The independent review on public data prepared by Stephan Shakespeare, chair of the Data Strategy Board, has just been published. Much of what Shakespeare recommends is very good stuff, and includes things that ORG has been proposing for some time. But we have some disagreements, particularly on the analyses and proposals around privacy.
We will not cover every recommendation. The full text including an executive summary can be found HERE.
Shakespeare looks at the big picture and proposes a National Data Strategy that overcomes the current fragmentation and piecemeal approach. This would be based on a clear principle of citizen ownership, and reach both government departments and the Trading Funds that sell high value data. The initial focus would be on education, health, economic and public administration data.
We will have to wait until the official response to know whether these recommendations are accepted by government. Previous attempts to crack the trading funds have been slow to progress. The review is accompanied by an economic study carried out by Deloitte that estimates the cost of opening the trading funds at £143 million. The benefits from opening all PSI are calculated at £1.8bn in direct value with wider social benefits of £6.8bn. This is not the first such report, and previous calculations have simply not been accepted by those responsible at BIS.
These proposals will inevitably be compared with changes in US policy. Obama’s recent executive order on Open Data sets the bar very high. The order sets clear guidelines for engagement, reporting and moving on from a similar cherry-picking approach. But in both the UK and the USA the problem has been implementation. The order from Obama demands that departments index all their data, but in the UK government bodies have supposedly had an obligation to build comprehensive asset inventories for some time, and have failed to do so.
The recommendations do not explain how this will change. There are some excellent proposals to improve the governance of open data with a review of the complex structures. ORG has direct experience of engaging with the proverbial right and left hands, and has raised this issue with policy makers. But it may not be enough. The US seems to take a stronger line and will force departments to open.
Other positive proposals centre on the data from private companies. Shakespeare proposes an environment where public and private sector support each other and share data. We think this is good as long as it does not involve personal information. We support calls for companies to share data on private-public partnerships, but the proposed mechanism of procurement clauses may not be enough. Changes to FOI law would have been preferable.
Also very much in line with ORG’s thinking is the idea that private data derived from the activity of citizens is co-owned by them and should return value to citizens while respecting private investment. Midata is presented as an example, but this reflects a narrow understanding of the implications of that idea. We need wider governance models for both public and private data.
Less positive is the exclusive focus on economic growth, as opposed to transparency and accountability. This separation is artificial and problematic, and it carries a risk: if the economic benefits are disputed, the whole policy could be endangered. Instead, transparency and accountability should be recognised as the basis for a public interest data policy, with economic growth building upon these.
The review does not completely avoid the topic. Calls for “systematic and transparent use of administrative data” in policy are very welcome. We agree that we should embed this in an improved democratic process of consultations and impact assessments.
It is good that privacy is given a lot of consideration, but we have to disagree on some of the analyses and recommendations. In the review the main privacy risks of public data can be divided into those affecting identifiable data and those around anonymous data. Shakespeare recommends a “pragmatic policy on privacy” based on two main pillars:
He proposes sandbox technologies with restricted access control for selected groups such as researchers. This implies that the data is not fully opened, as it would cover personal and pseudonymous data. While a good idea in principle, there are issues around governance.
Anonymisation is seen as the main vehicle to convert personal data into open data. Although the review acknowledges that anonymised data receives stronger protection in other European countries, it does not properly explore the implications of the growing mountain of evidence that anonymisation in itself does not provide long-term protection. It simply refers to the work of the ICO, which has developed a Code of Practice of Anonymisation and an expert network.
There are good ideas for a better complaints system - we propose a responsible disclosure framework - and some consideration of opt-outs, but these are not properly developed.
Self-regulation with stronger penalties
It is slightly disappointing that citizens’ privacy continues to be perceived as a hurdle, instrumentally required in order to build trust, rather than as a fundamental right.
According to Shakespeare, citizens have an “unrealistic degree of expectation” of the capacity of those who hold their data to truly protect it, and this inhibits innovation. He proposes a “privacy through accountability” model that would shift the responsibility to ensure that citizens are not harmed to the re-users rather than the primary holder of the data, which currently bears the main responsibility. This is proposed by Mayer-Schönberger and Cukier in their book Big Data.
These proposals follow a model similar to the ICO Code of Practice of Anonymisation, where if the organisation holding the data follows procedures and tries its best, it won’t be held fully responsible for re-identification by third parties.
This self-regulation model would be coupled with stronger penalties for misuse, including criminal sentences. This has been demanded for some time by the ICO and privacy groups, and it appeared again at the Leveson inquiry. The European Data Protection Regulation currently discussed in Brussels contemplates stronger fines based on revenue, rather than the paltry fixed amounts the ICO can currently adjudicate.
But a fundamental issue not tackled by these proposals is that citizens have to rely on the ICO for fines or punishment, and have no power to demand compensation. Allowing for class action on damages would be a good addition to fines and punishment. It would also be important to look at the wider impacts, for example in relation to profiling and discrimination law, where no data breach will take place.
The review makes sensible proposals about better guidance and privacy impact assessments. Ethical guidelines for researchers, also proposed by Shakespeare, are certainly a good idea, but we cannot agree that “best practice guidelines should be enough”. Non-enforceable systems should build on top of a strong baseline of statutory data protection. Also, rather than an industry self-regulation approach, we would prefer a multi-stakeholder governance model that involves the data subjects as well.
In any case, privacy regulation is a veritable legal supertanker and such fundamental changes to basic principles of accountability of data controllers will be limited both by EU-level legislation and other international processes. The Shakespeare review may have benefitted from broader consultation with civil society groups.