Councils want medical records to feed government ID scheme

Blue Badge.jpgGovernment identity experts want to tap NHS medical records to tell if people are entitled to get benefits and use public services.

Warwickshire County Council has been in talks with NHS England and other public bodies that hold data it needs for a local government trial of the government’s next generation ID scheme, with backing from the Cabinet Office, which has overseen development of the scheme and branded it “Verify”.

The NHS plan is part of an effort to get the ID scheme adopted nationally, so all private companies use it to check people’s credentials, as well as public bodies. But the government needs to persuade private companies and public bodies not only to use it, but to participate in it as well, by helping create an “ecosystem” of databases that all share data about who’s who and who’s entitled to what.

Ian Litton - Warwickshire County Council.pngIan Litton, programme manager at Warwickshire, which has led development of data sharing for Verify, demonstrated a prototype of the system at an identity software sales conference in London’s Russell Square Hotel on Wednesday 11 November. But it would only work partially unless it could make checks against NHS patient records, he told the audience.

The prototype, which made almost instant database checks on people applying to get ‘Blue Badge’ concessions for disabled car parking, showed how councils could use Verify to cut costs.

Blue badge

Some in the audience of technocrats and industry suits gave an audible gasp of amazement when Litton demonstrated his Blue Badge system making instantaneous checks against Department for Work and Pensions databases, and tapping the Driving and Vehicle Standards Agency database for an applicant’s photograph.

He told them how the ID scheme would help councils do the “transformation” the government had proscribed to accommodate its budget cuts: transforming from Town Halls employing people who process forms like Blue Badge applications and check over proofs of address, driving licenses and other casual tokens of people’s identity, to a public-private ecosystem of chattering databases.

But the prototype could only verify the disabled status of about 40 per cent of people because its assessment relied solely on DWP records of those already registered disabled, Litton told the conference. The other 60 per cent of Blue Badge applications might be processed automatically if they could get confirmation of someone’s disabled status from NHS records.

Warwickshire was leading the Cabinet Office effort to get the NHS and other government departments to sign up to the scheme under the umbrella of the Open Identity Exchange, a US body that has overseen development of the ID system in the UK and other countries so that, ultimately, people would be correctly identified with the same credentials shared wherever they travelled among participating countries. Those credentials – snippets of personal data called attributes, which said someone had blue eyes or was a member of the cricket club and had a history of exam cheating and expulsions in a regression of schools – would make the ID system tick.

Whitehall Media - CROPPED.png“There are ongoing discussions with NHS England at the moment around what we can do with NHS data,” Litton told the conference, “because we reckon that of the 60 per cent of people who don’t meet the eligibility criteria from DWP, there will be a significant number who could be eligible based on their medical history.”

“We are having active discussions with [Cabinet Office] Government Digital Service, with the Department for Transport, who owns the Blue Badge process, DWP, who owns the attributes required for Blue Badge eligibility, and we are also talking to the Department of Health and the Department for Communities and Local Government.”


The NHS had already agreed to join the data sharing scheme before January 2011, when the Cabinet Office published its first blueprint, and was to become one of the first public bodies to start using it, in 2012. But the system wasn’t ready. (Cabinet Office had originally intended to use it for electoral registration in this year’s general election. That was one IT bodge the coalition government managed to slip past the electorate).

Warwickshire was nonetheless leading talks to get a variety of government departments to connect their databases to the ID ecosystem, according to Litton.

“That would feed into a whole number of other local government services around housing, council tax benefits and those sorts of things,” he said.

Part of Litton’s job, he told Computer Weekly after his demonstration, was to promote the identity data system to other local authorities. His sales pitch, to his peers at the conference, was a journey through the reasoning that led an ID ecosystem to be conceived.

20151026 - Prime minister David Cameron - opening Chiltern railways and Network Rail line at Oxford Parkway station.pngBut speaking as news spread that prime minister David Cameron had berated the Conservative leader of his native Oxfordshire County Council for neglecting its own transformation, Litton’s pitch relied on a pretence.

That was that Warwickshire had been been working through the problems of how to do transformation and had come to the conclusion, in collaboration with the Cabinet Office and other departments, that they might crack it by some carefully-managed data sharing and some form of online identity verification like the one built into Verify.

Warwickshire was however merely implementing an ID system designed long ago and elsewhere. The mechanism wasn’t even original in 2011 when the Cabinet Office published its blueprint. It was first described in detail formally by a working group chaired by then US president George Bush, in the 2008 report of an Identity Management Task Force for the US National Science and Technology Council (NSTC), then already after many years of concerted effort by US government and industry; and picked up again in April 2011, in president Barack Obama’s  National Strategy for Trusted Identities in Cyberspace (NSTIC).

Warwickshire and the Cabinet Office built their system of attribute exchange using software developed by ForgeRock, a US/Nordic software company that also powered the US federal next-gen ID system on its launch this year and is being deployed elsewhere around the world. Verizon, the company that implemented the Warwickshire/Cabinet Office prototype, has been prominent among those building the identity ecosystem infrastructure for the US government.

Blue blood

US President George W Bush.jpegThat did not necessarily mean Warwickshire’s story was complete hokum. US reports recounting ongoing work companies such as Verizon have done to develop the US identity ecosystem note that development is ongoing. Verizon played a leading role in developing the system of attribute exchange under direction from the US government. Litton claimed to be leading development of attribute exchange for the UK. It was not inconceivable that the Warwickshire pilot would inform Verizon’s reports back to the US NSTIC about its latest insights into the problem of implementing Bush’s ID programme.

Nor was the true origin of Warwickshire’s ID system cause, necessarily, to reject it as the infrastructure of a colonial administration. The US premise was that a universal ID system was a necessary development for the internet, at a time when 50 per cent of people close a website when it asks them to enter yet another password.

And the next-gen assumption was that some countries are so alike in trade, culture politics, security and catastrophic, offensive military interventions that it would be sensible to knit their populaces together in an interoperable ecosystem of citizen identity and management as our real-world structures of social administration and security are rendered in software, lest they separate into “stovepipes” (to pick a phrase from Bush’s 2008 strategy) of incompatibility that prevent people’s medical records, financial history and security risk-rating travelling with them from country to country. As Europe’s Schengen system shakes on its foundations, a different sort of free-movement regime is being created.

But Litton’s story about the way Warwickshire came to its own conclusion about attribute exchange might be given salesman’s license.

His pitch, repeating much of the one Bush made in 2008, went like this:

Councils need to do transformation to cut costs. That involves putting services online. Online services need good data. But other organisations have the data you need. You can’t just get them to share their data with you. Because data sharing has long been a toxic political issue, and a staple of tabloid stories. So you must do data sharing carefully. That means primarily knowing who you are dealing with online. You need an identity assurance system to do that. And because you are nice, you will create a system that puts people in control. So you always ask people’s permission before using the identity data system to check their credentials against DWP records or medical records and so on. And you make sure you always grab only enough data for immediate purposes, such as checking someone is entitled to a Blue Badge. But the system would have to be universal or you would end up having to develop bespoke software and legal agreements every time you wanted to get data from a different organisation. So you do attribute exchange. And you ask people for direct consent for pulling their attributes from the ecosystem when they come to you for some service. They want a Blue Badge, you say okay but I need to get your data to process your application: Yes/No?

Attribute Exchange Network - AXN - 20130618 - ICAM Day Attribute Exchange Panel.pngLitton pitched the ID ecosystem architecture set out by Bush in 2008 as well, which the software, telecoms, banking, security and military industries have been building ever since and since long before, and was instilled in government ID systems launched in the UK, US and elsewhere this year. He didn’t quite put it that way.

Oxfordshire leader Ian Hudspeth and prime minister David Cameron at election 2015 vote count.pngEfficiency was the big sell for next-gen ID. Litton’s Blue Badge transformation would save only a modest £12m a-year if all councils took it up. But Litton reckoned there were 50 local government services that could be similarly transformed. He reckoned they could save millions of pounds. That was the business case Cameron was making when he admonished Oxfordshire leader Ian Hudspeth, his election campaign buddy, in press leak that day: why accommodate Conservative cuts to council budgets by closing children’s centres when you could transform your back office? For councils, the Verify ID scheme would drive the transformation.

Blue light

Just imagine the the possibilities, Litton urged his audience. Think about where this might lead: “Think about the right to work”.

Employers have been forced to check people’s identity papers since 2008 when the government made it illegal for them to employ foreigners without checking they had a permit. But it was always part of the ID plan to do these checks against Home Office databases, ever since the Labour government proposed identity cards in 2002, and again put the ID Cards Bill before parliament in 2005, when the Crosby review made the case in 2008 for a market of private companies to operate the ID scheme, and again when the coalition Cabinet Office published its plan for market-based ID in 2011. Officials had a desire to track foreigners no less urgent in 2002 when the UK helped launch the belligerent wars that continue to today.

In keeping with the US strategy, Litton reckoned the system would be monetized, and would have “huge benefits” for the private companies doing the work as well as the public companies reaping the cost savings. The case for next-gen ID was then not merely that it would help the government administer the subjects of its civil intelligence system more efficiently, but it would tighten national security and create wealth for private companies.

Bus lane sign.gifFor people though, this world of automated checks and balances might be a different matter. For anyone who has while driving strayed into a bus lane and subsequently found a road camera notice on their doormat, with its no-mercy demand from their local council for payment of a Waitrose-class fine with barely more than few days to pay, with no accommodation of misunderstandings of a confusing road system and poor signage and obscure, inconsistent rules; and no courtesy, concession, discretion, protest, and *or else* the state gets really heavy, will learn how humanity is being designed out of the system as it gets more efficient and more secure. It leads far from the days where you would drive the wrong way up a one-way street and someone would shout, ‘It’s a one-way street!’, and you and your passengers would gasp in cheerful alarm as you do when you breach of some commonplace rule with which you have no disagreement and which ultimately justifies little concern and rarely any penalty. “Oh no!” you would cry. “Thank you!”. And relieved, you would stop the car and turn it round. These days though, you would have to pay near enough a hundred pounds in fines, drawn up automatically by the security software behind some unblinking camera.

Bush’s ID plan, and the UK’s own later versions of it, had from its earliest iterations in 2002 always stressed it would protect people’s privacy. That’s what they say now in Warwickshire and Whitehall as well. So theoretically, you shouldn’t worry about your medical records getting poked by the ID system.

Feelin’ blue

But they never professed to want a system that preserved those parts of a human administration that made it tolerable to be governed. That is, its humanity: the compassion and mercy latent in human discretion. They would make government administration more efficient by removing discretion. As Bush’s principles of civil security were implemented in places like Warwickshire, that would mean people who ticked boxes would be passed more efficiently, as though they were containers on a well managed trade route. But simplistic, software-driven logic, combined with petty officialdom and private sector profiteering would make it more likely that those anomalous cases who didn’t fit what the system architects had determined to be patterns of normal behaviour, or behaviour deemed least obstructive to the efficient running of the system, would be taken as verminous: to be dispatched efficiently, and sharply, with severe penalties.

220px-Vehicle_activated_sign_(VAS)_speed_limit_enforcement.pngThey might have put as much effort into building a software administration that helped people avoid penalties in the first place: the difference between courteous traffic speed management on rural roads in Wales, where digital signs are effective in reminding drivers when they drive over 30 miles per hour in a 30 mile zone, and the penal road cameras somewhere like the Canterbury ring road in Kent, where cameras trap people unawares in obscure speed spots and punish them with penalty points on their driving licence and an uncomfortable fine.

So flashing indicators might warn drivers they had strayed onto a part of the road where they were not permitted. Parking indicators might sent a friendly text message reminding your car had over-run its parking permit where you had put it – ‘better go and move that’! People who ignored the courtesy would get warnings; people who ignored the warnings would get poked; people who dodged the poke would get fined. That is how a civil authority would do it. But the system was designed for security and sold as efficiency. It was built by security contractors, implemented by petty bureaucrats, and managed by accountants. It assumed mistrust and leaves the wrongfully penalized to beg their case afterwards. It is the pernicious instinct of booted officialdom rendered in software. It strove for the same sort of efficiency by which the banks implemented a direct debit system of automated payments that fined people when they didn’t have money to pay their bills that month: it fined people who interrupted the efficient running of the payment system, when there was no sound reason why the payments software could not check again later and no cost or loss to anyone. The penal nature of the direct debit system became so instinctive to others with petty powers that companies who don’t receive a payment scheduled by direct debit will issue sharp fines as well. Everybody takes their cut. Everybody takes their spiteful little bite. Direct debit fines like parking and traffic fines were always a scam.

Whitehall Media - CROPPED 2.pngJust think of the possibilities, Litton told his audience.

Computer Weekly had been thinking about the possibilities and asked Litton after his talk if he would stop to answer some questions about them. He was rushing to see a talk ForgeRock was giving about how its system would respect people’s privacy. Litton said he was happy to talk later.

But a few moments later, conference organiser Whitehall Media arrested your correspondent with an unusual request: would you ask our permission before you speak to anyone else? Refusing to be held to despotic terms, and wondering about the possibilities of digital government, your correspondent was shown the door.