The government has just announced new data sharing legislation in the Queen’s Speech.
This is not a surprise, as the Cabinet Office has been preparing for over two years, with extensive discussions across government and with civil society groups under the Open Policy Making programme. The process culminated in a public consultation last month. We responded with quite a few critical comments, and over 160 ORG supporters wrote to the Cabinet Office to ask them to put privacy at the centre of any new measures.
As we have said before in this blog, ORG’s principles are that data sharing agreements should not lead to a widespread intrusion on people’s privacy; should be proportionate, limited in scope and enshrine fundamental rights; and carry strong safeguards against wilful abuse and unintended consequences.
However, some proposals we are expecting simply need to be withdrawn, particularly the bulk sharing of civil registration data across government. We are mainly concerned about births and marriages data. Notifications of deaths have lower privacy implications, but nevertheless should be handled sensitively.
Electronic access to individual certificates can be positive, avoiding the need for paper copies, but this is very different from bulk sharing. Spreading civil registration data across government will lead to common identifiers and data centralisation. The government is keen to stress that they do not wish to create a new “citizen database”, but this is not the point. The same level of intrusion can be generated by widespread data matching with a form of “ID card lite”. The core principle of ID is not the card itself but the uniqueness of the number or key and the centralisation aspects.
It is very likely that these proposals will be rejected by public opinion, as previous attempts have been. The Conservative Party in opposition was against ID cards and the database state, and would need to explain in Parliament why they have reversed their position in Government. These proposals are not explicitly mentioned in the data sharing notes accompanying the Queen’s Speech, as are several other initiatives under discussion, so it is possible the government has seen some sense and withdrawn them. More clarity would be welcome.
The wider proposals have been severely criticised by UK tech heavyweights such as Jerry Fishenden, who argues that the proposals are not well defined - lacking “detail about basic, fundamental areas (such as security, privacy, accountability)” - and remind him of previous initiatives such as the “Transformational Government (2005), the Identity Card Act (2006), and the Coroners and Justice Bill (2008)”. Even more worryingly for government, he thinks that the proposals may not deliver their stated benefits. The proposals to increase data sharing on fraud could be “more likely to increase fraud rather than help mitigate it”.
The policy making process around these proposals started on a very positive note, with government bringing civil society in very early to discuss our concerns. The dialogue has continued to the last minute, but we are disappointed that the master lines appear to have been set in advance at the political level, with ministers believing that data sharing is the solution and must be increased. Only room for minor changes remains in our discussions with well-meaning civil servants.
We foresee some trouble for the new proposals if they end up becoming yet another attempt to increase the volume of personal data flowing across government, with legal and social constraints being seen as something to be “managed” instead of positive features. The Cabinet Office should instead be looking at smarter uses of personal data that are doubly innovative in being both efficient and citizen friendly.
The Cabinet Office has also embarked on a parallel process to create an Ethical Framework for the use of Data Science in government, which will cover issues of privacy, data sharing, and algorithmic decision-making. This framework is guided by principles such as data minimisation and the need to build robust models and take public perceptions into account.
We will wait for the government to respond to the consultation before we fully set our views. In our submission we argued that key safeguards needed to be on the face of the bill, not in codes of practice of unclear enforceability. Those powers that are being piloted, such as those on fraud, need sunset clauses and parliamentary discussion, not revisions by the same ministers involved.
The half-baked powers on data sharing to tackle debt need to be reconsidered as part of a proper national strategy on debt management involving relevant civil society groups and debt charities. There are dangers of stigmatisation as well as intrusion into privacy.
Overall, these proposals may contain elements that are acceptable, but the newer, less considered ideas simply need to go.