better use of data
Jerry Fishenden
2016/17
why data matters – some examples
Improving the accuracy and quality of decisions
Improving the relevance, quality and timeliness of services
Providing an open resource for innovation
Data for informing legislation, regulation, policy and decision-making – socio-economic and related data, visualisation, maps, analytics, etc.
Personal, often sensitive, data relating to citizen biographics, circumstances, needs, status
Public data that are open, or available to license, to enable innovation and economic development – e.g. real time transport data, detailed data about public resourcing & expenditure, etc.
first principles
Not all data is equal
Some is open and public …. e.g. train timetables; Local Authority annual accounts (partially)
… and some private, personal and sensitive, e.g. a personal medical record; at risk children
the challenge
How do you make effective, appropriate, use of data when it’s dispersed in many different places and has different levels of sensitivity and protection?
Organisation 1 data
Organisation 2 data
Organisation 3 data
the reality
Keeping data close to where it’s needed and separate from other data can be both efficient, and good security and privacy practice
Health records
Financial records
Education records
the reality
But data can also be fragmented because of poor organisational and service design, making it difficult to know whether someone is entitled to a service
Financial records
(HMRC)
Health records
(NHS)
Social care records
(DWP and local authorities)
Is Jo eligible for Meals on Wheels? (none of the three record sets can answer this on its own)
Jo’s story
Better use of data can help improve Jo’s services without invading Jo’s privacy, or risking fraud and security breaches
I want my services to be delivered to me quickly and easily. But I don’t want lots of people knowing all about my personal affairs.
“data sharing”
a recap
the paper-age legacy
Before computer systems, to ensure that more than one person or team could access data it was duplicated and physically shared with others – what has become known as “data sharing”
traditional approaches to data sharing
Hi, tell me what you know about John Smith
John Smith is 43. He lives at 123 The Street. He earned £14,300 last year.
traditional approaches to data sharing
John Smith is 43.
He lives at 123 The Street.
He earned £14,300 last year.
Everyone gets their own copy
traditional approaches to data sharing
John Smith is 43
He lives at 123 The Street
He earned £14,300 last year
Everyone gets together to share what they know
computer data sharing – traditional but digital
John Smith is 43.
He lives at 123 The Street.
He earned £14,300 last year.
Data shared / copied – partial or in full – via e.g. file transfer protocol (FTP) or secure file transfer protocol (SFTP). Or by USB stick, DVD, courier, carrier pigeon etc.
problems with data
The Deputy National Security Advisor, Intelligence Security and Resilience said in evidence:
“…we don’t have sufficiently specific guidance from the Information Commissioner’s Office on what should and should not be reported……There is some exact language…in the terminology used by the Information Commissioner, and you will see it is very broad. The latest guidance states, “If a large number of people are affected or there are very serious consequences, you should inform the ICO.” That is open to interpretation if one delivers services.”
He went on to say:
“…we are going with the Information Commissioner to work for clearer standards so that it is more straightforward for Departments, and frankly to improve conduct.”
The evidence session also revealed that no mandatory training of staff about how to handle data breaches currently takes place across government. There is no mandatory requirement to report a breach if it occurs.
evidence to the PAC hearing on the NAO report
problems with data – nothing new
problems with data
Using paper-age “data sharing” in the age of digital information is part of the reason for massive data breaches at pace and scale – a better approach is needed
known issues with “data sharing”
John Smith is 44.
He lives at 321 Park Heights.
He earned £22,100 last year.
Oops. When the original data source is updated, copies become out of date.
Data rusts.
consent
Joan Smith is 43.
She lives at 123 The Street.
She earned £14,300 last year.
The citizen gave her data to one organisation for one specific purpose
Her data cannot be used for other purposes without her informed consent
consent “get around” – data sharing gateways
Joan Smith is 43.
She lives at 123 The Street.
She earned £14,300 last year.
The citizen gave her data to one organisation for one specific purpose
But data sharing gateways enable one or more organisations to share data subject to a specific agreement
“... provisions which authorise the use and sharing of information other than for the purpose for which it was originally obtained, although subject to restrictions and conditions…”
… but they can also undermine trust
… but 1-2-1 gateways don’t scale well …
known issues
Data handed to third parties is no longer under the original data owner’s control
John Smith is 43.
He lives at 123 The Street.
He earned £14,300 last year.
Data can be compromised – either through accident or intent – and without the original data owner knowing
known issues
Data handed to third parties – with the best of intent – can compromise the safety of the data subject. This can be a matter of life and death.
Joe is an at risk child. He is at a secure address. The details are …..
Joe
known issues
Personal data is often used for online security and authentication checks such as online banking
Mother’s maiden name
Date of Birth
Place of Birth
Memorable date
Sharing bulk data – civil registration data such as births, marriages, etc. – could compromise existing security assurance processes, automating and facilitating fraud
Parent’s names
Children’s names
Date of Birth
Place of Birth
etc.
first principles
What is “data sharing” trying to achieve? Perhaps we could better describe it as something like ….
“Ensuring timely access to accurate data in order to make an efficient and well-informed decision with a high quality outcome”
first principles
We need to find better, more secure, means of achieving this outcome – which means better solutions than paper-age “data sharing”
“Ensuring timely access to accurate data in order to make an efficient and well-informed decision with a high quality outcome”
digital systems can enable better use of data – whilst also ensuring more secure access and protection
We have things such as
Zero knowledge proof
APIs
Encryption
Authentication and authorisation
Attribute / claim confirmation
zero knowledge proof
a method by which one party can prove to another party that a given statement is true, without conveying any information apart from the fact that the statement is indeed true
I am entitled to discounted energy pricing
I am over 21
I am legally resident in the UK
Does not release e.g. full date of birth
Does not release e.g. details of financial circumstances
Does not release e.g. personal details such as passport information
A technique in existence since the early 1980s
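The slide describes the property but not the mechanism. The following is an added example, not the deck's own material: a non-interactive Schnorr proof of knowledge (Fiat-Shamir), the classic construction behind the "prove the statement, reveal nothing else" idea. The holder proves it knows the secret x behind a public value y = g^x mod p without disclosing x. Binding y to a statement such as "holder is over 21" (the way a credential issuer would) is an assumption of this example, as are the hash-to-challenge encoding and the toy 64-bit group, which is generated with a fixed seed purely so the example is reproducible.

```python
"""Non-interactive Schnorr proof of knowledge (Fiat-Shamir transform).

Constructed illustration: the prover shows it knows the secret x behind
y = g^x mod p without revealing x. A credential issuer could bind y to a
statement ("holder is over 21"); the holder then proves possession of the
credential rather than handing over the date of birth it was derived from.
"""
import hashlib
import random
import secrets


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (probabilistic, error < 4^-rounds)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64, seed: int = 1):
    """Find a safe prime p = 2q + 1 with a fixed seed so the example is
    reproducible. 64 bits is a toy size (assumption for illustration only);
    real deployments use standardised 2048-bit+ groups or elliptic curves."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if _is_probable_prime(q) and _is_probable_prime(p):
            return p, q, 4   # 4 = 2^2 is a quadratic residue, so it generates the order-q subgroup


P, Q, G = make_group()


def keygen():
    """Holder's secret x (never disclosed) and its public value y."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(y: int, t: int, statement: str) -> int:
    """Fiat-Shamir: derive the challenge from everything the verifier sees."""
    data = f"{G}|{P}|{y}|{t}|{statement}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, y: int, statement: str):
    r = secrets.randbelow(Q - 1) + 1    # fresh nonce; reuse would leak x
    t = pow(G, r, P)                    # commitment
    c = _challenge(y, t, statement)
    s = (r + c * x) % Q                 # response: x is masked by the random r
    return t, s


def verify(y: int, statement: str, proof) -> bool:
    """Checks g^s == t * y^c; the verifier learns nothing about x."""
    t, s = proof
    c = _challenge(y, t, statement)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def demo():
    x, y = keygen()
    proof = prove(x, y, "holder is over 21")
    ok = verify(y, "holder is over 21", proof)            # genuine proof
    wrong_statement = verify(y, "holder is over 18", proof)  # proof bound to a different statement
    t, s = proof
    forged = verify(y, "holder is over 21", (t, (s + 1) % Q))  # tampered response
    return ok, wrong_statement, forged


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The verifier sees only (t, s) and the statement; because s is masked by the random r, the transcript is indistinguishable from one an honest verifier could have simulated without x, which is what "conveys no information apart from the fact that the statement is true" means in practice.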
APIs … an abbreviation for Application Programming Interface – an interface that lets one computer talk to another computer
Example: using APIs would enable a citizen to have a single view of their financial interactions with central government by bringing together their data from departments such as DWP and HMRC
APIs
Your account
Modern Web-based APIs have been in use since around 2000
encryption
a cryptographic means of protecting data at rest and in motion so that it can be accessed and used only by authorised people or systems
Data at rest – unencrypted. Anyone with access to the data can read and use it.
Data at rest – encrypted. Only authenticated and authorised users and systems can access the data to read and use it.
Data in motion – unencrypted. Anyone with access to the network or communications method or channel (such as USB stick or network) can access and use the data.
Data in motion – encrypted. No-one without the decryption key can access and use the data.
authentication and authorisation
authentication
a means of ensuring that people or systems are who they claim to be
authorisation
ensuring that an authenticated person or system only accesses the data or processes that they are authorised to access
We have successfully authenticated that this is Joe …
… and that Joe is authorised to see this data …
… but Joe is not authorised to see this data
attribute / claim confirmation
a means of confirming something without unnecessary disclosure or sharing of personal information
Current “data sharing” practice – full records copied from one system or organisation to another
ORG2 → ORG1 (data request): “Give me a copy of Joan’s address so I can check where she lives”
ORG1 → ORG2 (shared data response): Joan, 123 The Street, Anytown, B1 1B
attribute / claim confirmation
a means of confirming something without unnecessary disclosure or sharing of personal data
Data driven service for Joan (illustrative only … not necessarily legally compliant):
Local authority – Is Joan a resident of this local authority? YES / NO
DVLA – Does Joan own a car registered at this address? YES / NO
Resident’s parking permit automatically issued or declined
Data is not shared – details are confirmed without disclosure
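The parking-permit flow above combines three of the building blocks listed earlier: an API, authentication and authorisation of the caller, and attribute confirmation. The following added example (constructed here, not the deck's or any department's code) shows how the pieces fit. Two data holders, a local authority and the DVLA, each answer one yes/no question over an API; a hypothetical permit service calls both with the address Joan supplied in her own application. Each holder authenticates the caller's API key, checks that caller is authorised for that particular question, logs the answer for audit, and never returns the underlying record. The records, keys, address and question names are all assumptions of the example.

```python
"""Attribute confirmation through a narrow API instead of record copying.

Constructed example: each holder keeps its full record and exposes only
YES/NO answers to named questions. Callers are authenticated (API key) and
authorised (scope per question); every answer is logged for audit.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class AttributeService:
    name: str
    records: dict        # subject id -> full record (stays inside the service)
    questions: dict      # question name -> function(record, **params) -> bool
    api_keys: dict       # api key -> {"caller": name, "scopes": set of questions}
    audit_log: list = field(default_factory=list)

    def _authenticate(self, api_key: str):
        """Constant-time comparison against each known key."""
        for known, principal in self.api_keys.items():
            if hmac.compare_digest(known.encode(), api_key.encode()):
                return principal
        return None

    def confirm(self, api_key: str, question: str, subject_id: str, **params) -> bool:
        """Answer YES/NO; the record itself is never part of the response."""
        principal = self._authenticate(api_key)
        if principal is None:
            self.audit_log.append((self.name, None, question, subject_id, "unauthenticated"))
            raise PermissionError("unauthenticated caller")
        if question not in principal["scopes"]:
            self.audit_log.append((self.name, principal["caller"], question, subject_id, "forbidden"))
            raise PermissionError(f"{principal['caller']} is not authorised to ask {question}")
        record = self.records.get(subject_id)
        answer = bool(record is not None and self.questions[question](record, **params))
        self.audit_log.append((self.name, principal["caller"], question, subject_id, "YES" if answer else "NO"))
        return answer


JOAN_ADDRESS = "123 The Street, Anytown, B1 1BB"   # constructed sample value


def build_services():
    """Constructed registers and API keys for the walk-through."""
    local_authority = AttributeService(
        name="Local authority",
        records={"joan": {"name": "Joan Smith", "address": JOAN_ADDRESS, "council_tax_band": "C"}},
        questions={"is_resident_at": lambda rec, address: rec["address"] == address},
        api_keys={
            "permit-service-key": {"caller": "permit-service", "scopes": {"is_resident_at"}},
            "contractor-key": {"caller": "contractor", "scopes": set()},   # known, but allowed nothing
        },
    )
    dvla = AttributeService(
        name="DVLA",
        records={"joan": {"vehicles": [{"reg": "AB12 CDE", "keeper_address": JOAN_ADDRESS}]}},
        questions={"vehicle_at_address": lambda rec, address: any(
            v["keeper_address"] == address for v in rec["vehicles"])},
        api_keys={"permit-service-key": {"caller": "permit-service", "scopes": {"vehicle_at_address"}}},
    )
    return local_authority, dvla


def decide_permit(local_authority, dvla, subject_id, address, api_key="permit-service-key") -> bool:
    """Issue a resident's parking permit only if both confirmations are YES.

    The permit service supplies the address the applicant gave it; neither
    holder discloses anything beyond the YES/NO answer."""
    resident = local_authority.confirm(api_key, "is_resident_at", subject_id, address=address)
    has_vehicle = dvla.confirm(api_key, "vehicle_at_address", subject_id, address=address)
    return resident and has_vehicle


if __name__ == "__main__":
    la, dvla = build_services()
    print(decide_permit(la, dvla, "joan", JOAN_ADDRESS))                # True
    print(decide_permit(la, dvla, "joan", "9 Other Road, Elsewhere"))   # False
    for entry in la.audit_log + dvla.audit_log:
        print(entry)
```

The audit log is the control that "data sharing" by file copy never gives you: each holder can see exactly who asked what about whom and when, and a key that is compromised can be withdrawn at the holder rather than chasing copies of the register.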
the Digital Economy Bill
Part 5 - data sharing
DE Bill intent
to make better use of data – accurate, timely data will help improve our public services
DE Bill major proposals
DE Bill issues
DE Bill issues – conflicts with GDPR
| GDPR requirement | Part 5 |
|---|---|
| 1. Data must not be used to monitor the behaviour of people in a way which could be seen as profiling. | Part 5 of the DE Bill wants to share data in order to “flag identified persons” entitled to receive assistance. This appears to be profiling, in conflict with the GDPR. Also, there is no mention of the emphasis that should be given to data minimisation. |
| 2. “Data held by public authorities should only be disclosed when a written, reasoned and occasional request has been made and should not be shared as a filing system in a way that could lead to the interconnection of filing”. | The general purpose of Part 5 of the DE Bill does not appear well aligned to the GDPR. It seems to default to the ability for organisations to share data without consent where the organisation, not the individual, makes the decision alone, and effectively seems to be proposing an approach analogous to a public sector wide file sharing system (the “data sharing” it proposes) – apparently in conflict with the GDPR. |
| 3. Pseudonymised data should be considered identifiable information. Also, Recital 26 states that “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” | Recital 26 raises the question of how well personal data can truly be anonymised – there is a body of research / evidence about the problems associated with truly anonymising data and hence the potential for re-identification. Such difficulties suggest that in practice the GDPR will apply where data can be, or proves to be, re-identifiable even if an organisation intends or believes the data to have been anonymised. De-identified data is not necessarily anonymised data: where are the de-identification regulations / frameworks? If any exist, they do not seem to be referenced in Part 5. |
| 4. People should be aware of the risks, rules, safeguards and rights in relation to the processing of their personal data. | If data is shared beyond the organisation or individual to whom it was originally provided and without their consent or knowledge, it is unclear how citizens will be updated on the additional risks inherent in opening up their data to additional organisations and people. |
DE Bill issues – conflicts with GDPR
| GDPR requirement | Part 5 |
|---|---|
| 5. The exact purpose for the need of the data should be explained at the point the data is requested. | Part 5 appears to cut across the GDPR since it proposes to “data share” or “disclose” data, meaning that it is, in such circumstances, no longer being used for the exact purpose for which it was originally requested and provided. “Data sharing” implies uses of the data other than that for which they were originally supplied. |
| 6. Processing should only happen if there is no alternative way. | There already exist other ways that the objectives of making better use of data can be achieved without copying it around more organisations. |
| 7. Data is only lawfully processed if consent has been given by the individual. The GDPR also gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing. | In the context of “data sharing” (undefined), the consent issue becomes problematic: for example, how will consent be withdrawn if data have been widely “shared” and dispersed across multiple organisations over whom the original data controller has no jurisdiction? |
| 8. The data controller should be able to prove that consent has been given (an automatically completed tick box is not considered consent). | Part 5 appears to be proposing a system of data sharing in which consent is not explicitly provided, but is determined by the decisions of “specified persons” rather than the citizen. This appears to place it in direct conflict with the GDPR. |
the Bill doesn’t solve significant issues such as … this … or this
it mainly seems to be a (clumsy) way of solving this … replacing 1-2-1 “data sharing” gateways with … widespread “data sharing”
DE Bill Part 5 improvements?
Largely as House of Lords proposed amendments:
And also it needs to be brought into full compliance with the GDPR
… but it’s the Codes of Practice that need significant improvements – and to be mandated
better use of data – some potential improvements
DE Bill – how it could work (simplified … not necessarily legally compliant)
1. Jo authorises disclosure of minimal information for meals on wheels
GP – Has a valid medical condition? YES / NO
DWP – Registered disabled? YES / NO
Local Authority – Is a council resident? YES / NO
2. If all checks are passed, Jo receives meals on wheels
Not “data sharing” – but better use of data with active citizen consent
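The simplified flow above turns on one thing the GDPR table earlier in the deck says Part 5 lacks: consent that the citizen gives, that is provable, and that can be withdrawn as easily as it was given. The following added example (constructed here; not the Bill's, the deck's or any department's design) shows one way to make that concrete. A hypothetical consent service issues Jo a grant naming exactly three yes/no checks and one purpose, signed with a key assumed to be shared with the data holders. Each holder verifies the signature, expiry and purpose, asks the consent service whether the grant has been withdrawn, and only then answers from its own records. Because no copies were made, withdrawal takes effect for every holder at once. The records, key, attribute names and the HMAC-based signing are all assumptions of the example.

```python
"""Active citizen consent for minimal disclosure (constructed example).

Jo authorises three specific YES/NO checks for one purpose. Data holders
answer only while a signed, unexpired, unwithdrawn grant covers the exact
check and purpose asked for; they never release the underlying record.
"""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key"   # assumption: distributed to holders out of band


def _sign(body: dict) -> str:
    """HMAC over the canonical JSON of the grant body (assumed scheme)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


class ConsentService:
    """Issues, records and withdraws grants on the citizen's instruction."""

    def __init__(self):
        self._next_id = 1
        self.withdrawn = set()

    def grant(self, citizen: str, purpose: str, permitted: list, ttl: int = 3600) -> dict:
        body = {
            "id": f"grant-{self._next_id}",
            "citizen": citizen,
            "purpose": purpose,
            "permitted": sorted(permitted),      # "Holder:attribute" pairs Jo agreed to
            "expires": int(time.time()) + ttl,
        }
        self._next_id += 1
        return {"body": body, "sig": _sign(body)}

    def withdraw(self, grant_id: str) -> None:
        self.withdrawn.add(grant_id)

    def is_withdrawn(self, grant_id: str) -> bool:
        return grant_id in self.withdrawn


class DataHolder:
    def __init__(self, name: str, consent: ConsentService, records: dict, checks: dict):
        self.name = name
        self._consent = consent
        self._records = records      # stays inside the holder
        self._checks = checks        # attribute -> function(record) -> bool

    def confirm(self, grant: dict, attribute: str, purpose: str) -> bool:
        """Answer YES/NO only if the grant genuinely covers this exact check."""
        body = grant["body"]
        if not hmac.compare_digest(_sign(body), grant["sig"]):
            raise PermissionError("grant signature invalid")
        if body["expires"] < time.time():
            raise PermissionError("grant expired")
        if self._consent.is_withdrawn(body["id"]):
            raise PermissionError("consent withdrawn")
        if body["purpose"] != purpose or f"{self.name}:{attribute}" not in body["permitted"]:
            raise PermissionError("grant does not cover this check")
        record = self._records.get(body["citizen"], {})
        return bool(self._checks[attribute](record))


def meals_on_wheels_decision(grant, gp, dwp, council) -> bool:
    """Step 2 of the flow: all three checks must be YES."""
    checks = [(gp, "valid_medical_condition"),
              (dwp, "registered_disabled"),
              (council, "is_council_resident")]
    return all(holder.confirm(grant, attr, "meals-on-wheels") for holder, attr in checks)


def build_demo():
    """Constructed holders and records for Jo."""
    consent = ConsentService()
    gp = DataHolder("GP", consent, {"jo": {"conditions": ["condition-X"]}},
                    {"valid_medical_condition": lambda r: bool(r.get("conditions"))})
    dwp = DataHolder("DWP", consent, {"jo": {"disability_registered": True}},
                     {"registered_disabled": lambda r: r.get("disability_registered", False)})
    council = DataHolder("Council", consent, {"jo": {"council": "Anytown"}},
                         {"is_council_resident": lambda r: r.get("council") == "Anytown"})
    return consent, gp, dwp, council


def _outcome(fn) -> str:
    try:
        return "allowed" if fn() else "NO"
    except PermissionError as exc:
        return str(exc)


def demo() -> dict:
    consent, gp, dwp, council = build_demo()
    permitted = ["GP:valid_medical_condition", "DWP:registered_disabled", "Council:is_council_resident"]
    grant = consent.grant("jo", "meals-on-wheels", permitted)          # step 1: Jo authorises
    tampered = {"body": dict(grant["body"], citizen="joan"), "sig": grant["sig"]}
    results = {
        "granted": meals_on_wheels_decision(grant, gp, dwp, council),
        "wrong_purpose": _outcome(lambda: gp.confirm(grant, "valid_medical_condition", "marketing")),
        "tampered": _outcome(lambda: gp.confirm(tampered, "valid_medical_condition", "meals-on-wheels")),
    }
    consent.withdraw(grant["body"]["id"])                              # as easy as giving it
    results["after_withdrawal"] = _outcome(lambda: meals_on_wheels_decision(grant, gp, dwp, council))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "purpose" field is what keeps this on the right side of GDPR point 5: a grant given for meals on wheels cannot be reused to answer the same question for a different purpose, and point 7's withdrawal problem disappears because there is nothing dispersed to recall.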
biggest issues
DE Bill Part 5 and related Codes of Practice / GDPR
Capabilities (Whitehall, supply chain)
No systematic mapping of data / existing landscape in government
No vision of where headed
No data strategy
No API strategy
Lack of a viable, trusted identity framework
acknowledgements
Icons / images from Freepik. Includes icons by Pixel perfect and madebyOliver
Other icons from the OSA Icon Library
“better use of data”
This work is licensed under the Creative Commons
© Jerry Fishenden, 2016/17