UK.gov oughta get its data-sharing house in order before Digital Economy Bill plans
If you show us yours, we might show you ours
Analysis The government has a funny notion of how to tackle failure. When it comes to contracts, suppliers that have routinely messed up are handed more deals. When it comes to policy, approaches that have proved unsuccessful get dusted off and pushed with renewed vigour.
The author who wrote "the definition of insanity is doing the same thing over and over again, but expecting a different result" probably had the UK.GOV in mind.
So it’s not surprising that in the same week as the National Audit Office slammed the government for its piss-poor infosec practices and handling of personal data; the second reading of the Digital Economy Bill went through Parliament. That Bill, among other things, intends to open up even more citizen data sharing.
Those proposals have already been criticised by experts as not having been thought through. What could possibly go wrong?
It seems the government approaches the prospect of getting its hands on more citizen data with a hoarder’s sense of glee – but is simultaneously bad at adequately recording and sharing its own information.
The NAO report – which incidentally slammed the government for its “chaotic” approach to reporting personal data breaches, with 9,000 reported data breaches last year – highlighted this point.
For example, the NAO could not identify the amount government spends on security, suggesting that the figure of £300m per year was, in fact, many times more. That is because departments do not "always collect or share robust expenditure or benefits data," it said.
"Prior to October 2015, the Cabinet Office did not collect information on or analyse government’s performance in managing the risks of protecting information on a routine basis. This means it has had little visibility of information risks in departments and has limited oversight of the progress departments are making to better protect their information."
The words “house” and “order” spring to mind.
Papering the cracks
The problem that increased access and sharing of citizen data is trying to fix has not adequately been outlined.
The legislative changes are intended to allow limited sharing of data to overcome legal barriers between public authorities, "where there is a clear need and benefit.”
However, the extent to which a clear need and benefit has been identified remains highly questionable. It will also "establish a framework, with appropriate safeguards" to share bulk registration information, such as "sharing birth data to help parents access early years services.”
The government already has a poor track record in this area, particularly with its execution of the failed Care.data programme.
This week Labour MP Chi Onwurah also criticised Part 5 of the Digital Economy Bill, which enables public sector data to be shared with external bodies if a “benefit” can be shown. She criticised the Bill for deciding what constitutes a benefit with almost no public scrutiny.
"The only measures on data seem designed to extend the current public sector data sharing chaos to a complete free-for-all. Our data are at risk with this Bill. We do not own the data and we are not safe. Anyone can take them and the government decide what others should see of them,” she said in a Parliamentary debate. As we saw with the failed care.data attempt at NHS data sharing, when the Government fail to set out a proper and transparent framework the cost is borne by a lack of public trust in those services."
She added: "The Bill is an excellent example of that old 'Yes Minister' trick of putting the difficult part in the title so it can be ignored in the document itself."
But digital minister Matt Hancock insisted: "The data-sharing elements of the Bill are designed to improve public services, to make sure that we can tackle fraud and to have better statistics in this country."
Technologist Jerry Fishenden has previously critiqued the data sharing proposals that have now found their way into the Bill. In a blog post he said applying “data sharing” to problems that actually frequently derive from inadequate organisational and service design, amount to papering over the cracks and inefficiencies of existing public sector organisations rather than fixing the underlying problems.
"In an increasingly digital economy, expanding access to useful personal data is more likely to increase the risk of fraud, not reduce it. There are smarter ways of tackling these problems – from improved service design to technical measures to protect data whilst enabling it to inform decision-making.”
There can be benefits from increased data sharing, providing there is proper governance in place. But to be blunt: how much can we trust the government to handle our data correctly?
Perhaps if it led by example and improved the management and access to its information first, there might be a more convincing case.
As one contact remarked: “If the idea of more open data sharing is such a good one, why not apply it to the civil service first? Let us see what they're doing, who's looked at our records and so on."
No doubt Sir Humphrey would love that idea. ®
Sponsored: Becoming a Pragmatic Security Leader