
Council for Science and Technology report - "Better use of personal information: opportunities and risks"

We were in the running to be interviewed by the "Westminster Village" flagship BBC Radio 4 Today programme regarding

"a report which suggests that all government data should be pooled and used for research into areas such as social policy and health and that society should be less paranoid about information being used improperly."

However, via e-Gov monitor, we have now been pointed to and have read what we assume to be this report by The Council for Science and Technology (CST) which says that it is

" the UK government's top-level advisory body on science and technology policy issues.

CST's remit is to advise the Prime Minister and the First Ministers of Scotland and Wales on strategic issues that cut across the responsibilities of individual government departments"

The report: "Better use of personal information: opportunities and risks" November 2005 (available as .pdf and .doc)

Key recommendations included:

  • extensive public engagement with the public and civil society groups
  • regulatory and governance frameworks to minimise the risks
  • research into privacy enhancing technologies
  • the creation of federated databases rather than a single database.

Astonishingly, there is only one oblique reference to the "NIR". This means that the report manages to completely avoid mentioning the centralised biometric databases at the heart of the National Identity Register being proposed under the controversial Identity Cards Bill 2005. Surely such a fundamental change in the data and information and trust relationship between the citizens of the UK and the State bureaucracies deserved a full discussion in this report ?

Of particular concern was the use of focus groups interviewed by market research firm OPM. There were 7 groups comprising a total of 67 people !

Surely such a tiny sample size cannot be statistically valid ?

The report mentions problems with the public perception of the trustworthiness of Government departments and the complexity and perception of the Data Protection Act.

The report calls for dialogue and engagement with the public and, inevitably, it also calls for more research into privacy enhancing technologies etc.

However this is all largely contradicted by the examples of existing and future "data linkages" e.g.

Box 1 – a snapshot of existing database linkages

A number of information gateways exist to enable data-sharing where vires are not thought sufficient; for example: between HM Customs and Excise and the Inland Revenue; between DfES and the General Teaching Council; and between Home Office and the Police and HM Customs and Excise. There is also:

The Police Information Technology Organisation (PITO): which is the guardian of the Police National Computer and the Police Fingerprinting Database which link to other databases to allow the police, Customs and Excise and other law-enforcement agencies to carry out their duties.

Work and Pensions Longitudinal Study (DWP): government has legislated to open up Inland Revenue databases to provide better information on movements from welfare into work. It links Jobcentre data with claims for child benefit, employment and tax credits. Longitudinal data is used to prevent fraud, errors and as a basis for government statistics. It provides the basis for the research agenda into the long-term outcome of DWP policies, and greater efficiency of DWP operations as well as to track leavers from the Armed Forces.

Census and Crime: DWP is also linked with the Inland Revenue and the ONS to allow the necessary management and research in advance of the 2011 census. The Home Office’s Crime Analysis Unit (CAU) - and the British Crime Survey - have links with other government Departments such as ONS and the Office of the Deputy Prime Minister to access data and carry out research

Health: the NHS Information Authority has links with ONS to provide information on blood donor and cancer registers, and it has links with Home Office and MoD to provide health records of staff. NHS organisations have links with other organisations to communicate information on national health issues.

Education and Skills: DfES has developed a protocol on data-sharing. It is implemented through DfES’s Common Basic Data Set which supports a shared technology infrastructure. DfES has links with Ofsted, the Learning and Skills Councils, QCA etc, and has a National Pupil Database containing information on all pupils in England (but with access safeguards in place).

Similarly the Case Studies are heavily weighted in favour of the alleged benefits of increased data sharing, whilst paying lip service to Privacy concerns.

  • Case Study 1: Using data linkage to develop new approaches to detecting adverse drug reactions (ADRs) in routine clinical practice
  • Case study 2: Using data linkage to address health inequalities and develop disease registers to improve targeting
  • Case Study 3: Use of data linkage to improve risk assessment for health effects associated with environmental pollution
  • Case Study 4: Dynamic Traffic Management
  • Case Study 5: The Citizens Information Project

The impression that these give is that Privacy objections are seen as an important "problem" , but one which can be "managed" by the "boiling frog" approach of introducing the controversial measures gradually.

There is no acknowledgement of the possibility that some or all of these projects should never be implemented in the first place, as it is simply beyond current or future management techniques and technology to keep the concentrated data from being abused.

There is no criticism, constructive or otherwise, of the current Government data sharing projects and plans cited above, none of which apply the principles of extensive informed public consultation, government transparency, cost / benefit and risk analysis, which the report suggests are vital for public trust and to address our privacy fears.

"This report was prepared for the Council for Science and Technology by a subgroup comprising Professor Janet Finch, Professor Wendy Hall and Dr Mark Walport (convenor). We are grateful to all the people who participated in our two workshops, and to the authors of the case studies for allowing us to use them."
Recommendations

General recommendations

1. We consider that there are major benefits to be delivered from developing better linkages between, and wider access to, personal datasets provided the risks are carefully assessed and managed. In order to realise these benefits, there is a need to:

  • engage in dialogue with the public and stakeholders on the full range of benefits and risks, in particular to individual citizens as well as to society and to government;
  • carry out risk analyses with a balanced approach to the benefit-risk equation to strengthen the evidence base for policy formulation and enable improved service delivery;
  • have a focal point within government to think through, plan and co-ordinate joined-up working across different datasets.

Access to personal data for research and statistical purposes

2. Government should put in place mechanisms to ensure that the linkage and use of personal datasets is achieved in a much more co-ordinated, coherent and transparent way across the public sector. We consider that this should be done on the basis of three linked principles:

  • personal data must be anonymised whenever this is possible, or pseudonymised in the case of linked datasets;
  • there should be a general presumption that access to data should be facilitated where that access is for research or statistical purposes;
  • appropriate safeguards and transparent governance structures should be in place before personal data can be accessed and used.

3. In order to command public trust, we believe it is critical for government to have open standards and protocols for the conditions under which data can be shared. This should involve:

  • conducting risk analyses and establishing risk reduction processes among organisations and individual citizens sharing data;
  • addressing real and potential conflicts of interest, and any specific issues – such as involvement of vulnerable groups;
  • putting in place formal data handling policies for researchers or statisticians accessing the shared data.

4. Government should introduce a quality mark or accreditation scheme for the operation of government databases in order to promote greater trust. Monitoring compliance must be through third-party audit, in which the Information Commissioner or an equivalent person or body, must have a central role with agreed delegated authorities.

Non-compliance with statutory safeguards must result in severe penalties.

Technological research needs

5. Government should promote research into knowledge technologies that facilitate the benefits of linking personal datasets. A key focus here is research on privacy-enhancing technologies. Government should work closely with business experts from the private sector (such as the banks) in identifying future needs regarding privacy-enhancing technology. In addition, government should:

  • initiate a technology road-mapping exercise to identify what technologies will be available when, and plot these against relevant socio-economic and other drivers
  • stimulate more interdisciplinary R&D – involving computer scientists, engineers and social scientists - in techniques for anonymising and pseudonymising data, encryption, and anti-virus devices;
  • encourage private sector organisations which are involved in privacy to share R&D ideas on security modelling;
  • develop more explicit and proportional confidentiality requirements in its procurement specifications;
  • promote greater trust through encouraging greater levels of investment by business into IT security.

Dialogue and communication

6. Government should engage in dialogue with the public and opinion-formers to inform its policy developments on data-sharing and access to personal datasets, and the privacy safeguards that need to be in place. It should use the principles set out in the CST report Policy through dialogue and build on the work done for us by OPM Ltd published as part of this Report.

7. As key components of its public engagement work, the government should:

  • sponsor interactions between different stakeholders and the public; and educate individual citizens – especially young people – about personal data and its use in order to promote understanding on how individual citizens could better take responsibility for managing their personal data. Schools and universities would have an important role here;
  • encourage better articulation of, and debate about, the risk–benefit equation that must be analysed and understood in order to promote or restrict greater sharing of personal data;
  • determine where responsibilities lie, and how rectification and recompense will be provided in cases where the security of personal data held by government is compromised.

Regulatory framework

8. Government needs to ensure there is clarity on how the regulatory regime for data-sharing and data protection operates; in particular it should:

  • consider carefully what legislative changes might be necessary to promote sharing of, and access to, personal datasets between public sector bodies;
  • review the guidance which different parts of government have issued - for example on the operation of the Data Protection Act - to ensure there is the necessary consistency.

Implementing these recommendations

9. As part of the government response, CST would welcome an action plan including timetable on how government proposes to address each of the recommendations in this report, followed by a progress report on achievements against this plan in a further 18 months time.

We got an unspecific hint about this report last Friday, through an email from a BBC researcher, who seemed to be preparing an item for the "Westminster Village" flagship BBC Radio 4 Today programme on Monday. How are people meant to comment on a report which had not yet been published ?

This was the usual sort of last minute (17:28 on a Friday) desperate ring around by a radio programme researcher, trying to fill a time slot. Despite emailing back and phoning the next day, we still have not been able to get back through to the researcher.

Presumably other short term weekend news events such as the murder of the Policewoman in Bradford and the death of a former Today programme presenter seem to have pushed this strategic view item off the BBC's news agenda.

Will the BBC actually explain the implications of this report to the public, or is this "news and current affairs" story now no longer considered to be important ?

Comments

Re: Focus Groups and a sample size of 67.

You are correct in your assertion that this is probably not statistically valid, but this kind of misses the point. Qualitative market research such as this is never intended to produce statistically robust data. A skilled focus group mediator on the other hand, can produce a set of results that can be used to inform the quantitative part of the research, with a carefully designed questionnaire and much larger sample sizes. If the qualitative side has been done well, you will generally find that the results are very similar in the quantitative side.

Obviously, in this case, they didn't feel the need to go through with quantitative research, as they were just looking for an idea of people's feelings / opinions on the subject matter. As they don't appear to make any claims of statistical validity, then this is probably a fair approach.


The focus group questions and methodology are also published online:

Research into the use of personal datasets held by public sector bodies. October 2005. Report produced by OPM for CST (1Mb .pdf).

Despite the limited sample size, it is of interest to anyone concerned with e-government or privacy and security issues.

Some of the detailed questions asked by the OPM market researchers were excellent e.g. the participants were asked to rate their level of agreement or disagreement with the following 7 statements:

  • Having a single, named person who is responsible for the security of the database that holds my personal information
  • Access to all information about me held by public agencies
  • Some form of compensation to be paid to me if information about me is misused or stolen
  • The right to opt-out of having my information shared across different public agencies without this affecting my right to public services
  • A simple and effective complaints system that I can use in person, on the phone, by letter or over the internet
  • An annual check on the security and use of my personal information, done by an independent organization
  • Access to details of which agencies have looked at or used my personal information, and why

However, none of these privacy safeguards are in use by any of the existing Government database systems which are mentioned in the CST report !

