaries, the carers can use the online service.

Having cancelled the ID Scheme, we need to grasp the nettle of on-line identifiers for public services. This should include a capability for online power of attorney. The way forward needs to conform to Cameron's laws: consistent and convenient, under the user's control and without shedding data where it does not belong.

This world is moving very fast, as those behind OpenID, OAuth and the Open Information Exchange OIX are aware. There's now a valuable range of verified online identity and authentication service providers: credit reference agencies and account-based services from banks, payment services and phone companies.

The new UK administration can draw on the rapid policy improvements in the US. First it withdrew government from online ID provision and instead invited third parties to act as online ID providers for all online public services. Now it is evolving a "trust framework" so parties are appropriately accredited. Next it is drafting an ambitious National Strategy for Secure Online Transactions in which government will act as catalyst for a trusted identity framework nationwide based on independently verified but individually controlled personal data.

Of course the UK's Lib-Con coalition should copy this. But it can also leap-frog it.

The turning point is the simple but radical acceptance of a deep truth: people should own and control their personal data, including how it drives public services. UK public services need to reflect the reality that individuals know their own circumstances, preferences, needs and future intentions best. In the end it's always down to the individual or the carers on whom they depend to sort it all out anyway.

As well as the sort of third-party online IDs policy now at work in the US this requires:

  • deployment of personal data stores
  • the ability to invoke external verification for claims; not just ID but quualifications and licences
  • selective disclosure, either sharing a snapshot for a specific purpose, or in the context of a user-permissioned relationship.

That adds up to more than "tell us once" for a selection of public services. It's tell anyone once, or many times just what you want to tell them and no more. Plus you can stop when you want.

Technically this is not a huge task given contempory tools. Several UK entrepreneurs have done it (including one in which I declare an interest). The real task is starting the network effect, where organisations agree to start to receive valuable feeds of data from individuals.

The UK needs now to do a couple of trials of this. There are huge benefits to be had if we can learn the right lessons in time.

The underpinning for this thinking comes substantially from Doc Searls and his Project VRM at Harvard. But we've barely begun to work out the implications for UK public services. How should the NHS best work with user-held and controlled health records? Remember - these will be real "health" records, featuring exercise and diet as well as episodes of illness. How should education and the jobs market work to best effect with user-driven records of life-long learning and experience? 

User-driven records and "volunteered personal information" will have profound impact on welfare, travel, censuses, policy formation, consultations. That's just in the public sector. Research by Ctrl-Shift suggests the market for "volunteered personal information" arising from the individual overtakes the national market for display advertising in 2017 to become worth £20bn a year by 2020: ten Google UKs. And it's the same for Europe, the US and the world.

There's a specific task of working the implications of such a change through every sort of public service that depends on personal data. Will it work? What is involved in taking it forward? What are the risks?

The potential rewards are immense. It's not just that, like BP, we need to stem the toxic leakage, in our case of personal data from government. Nor that we need to cut the cost of maintaining government's huge data sets, and restore people's trust in what goervnment does with personal data. The real wins come when public services are driven more directly by more accurate data sets, and can be more closely aligned only to needs which really exist. Imagine the "just in time" revolution of 1970s car manufacturing applied to public services. But the saving we have to make mean we'll need nothing less than that.

The key is to invite individuals to help government do it: participatory public services.

ORG founder Dan O'Brien always said "they stole our revolution; now we're stealing it back". Computers started at the centre. But it was only when they were also put in the hands of individuals, and the two worked together, that we started to see what is really possible. That's where we're headed: a Big Online Society.