Opinion: The Digital Economy Bill will move control of personal data away from citizens to the state, writes Jerry Fishenden
Governments around the world want to make better use of data to improve public services and to become more efficient, modern and ‘digital’. They are in an ideal position to lead by example, applying best legal and technical practices to make better use of data without mimicking the sloppy data-invasive practices and growing cyber fraud of the worst of the private sector.
This desire to be make smarter use of data is behind Part 5 of the Digital Economy Bill, currently working its way through Parliament, which gives Government ministers new rights to share our personal information with public and commercial bodies. If the bill is passed in its current form, personal data you give to the Department for Work and Pensions, for example, can be shared with a commercial organisation such as an energy company without your knowledge or consent.
These new powers weaken the existing consent based approach for protecting personal data with the aim of improving public services (although there is remarkably little detail on how these service improvements will actually happen).
Reducing rights
They will reduce the rights and privacy of individuals at a time when the public is increasingly concerned about information security and data protection, flying in the face of the fact that a survey for the Information Commissioner’s Office (ICO) has shown that 70% are worried about the risk of their personal information being shared with other bodies without their consent.
The Government’s intention is admirable – to improve the wellbeing of the most vulnerable in society, and to identify and prevent the opportunity for fraud. However, removing citizen control over the use of their own personal data is inconsistent with existing and upcoming data protection law (the Data Protection Act and the General Data Protection Regulation).
It runs the risk of increased data misuse and fraud – the very opposite of the outcome intended. We already know from the recent National Audit Office report, Protecting information across government, that government struggles to protect information, with nearly 9,000 data breaches recorded by the 17 largest departments in 2014-15 alone.
The data proposed to be shared appears to be almost limitless, potentially including details such as name, address (current and previous), birth certificate, ethnicity, passport number, driving licence number, marriage or civil registration certificate, children’s names, income, credit history, DNA and genetic information, tenancy records, education records, police files and social work records.
Sharing such sensitive personal data is likely to create significant new security and fraud headaches elsewhere. For example, personal information such as date of birth, family details, current and previous addresses, place of birth, passport number, and postcode are regarded as privileged personal information, commonly used for securing access to online bank accounts and online identity proofing.
Raising risks
Opening up the pool of organisations and people with access to citizens’ sensitive personal data ironically runs the risk of increased cyber-attacks at the time the Government is also making significant investments in the new National Centre for Cyber Security.
The decision on what personal data to share and when will be made by Government ministers who are required to advise the information commissioner, but with no clear right of veto or amendment by the commissioner.
There is also no provision in the bill to require Parliament to take action on advice from the information commissioner. Even if it takes such advice seriously, it will be unable to amend the data sharing, with the commissioner only able to exert an influence before new personal data sharing is enacted.
Although the bill and related codes may be intended to strike a fair balance between unilateral intervention by the Government and the interests of the people affected, its current wording contains inadequate detail of the legal and technical controls for personal data sharing. The related codes of practice are similarly lacking. It is also well known that de-identification of personal information is not the same as ensuring anonymity: by linking data, which this bill will permit, re-identifying an individual becomes highly likely.
The Government has recently signalled its intent to implement the EU General Data Protection Regulation (GDPR), and there are numerous areas of the bill in contention with the GDPR.
Different rules
For example, the regulation requires that personal data is used only for the purposes for which it was provided, and can only be used for other purposes with the knowing consent of the individual or individuals concerned. It will become cumbersome for our digital economy if organisations need to apply one set of rules for UK citizens’ data and another for that of EU citizens in order to prove the UK is compliant with the GDPR.
Moving to digital government should be about finding smart ways to reduce the burden of red tape and simplifying compliance, not about complicating it.
The bill will take control of personal data away from the citizen and move it to the state, but without providing a strong technical or legal case for this major change. It creates a significant risk to the principle of informed consent that sits at the heart of good data security.
It also sets a poor example to the commercial sector at the very time when government should be showcasing how best technical and legal practice can deliver the upside of better use of data without compromising security and privacy.
We already have a good code of practice on data sharing from the Information Commissioner’s Office. Government’s policy objectives can be better achieved through a more effective, digitally literate approach that enables secure, citizen trusted use of data that is entirely compliant with the GDPR and DPA, and which applies best technical practice to minimise the risk of security breaches caused by insiders and external antagonists.
Proper scrutiny
Where there is a clear need to permit the sharing of citizens’ personal data without their consent (such as to combat fraud), the Government’s intentions, including the necessary legal and technical safeguards, should be set out in primary legislation to enable proper scrutiny and public understanding.
Doing so will establish a set of security guidelines for officials and bodies to comply with, and to be held accountable, when using our personal data. And we should follow the Estonian Government’s lead and let citizens see which officials have accessed their personal data, helping ensure transparency and trust.
It is essential that we get these provisions to make better use of data right. We need to ensure they benefit the UK’s digital economy, rather than losing public trust by repeating the NHS care.data debacle on a much larger, and more damaging, scale.
The UK Government should not be emulating the worst, data-invasive and insecure practices of the private sector: digital government should be about empowering citizens, not sidelining them. So let’s rethink Part 5 of the Digital Economy Bill and seize the opportunity to become a world leading, trusted exemplar of data driven, citizen centred public services built on best technical and legal practice.
Jerry Fishenden is Co-Chair of the Cabinet Office’s Privacy and Consumer Advisory Group and co-author of the best-selling book Digitizing Government.