
Government privacy advisor quits and slams Cabinet Office for lack of support

Co-chair of Privacy and Consumer Advisory Group resigns and criticises officials for ignoring its advice and attempting to smuggle “inadequate proposals past ministers”

A top government advisor on data privacy has quit, claiming a lack of ministerial support and slamming government officials for failing to ask for advice or take it on board.

Jerry Fishenden has resigned from his position as co-chair of the Cabinet Office’s Privacy and Consumer Advisory Group (PCAG), which was set up by then-Cabinet Office minister Francis Maude in 2011 with the aim of providing government with independent advice on how to provide users with trusted and secure ways of accessing public services. For example, PCAG set out the privacy principles that are meant to govern the controversial Verify identity assurance system.

Announcing his departure on his blog, Fishenden said over the years, the group has reviewed several government initiatives, including the disastrous scandal and “the inadequacy and fraud risks of data-sharing”, but that since Maude’s departure from government, the group has had less support and encouragement at a ministerial level. 

“Without such backing, those officials who find the group ‘challenging’ have found it easier to ignore it, attempting instead to smuggle their inadequate proposals past ministers without the benefit of the group’s independent expert assistance,” he said.

He cited Part 5 of the Digital Economy Bill (now Act), which relates to data sharing, as an example of the PCAG’s advice being ignored.

Fishenden was part of a group of experts who last year criticised the bill for failing to provide enough detail and scrutiny around its data-sharing commitments, saying it was changing the relationship between citizen and state by putting government ministers “in control of citizens’ personal data”.

“In Francis Maude’s day these problems with Part 5 of the Digital Economy Bill and its associated codes of practice would have been highlighted and fixed with the help of the group, rather than causing ministerial embarrassment and confusion when they were published in a disappointingly amateurish and technically illiterate state,” Fishenden said in his blog announcing his resignation.

He added that PCAG was set up to be a “canary that could flag and help fix policy and technological issues before they got too far down the policy/Bill process”, but that despite repeatedly trying to ensure continued engagement and backing following Maude’s departure, it has had little response and backing from subsequent ministers.


The group has sent letters to previous Cabinet Office minister Matt Hancock and the current minister, Ben Gummer, inviting them to meet with PCAG, all of which have gone unanswered and unacknowledged.

“Despite repeated attempts by GDS to chase a response from the Cabinet Office minister's office, there has been no acknowledgement or response to either letter,” he said.

“I can only assume that PCAG’s canary function is either no longer understood, or no longer wanted. And if the group is no longer wanted – well, surely it would be much better all-round if someone just said so openly?”

In response to the criticism, a Cabinet Office spokesperson said that members from the Government Digital Service (GDS) have met with PCAG seven times in the last 12 months and that the group is one of several being consulted.

 "Views from many groups, including PCAG, were taken into account when establishing the Digital Economy Act 2017," the spokesperson said. 


Join the conversation



Sadly, my experience has been similar recently around digital, ICT and cybersecurity skills. I was invited in for a meeting, but came away from it with the feeling that nothing much would happen as this area falls between 2 ministers who are in different places in their journey of understanding this, and those I met seemed resigned to not making much progress. It is a sorry state of affairs when a small niche company with an HQ in the U.K., that is acknowledged as being at the forefront of helping governments and organisations use a globally accepted skills framework which originated in the U.K., is proactively approached by other governments and is able to help them get significant value, and can't seem to get traction from the UK government to help it be the global leader it really should be. We're here and willing to help guys, we just need an attitude adjustment and some pragmatism and urgency.
I am surprised that Jerry lasted so long before he resigned. We can probably expect the rest of the expert advisors to follow unless there is a reset after the Brexit election purdah because their concerns have been ignored. For example Verify still cannot handle people with more than one legal identity e.g. married women who may do transactions under either their married or their maiden names and lacks robust processes for handling impersonation - e.g. after it has been found/alleged that the identity of a pensioner has been registered by a fraudster and the first they suspect anything is when their benefit stops arriving. Hence the reason neither DWP nor HMRC will use it.
Verify cannot handle people with more than one legal identity because the Verify concept is flawed. As Philip points out, identity is socially constructed and not unique. In the physical world it is possible to relate multiple identities in different social contexts (eg using married name or maiden name in different circumstances) to a single instance of a person. In the digital world there is no equivalent single instance of an entity, just multiple digital identities. A digital identity can never be tied unequivocally to a unique physical individual, although there may be a preferred and sufficiently trustworthy digital identity that is accepted in a given social context such as credentials provided for interactions with a specific government department, or digital credentials provided for an employee to access the employer’s IT systems. Mathematically, attempts to tie an individual’s preferred credentials for government (which are held by a commercial third party under the Verify model) to a physical individual by algorithmically investigating and comparing that individual’s multiple online identities will automatically result in a significant proportion of failures, however much digital personal data is collected. The unacceptably high proportion of failures observed in Verify's performance data is a direct result of Verify’s design. As Jerry says - it is time for a rethink!