UK data strategy 2021 - per ardua, ad nauseam

The UK launched its National Data Strategy last September, after more than two years of Brexit-inspired hiatus, bafflement, shoulder-shrugging, and pettifogging. Yet just a few months earlier in March, 2020's Westminster eForum on UK data strategy had presented an alarming picture of rudderless government.

At that event, Gaia Marcus, then UK Head of Data Strategy, said:

We knew that we had the solution [the data strategy], but we weren't clear on the problem. So, back in the Middle Ages of this project, when the team was focusing on the work, I commissioned a call for evidence to actually understand that, if we've all agreed that the national strategy is the solution to a problem, what actually is the problem?

This was the UK's Head of Data Strategy explaining that the government didn't know what its non-existent strategy was for, but did know that it needed one to solve an unidentified problem - though the details of the solution were missing. So, it is hard to see the strategy that then emerged last autumn (and is still a work in progress) as the output of visionary leadership with clear-sighted goals.

But a lot has happened in the 12 months since the 2020 eForum: Prime Ministerial advisor/dodgy autodidact Dominic Cummings became Dominic Goings, but not before grabbing some work for his developer mates; the UK's grace period with the EU ended and goods exports to it plummeted by 40 percent in January (according to figures released last week); data adequacy with Europe is still in the offing; and there has been the small matter of a lethal pandemic wreaking global havoc and human misery, pushing billions of people towards digital services.

And yet Covid offered one unexpected benefit to harassed policymakers: it gifted this reactive administration a hook on which to hang its digital hat. As Digital Secretary Oliver Dowden acknowledged at the Strategy's launch last year:

Our response to coronavirus has shown just how much we can achieve when we can share high-quality data quickly, efficiently, and ethically. [...] Our new National Data Strategy will maintain the high watermark of data use set during the pandemic: freeing up businesses, government, and organisations to innovate, experiment, and drive a new era of growth.

This was a ludicrous statement to make in the midst of one of the highest mortality rates in the world, widespread ‘chumocracy', and a £37 billion Test and Trace system that today seems dead in the water. But we must acknowledge the recent success of the UK vaccines programme, led by the private and academic research sectors.

In most cases, however, Whitehall had access to reams of data about the virus but failed to act on it quickly and decisively enough. The lesson is that hoovering up masses of data is a meaningless activity without systems to deal with it responsibly for mutual benefit. Unless the strategy is hoovering up data, of course.

Shouting about success

A rich context, then, for 2021's Westminster eForum on the National Data Strategy, which took place last week and sought to fill in the blanks from the previous year's event. But did it? It was an oddly low-key affair, shorn of political intrigue and full of bland statements about economic renewal that were delivered in a depressing monotone, as woes mount across many sectors. The audiobook of the dead, Covid and Brexit chapter.

Phil Earl, Deputy Director of Data Strategy, Implementation and Evidence, at the Department for Digital, Culture, Media and (for some reason also) Sport, tried to inject some uplift. A plucky move, as responsibility for data strategy has been taken away from DCMS and handed back to the Cabinet Office, where a new Central Digital and Data Office (CDDO) now resides.

(Soon there will be so many C-Level Whitehall jobs with ‘Data' or ‘Digital' in the title, and so many Offices, Services, and Committees with the same, that it will be impossible to know who's actually in charge.)

There are four pillars to the Strategy, Earl explained: to position the UK as a "global champion of data", ensuring data's continued, secured flow across borders (don't mention Brexit and data adequacy); a pro-growth narrative backed by responsible use and availability of data (don't mention precipitous economic decline); an alignment of "data-led work across government" (implying an alignment of data itself across government); and a commitment to action (rather than rhetoric, perhaps).

Earl also echoed Dowden's line about the government's claimed success in using data to tackle Covid:

That's really been emphasised by the experiences of the last year in the response to Covid and the use of data. It very much feels like we are trying to capitalise on that momentum. The Secretary of State has talked about the high watershed that's been set for the way that we use data. We want to think about how we take that forward when, hopefully, we will be in some sort of post-Covid world, whatever that looks like. We've really now seen the power of being able to capitalise on that.

Have we? Clearly this is now the official message from the government: Whitehall's supposed success in using data to tackle the virus - which most would argue is anything but a success - has proved the concept of data sharing in the government's eyes. The irony is that the government wants us to believe that everything is great, though the data itself says otherwise.

While it's true that there are countless, innovative ways in which open data can already be used to design better, greener, more sustainable cities, build smarter services, and help improve the lives of citizens - some of which were outlined in my recent reports on geospatial data and digital twins - the government's approach is troubling.

That's because what Earl and Dowden were really talking about is the crisis-led removal of some data protections and privacy restrictions in order to enable systems like Test and Trace to work. The problem is that the system hasn't worked.

Despite a £37 billion budget over two years, there has been no clear benefit from it, according to this BBC report. But a private contractor, Serco, has done well out of it, while consultants have been pocketing huge fees.

Capitalising on data at the expense of privacy?

If that is the government's model for a successful data strategy - jobs for the boys, but no measurable benefits to citizens from a vastly expensive scheme - then it will have to do better. Particularly as the incoming Information Commissioner (Elizabeth Denham steps down in the autumn) is apparently to have a new, more commercial remit under the government's stewardship.

Earl said:

That person will be asked by the Secretary of State to not just focus on privacy, but to be really thinking about how they are helping to unlock the value of data again.

That ‘again' suggests this government believes the ICO's current focus on privacy has somehow prevented organisations from capitalising on data in ways they had always been able to before. That's bunkum.

Privacy campaigners would point out that regulations such as GDPR/the Data Protection Act 2018 were introduced to protect citizens from the might of data superpowers, such as Google, Facebook, Amazon, and Apple. Even California - home of Silicon Valley - has introduced similar legislation. Greater privacy is the global direction of travel in regulatory terms, not the data free-for-all this government seems to favour, like some dysfunctional Etonian Facebook.

In fairness to Earl, he did identify some other areas where data has been used to help tackle the coronavirus:

We have TfL [Transport for London] using data to understand people's travel patterns during the pandemic, which then allowed them to understand where various hotspots might be. Communications and resources can be devoted, essentially, to making sure that in those hotspots they remain Covid safe.

Another example has been Citizens Advice. Being able to use data, and then share it in an anonymised way with energy companies to ensure that the most vulnerable customers are getting the support that they need in that space... lots of really interesting examples.

Net Zero presents another opportunity for a more ambitious, growth-centric data strategy, he said. That's true, but the feeling that what the government is really talking about is hanging onto a Covid-led removal of citizen protections so their data can be shared or tracked is hard to dispel. A single view of each citizen, perhaps, which is what China is reaching for.

If you're not convinced, then look at other moves in government for policy context. The Guardian's Defence and Security Editor, Dan Sabbagh, uncovered an example last week with his report on a Home Office bulk surveillance trial: mass citizen metadata collection in partnership with two unnamed internet service providers and the National Crime Agency.

Sabbagh's report talks of a "staggering lack of transparency" in the government's plans for trawling citizens' data. Meanwhile, chatter about scrapping the Human Rights Act, which contains citizen privacy protections, has intensified.

This morning (15 March), the government was slammed by Parliament's Public Administration and Constitutional Affairs Committee for its failures in handling and sharing Covid data. No 10 was warned that it must learn from its mistakes in order to rebuild public confidence - the Committee said it believes the government is neither open nor transparent about its use of data.

Michael Gove MP, Head of the Cabinet Office where UK data strategy now resides, was described as being "contemptuous of Parliament" for failing to appear before the Committee, sending junior staff in his place who were unable to answer questions, and for his "willful evasion of Parliamentary scrutiny".

But...it’s the law

Laura Lazaro Cabrera is Legal Officer of privacy organisation, Privacy International. She offered eForum delegates what she described as an "outsider view" of the National Data Strategy - which was ironic, as she essentially reminded government of the law:

The third pillar of the National Data Strategy, data availability, calls for data to be appropriately accessible, mobile, or reusable. These references indicate forthcoming changes, which are significant in data protection terms, repurposing of data and new data sharing agreements to prevent mission creep and ensure transparency.

Data protection principles and data subject rights should be a key regulatory priority and must be at the heart of any changes implemented pursuant to the National Data Strategy. You must remember that the personal data currently held by organisations was given under specific terms, a range of specific purposes, and for a limited number of recipients. This is in line with data protection principles such as purpose limitation and data minimisation.

It's important that these principles are carefully applied to the data strategy and balanced against the hypothetical benefits of more processing. Often less is more, and more data is not always the answer.

Covid is again in the frame, according to Cabrera:

Last week, it was revealed that the data from hundreds of millions of check-ins by people who had visited pubs, restaurants, and hairdressers before lockdown had barely been used by Test and Trace. This is a clear example of data processing which proves to be unnecessary and ultimately excessive, but which nonetheless triggered legal obligations for data controllers.

In other words, even when the benefit isn't clear there is a cost involved with gathering and processing vast data troves. The flip side of the problem is that local authorities have huge amounts of data about citizens, and yet have barely been consulted by Whitehall during the crisis. That data could have helped minimise the spread of the virus.

She continued:

Data subject rights must be respected. In particular, the right to be informed, the right to object, subject to some exemptions in the Data Protection Act.

As a general rule, explaining the purposes for which personal data previously given is used, or even adding to the list of entities that it is shared with, triggers an obligation for entities to update privacy information and communicate the changes to the individuals concerned before starting any new processing.

This notification is, in turn, crucial for individuals to be able to object to further processing that was not foreseen at the time their data was first processed. Necessarily, the implementation of the National Data Strategy entails an important commitment by government to ensure that the rights of data subjects are respected and enforced.

Making good on that commitment requires clarity, legitimacy, proportionality, and disclosure of the types and categories of data that will be, she said. Cabrera then added:

This information must be provided in the first place to the data subjects in as much detail and granularity is possible, prior to the data being repurposed and shared, so that they may consent. But it must also be made available to civil society at large to allow for public scrutiny and debate, as well as enforcement accountability.

The Strategy confidently asserts the potential for data to create a fairer society, she observed. But while data has the potential to improve delivery of services, it cannot be relied upon in itself to cure the problems that afflict the public sector.

We must remember that data is not neutral, and there is a risk of potential discrimination and bias in data processing, which must be acknowledged and mitigated.

Before we start thinking about the ways that data can be used in the future, we really must understand how data is used now. That means looking at the data that is gathered in practice, how it is gathered, and for what purposes, and whether current processing activities comply with existing standards and principles.

Having diverse concerns raised about existing data processing activities, and yet expanding on them without acknowledging those problems and concerns, is frankly irresponsible.

My take

Irresponsible: this government? Surely not.