The Data Protection Bill reaches the Commons

Updated: 16 April: the Bill has been renumbered again. All clauses 185-188 are now numbered 183-186. No other meaningful changes…

Updated 11 March: short briefing for commons committee stage

The Data Protection Bill has reached the Commons. We have 3 briefings on the Bill and an annex on the proposal to make DCMS the lead department for data processing by Government:

(We were expecting 2nd reading this Tuesday/Wednesday, but it’s possible the Whitehall bickering over the DCMS data grab has delayed it; if DCMS has put the politics of empire building ahead of the legislative schedule, that is a really good indicator that they shouldn’t take over the GDS data function…). Those two links (which were published after the briefing was first circulated) confirm that what is currently the Cabinet Office’s ‘data science ethics framework’ may get rewritten by DCMS to become the ‘Framework for Data Processing by Government’. For that task, even the iteration that has been discussed is entirely unfit for purpose.

GDPR and Transparency in Government

The EU’s Article 29 Working Party held a consultation on their transparency guidance and, with an efficiency that probably infuriates Boris Johnson, ignored late submissions.

For the UK’s NHS, the GDPR is generally just a restatement of the existing ethical good practice that medical bodies should have been following anyway – but it does provide an opportunity (and necessity) to review past decisions and bring them up to scratch (and blame the EU for having to do it).

The main new provisions for the NHS, and the topic of A29WP’s recent transparency consultation, are the provisions about what transparency and provision of information to the data subject mean. Even that isn’t that new – but it is something that Government has paid lip service to for some time (remember the care.data junk mail leaflets?). That leaves a simple question:

What should transparency look like in practice?

For the NHS, there must be an electronic report on how data was used. NHS Digital keeps track, and with a digital login to the NHS (via Patient Online), the patient can see where data went, why, and what the benefits of those projects turned out to be, and, if they wish, read the published papers (and simpler explanations) that resulted from those uses.

The rest of UK Government lags behind the NHS and is far more murky. Clearly stated in the “Better Use of Data” section of the Technology Code of Practice is a requirement that “the service should clearly communicate how data will be used”, which is akin to the GDPR. Unusually for a GDS recommendation, there is no exemplar given – here is ours.

The best way for an ongoing transactional service to communicate how data will be used next month is to show how it was used last month. For any data derived from a digital service behind a login (e.g. any eIDAS-compliant system, such as GOV.UK Verify), on any subsequent login a full accounting of how data on that data subject was accessed, copied, analysed or disseminated should be available to that data subject.

The best way to know how your data will be used next month is to see how it was used last month. Processes will change over time, but not that rapidly.

This information must also be accurate. It is unclear what the consequence of providing misleading information currently is, but there should be one in a post-GDPR world. Mistakes are a prima facie breach of fair processing, and potentially cause serious distress, which is a clear breach of current law.

Taking an example of where information could and should be provided, let’s look at Universal Credit: How much burden is placed on the entire system by the fact that how data is used inside UC & DWP is clouded in secrecy and consequent distrust?

The transparency obligations from GDPR do not extend to investigation of fraud or crimes, so it is not universal, but there are many other consequences of the current system which can be mitigated by informing citizens. UC is already a fully digital service, where users login repeatedly, and access and reuse of data by DWP is already (mostly) logged.
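As an added illustration (not code from the post, nor from DWP or NHS Digital), here is a minimal per-subject usage report of the kind described above, built from constructed audit entries: it lists the four actions (accessed, copied, analysed, disseminated) with actor and purpose, refuses to render an entry it cannot describe accurately, and withholds entries flagged as fraud or crime investigation, which the transparency duty does not cover. All field names, actors and entries are assumptions.

```python
from collections import Counter

# Constructed audit entries, one per use of a claimant's record. The fields
# are assumptions about what a service would log: who, what, why, and the
# legal basis. "restricted" marks fraud/crime investigation work, which the
# GDPR transparency duty does not extend to.
AUDIT_LOG = [
    {"subject": "S-0001", "ts": "2018-03-02T09:14:00", "actor": "uc-caseworker-17",
     "action": "accessed", "purpose": "payment calculation", "basis": "public task"},
    {"subject": "S-0001", "ts": "2018-03-05T11:02:00", "actor": "uc-analytics",
     "action": "analysed", "purpose": "monthly caseload statistics", "basis": "public task"},
    {"subject": "S-0001", "ts": "2018-03-09T16:40:00", "actor": "fraud-investigation",
     "action": "copied", "purpose": "fraud enquiry", "basis": "crime prevention",
     "restricted": True},
    {"subject": "S-0001", "ts": "2018-03-20T08:30:00", "actor": "hmrc-rti-feed",
     "action": "disseminated", "purpose": "earnings reconciliation", "basis": "public task"},
    {"subject": "S-0002", "ts": "2018-02-11T10:00:00", "actor": "uc-caseworker-03",
     "action": "accessed", "purpose": "change of circumstances", "basis": "public task"},
]

# The four things the post says a subject should be told happened to their data.
ACTIONS = ("accessed", "copied", "analysed", "disseminated")


def subject_report(log, subject, month):
    """Build the report shown to one data subject at login for a month (YYYY-MM).

    Restricted entries are dropped without leaving a trace (no count is
    returned, so the report does not reveal that an investigation exists).
    An entry with an action the report cannot describe raises rather than
    being shown, because an inaccurate report is worse than no report.
    """
    shown = []
    for entry in log:
        if entry["subject"] != subject or not entry["ts"].startswith(month):
            continue
        if entry["action"] not in ACTIONS:
            raise ValueError(f"cannot describe action {entry['action']!r} accurately")
        if entry.get("restricted"):
            continue  # outside the transparency duty; not disclosed, not counted
        shown.append({k: entry[k] for k in ("ts", "actor", "action", "purpose", "basis")})
    shown.sort(key=lambda e: e["ts"])
    return {
        "subject": subject,
        "month": month,
        "events": shown,
        "by_action": dict(Counter(e["action"] for e in shown)),
    }
```

The report is regenerated from the log at each login, so what the subject sees last month is exactly what the service can account for, not a description of policy.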

UC used to have such a screen visible to claimants – but the DWP civil servants insisted it be turned off as the Minister might like it. Of course the Minister would like it, as it would be an evidence base of facts and accurate information for a citizen on what the Department actually did – the thing for which the Minister gets held publicly accountable. With an audit trail visible to those involved, there will be fewer scandals that land on the Secretary of State’s desk when the stated policy was one thing but the actions of the Department were contradictory.

It is only where ministers deliberately mislead the House that GDPR accountability is a negative…

Access to Individual level Data

As part of transparency, it must be clear how promises to citizens are met. While the NHS does audit recipients of data, companies regularly fail those audits with negligible consequences.

Population-scale, citizen-level datasets include an administrative census such as the cancer registry (everyone with any cancer for the last ~30 years), HES (everyone who has been treated in hospital since the early ’90s), or the National Pupil Database (everyone who has attended a state school since the mid-90s), or other large-scale sensitive datasets (the rest of the NHS data estate).

When population-scale data (that does not respect dissent) is copied out of the infrastructure of the data controller, it is impossible to ensure that promises to patients are kept. There are no technical measures which can provide assurance that what should have happened actually did. That assurance is what the ‘limited environment’ of an independently run safe setting provides.

It is already standard process to allow access to detailed (decennial population) Census data in a safe setting where queries can be audited. The transparency and information provisions of GDPR should be read as requiring that, where queries on a dataset cannot be audited, that fact must be made available to the data subject, since it makes it much more likely that the promises of a data controller may be broken – because the controller has no means to know they are kept.

The 2017 Annual Report from the National Data Guardian again calls for “no surprises”. As the GDPR brings more data controllers closer to the standards already required in the NHS, the best way to inform a data subject how their data is likely to be used next month is to show how it was used last month. From accountability can come trustworthiness.

As the Whitehall machine grinds on, as the opt out moves to DH from NHS England, and as data moves from CO to DCMS, the forgetting happens: institutions forget what happened, and institutional memory is what they wished happened. Care.data was just a communications failure, and not a policy failure; etc. Where they forget, we will have to remind them.