Digital Economy Bill lacks clarity on data sharing, experts say

Transparency key to public trust

Jerry Fishenden, co-chair of the Cabinet Office’s Privacy and Consumer Advisory Group, told the committee that the bill failed to include a definition of what data sharing means.

“I find it surprising the bill doesn’t have definition of what data sharing is, both practically and legally,” he said.

“I’d like to see some precision around what’s meant by data sharing. The lack of detail is concerning.”

In his written evidence provided to the committee, Fishenden said the bill seems “to imply an approach to ‘data sharing’ modelled on the era of filing cabinets and photocopiers when the only way to make data available to others was to send them a duplicate physical copy”. 

“Modern technology has rendered the need for such literal 'data sharing' obsolete: data can now be used without copying it to others and without compromising security and privacy,” he said.

Jeni Tennison, CEO of the Open Data Institute (ODI), said it’s difficult to understand the measures the bill sets out in the context of the existing data sharing agreements in the public sector.

“We’d like to see more transparency around what existing measures there are inside government for data sharing and how these measures fit with existing ones, so people can really get to grips with the way data is flowing through government,” she said.

These views are also echoed by former Government Digital Service (GDS) boss Mike Bracken – now chief digital officer at the Co-operative Group.

When asked by Louise Haigh, shadow minister for the digital economy, if he thought the bill was clear enough in its proposals on data sharing and privacy, Bracken answered, “In short, no”.

He went on to explain that while the “sentiment behind the bill is to be applauded, there are many complicated issues in this space”.

He said government departments already share data in many different ways, but the sharing arrangements used by departments are “opaque at best”. He added that the government relies on bulk data sets too often, instead of simply asking for the individual data set pertaining to the information needed.

Avoiding another Care.data scandal

One of the reasons why it’s so important to be clear on data sharing arrangements is that the government has a long way to go in building public trust.

The government is keen to avoid another Care.data debacle, which arguably set back data sharing in the health sector by several years.

One of the main reasons behind the failure of the programme, which aimed to extract anonymised patient data from GPs to a central repository held by NHS Digital, was a lack of transparency.

The programme was accused of pushing through Care.data without explaining the implications for highly sensitive patient records.

This was followed by a disastrous education campaign, consisting of leaflets being posted through letterboxes that failed to include any information on the risks of the data being shared. The backlash eventually caused the programme to be scrapped. 

Tennison told MPs on the committee that the bill lacks the transparency needed to avoid another Care.data scandal. “I think it could be strengthened by putting some provisions around transparency,” she said.

In his written evidence, Fishenden said the bill fails to clarify how proposals to “data share” fit in with the government’s policy that citizens control their own data.

“Instead, it appears to weaken citizens’ control over their personal data for public bodies and other organisations to 'share' their data around,” he said.

Fishenden added that the weakening of individuals’ control of their data is “likely to undermine trust in government and make citizens less willing to share their personal data”.

The bill gives little detail around security and safeguards of data. For instance, if a citizen wants to revoke previously given consent for their data to be shared after that data has been given to a third party, there is no information of whether that would be possible.

“This is the type of organisation-centred, rather than citizen-centred, approach that characterised the failure of the top-down imposition of Care.data in the NHS,” said Fishenden.

Newly appointed information commissioner Elizabeth Denham told the committee that the data sharing envisioned in the bill was not based on a “consent regime”. 

She added, however, that while consent is not a silver bullet, if you’re “not using consent as a basis for sharing information” then other obligations – such as the need for safeguards, scrutiny and independent oversight – become more important.

“Trust and transparency go hand in hand and the focus need to be around transparency and trust,” said Denham, adding that the government should be breaking down data sharing by types of data and its purpose.

She said while the approach is right, “strengthening of the bill” could go a long way in ensuring public trust.

“We have an opportunity for this bill to support data and privacy. If no amendments are made, we’re slipping behind,” she said.

No mention of GDS work

Fishenden said this focus on the “organisation” rather than citizens is far from the emphasis being put on user needs and better public services, which is the focus of the Government Digital Service.

The work GDS is doing seems to be disregarded in the bill – something civil liberties pressure group Big Brother Watch has also pointed out.

In its written evidence, the group said the Gov.uk Verify scheme – an identity assurance platform which aims to become the central way to establish your identity when interacting with government services – has been completely overlooked by the bill.

“[GDS] has been working for the past five or so years to establish a model of attribute exchange sharing, based on the government not centrally storing data and ensuring that there is no unnecessary sharing of information,” the group said. 

“Verify adheres to strong privacy principles and is based on the premise of asking the citizen for limited access to their data for a secure reusable identity verification process to be established. 

“There is no mention of Verify in the bill or in the supporting documents. We think this is cause for concern as it shows a lack of communication with experts working in government on data sharing,” said Big Brother Watch..