The recent Queen's Speech announced a Digital Economy Bill, promising reforms to the way government uses data to help improve public services, and strengthened protection for citizens in the digital world. These welcome aspirations will doubtless build on existing UK government policy for citizens to have access to and control over their own personal data, and ensure compliance with the new General Data Protection Regulation (GDPR).
To make this happen, citizens will need to be able to prove who they are when they're online and that the personal data they want to access is theirs. Presumably the default way of proving who they are will be the GDS Verify identity assurance programme, which has recently come out of beta and entered live service.
However, providing citizens with access to and control over their own data across multiple public sector organisations using multiple formats and technology stacks is another order of complexity entirely. Sorting out a viable, secure, information assurance and access management model will take time to crack.
To fulfil its aspirations, the Bill will need to remedy the failings of the "better use of data in government" consultation and to work seamlessly to ensure stronger security across multiple levels including:
- Policy: ensure existing government policy is understood and complied with. Recent unwarranted breaches of policy such as the NHS/Deepmind revelations suggest there's a mountain of work yet to be done here;
- Principles: establish consistency around user consent, data protection, information and identity assurance, security and privacy;
- Technology: enforce policy and principles in software so that personal data cannot be accessed or used without explicit authorisation, consent and audit. It's time to eradicate the fraud and security vulnerabilities of sloppy "data sharing" and focus on approaches such as attribute exchange;
- Governance: ensure all of the above have unambiguous senior level accountability and responsibility, with protective monitoring for the most sensitive data (such as that relating to at risk children, undercover law enforcement officers etc). Any abuses should trigger meaningful sanctions, not fines – which merely deprive public services of precious funds, punishing citizens twice-over for incompetent management. There must be personal accountability, with those who fail in their duty disciplined or prosecuted: the era of no-one being held personally accountable must end.
There is a pressing need to reduce fraud and the growing abuse of often sensitive personal data. This will partly depend upon assuring citizens who entrust their data to others that it cannot be used for anything other than the specific purpose for which it was provided.
The aspirations outlined in the Queen's Speech will take time to implement. In the meantime, we need a default assumption that citizens are "opted out" not "opted in" to personal "data sharing" to help re-establish trust. Implementing stronger security will also enable the public sector to reduce fraud and improve the way it uses data better to deliver services. By applying best practice and strengthening protection for citizens and businesses alike, the government can help establish the UK as a world leader in the digital economy.