National Data Strategy Consultation Response

We have been involved in many COVID-19 emergency responses with both government and healthcare.

The following are examples of a few of these projects that describe how data was used to deliver public benefits outside of healthcare:

• Defra Food for Vulnerable service – this is a new cloud data sharing service, created with supermarkets and local authorities, that allows vulnerable people to be flagged centrally to supermarkets for prioritised services (e.g. delivery). It allows Local Authorities to submit lists of vulnerable people in their area, which supermarkets can cross-check with their customer lists. This use case was prompted by an emergency, but clearly indicates a long-term valuable role for the government, as a proxy to share important data with the private sector that can improve services.
• Surrey County Council Vulnerable Person service – this is an existing service that we developed for Surrey County Council many years ago to support emergency planning for vulnerable persons. It collects data from many sources across the county (e.g. adult and social care) to be able to visualise and prioritise services. During COVID we worked with the Council to refresh its datasets so that it could better support emergency planning.
• In a number of direct responses to the COVID-19 emergency, understanding the public’s perception and opinion of public services was a crucial component in delivering and developing those services. This was particularly important for our work on the Northern Ireland contact tracing services. Public attitude, perception and persona data needs to be made more widely available to accelerate delivery of services.

Each of these examples shows the benefit to UK citizens when Government offers services that aggregate datasets and share data more widely to allow new services to be delivered.

Without investment decisions, delivery principles, an execution plan, concrete actions and enabling infrastructure, it is too early to comment on the potential impact of this consultation on all areas of the UK. This will be relevant when an action plan is published.

We recommend that explicit principles are incorporated to address regional inequalities, such as:

1. 1. Agree to have unified guidance that is developed with and adopted from the beginning by devolved governments. This could, for example, include a UK-wide benchmark for data maturity to ensure inclusion and consistency.

1. 1. Investment for change (e.g. Exemplar programme for government) that includes benefits for all levels of government: devolved government, local government and central government.

1. 1. Investment in data skills that targets re-employing and re-skilling those from our existing industries to higher value, higher productivity roles. This investment should also create new skills in deprived regions where unemployment is a challenge.

1. 1. Creation of data science as a new subject on the curriculum for schools. This would combine applied mathematics, data information and data visualisation and introduce data to a younger audience.

1. 1. Confirm quantifiable targets for inclusion, for example to ensure data sharing is available to startups and SMEs, not just larger organisations.

1. Increase access to high-speed internet, embracing the potential of the remote working revolution and providing access from all regions to the new data economy.

All sectors will gain from better data availability, even if they have smaller datasets and fewer customers. Arguably those with the least data will benefit the most from data availability and increased data sharing. But those sectors who collect the most data and interact with high volumes of customers will stand to have a bigger impact on the UK economy:

• Accommodation and Food Service Activities
• Arts, Entertainment and Recreation
• Central/ Local Government inc. Defence
• Charity or Non Profit
• Education
• Electricity, Gas, Steam and Air Conditioning Supply
• Financial and Insurance Activities
• Human Health and Social Work Activities
• Information and Communication
• Transportation and Storage
• Water Supply; Sewerage, Waste Management and Remediation Activities
• Wholesale and Retail Trade; Repair Of Motor Vehicles and Motorcycles
• Real Estate Activities

Central Government should enable better availability of data across the wider economy by creating a level playing field and setting an example by successfully implementing better use of data across Government departments.

It should define policy and guidance, influence major suppliers, set standards, remove legislative blockers and lead by example with its datasets.

Government can also choose to legislate to mandate specific standards for sectors, though in our view this should only be used to increase market competition. For example, the UK Government has led on the implementation of PSD2 EU legislation for Open Banking. This has ensured UK Financial Services organisations comply and share data through standard APIs for bank accounts to increase competition and innovation for UK consumers.

The UK Government has an opportunity to lead on data standards for Government data,working with and influencing other partners in the G7 to establish cooperation in this area in order to open up new markets for UK organisations.

Central Government should enable better availability of data across the wider economy by creating a level playing field and showing industry how to follow by implementing better use of data successfully itself:

1. 1. Leading by example for all sectors. Government collects and manages many valuable datasets that could be made available to other departments, other governments and industry using open data standards to deliver new services. Given this, it is important that the government does not just define policy but demonstrates how to implement it, showing the benefits to the wider economy. http://data.gov.uk is a government initiative to share open data, but it remains an isolated site rather than an exemplar default sharing mechanism for Government services. If the government leads by example, others will follow, as has been the case with the digital transformation agenda.

1. 1. Removing blockers. Government needs to protect citizens and their personal data, but it also should remove blockers to prevent better use of data for social good. We recognise this is a delicate balance between data protection and enabling a data economy. Government should re-examine the Data Protection Act and its interpretation by the ICO so that it can, for example, simplify guidance and clarify legitimate ways to maximise reuse of data.

1. 1. Defining guidance and certifying tools and data infrastructure services. The Government defines UK-wide guidance for data security (National Cyber Security Centre) and data protection (Information Commissioner’s Office), but not to our knowledge for data availability. Government can supplement this guidance with certificates of tools and platforms that meet the guidance to simplify implementation by UK organisations.

1. 1. Stimulate a data marketplace. There are technical barriers to sharing data securely while preserving privacy. The market will deliver better solutions for these when demanded by customers. Government can help to stimulate this data marketplace by influencing its suppliers to prioritise this and accelerating uptake with some of its datasets. In areas where legislation on standards and open access can stimulate competition, this should be actively pursued.

1. Ensuring inclusion and equality of access for SMEs and larger businesses. Explicit policy to remove the technical or process barriers to entry that allow startups and other SMEs to compete should be written in early. Going further still and defining targets for SMEs will encourage positive behaviour.

This should apply across sectors, but sector standards will vary for a number of reasons, such as additional regulation. For example, Financial and Insurance Activities will have additional compliance demands that must be considered.

Strongly agree.

Government has an important role in supporting data foundations in the wider economy by,

1. 1. Defining standards to increase competition and ensure inclusion. Information Technology standards lag behind the maturity of Government-established standards in other industries. This is particularly true of data standards. Without new nationwide syntactic and semantic data standards for interoperability, data availability will be siloed. Government needs to drive this consensus.However, even with national or international standards, data sharing can still fail. This can be seen in NHS attempts to enable healthcare data interoperability – many standards attempts that have not yet successfully enabled universal data sharing such as HL7 v2, HL7 v3, HL7 CDA and HL7 FHIR. Standards on their own may not be enough.

1. 1. Providing guidance and assistance to help secure data for UK businesses against foreign threats. The National Cyber Security Centre (NCSC) was established to protect UK critical national infrastructure against cyber threats. The NCSC did well to adopt an open approach and publish strong guidance for data security and cloud cyber security. This is a vital role in protecting both government data assets and UK businesses. It will be important for NCSC in future to balance the wider aims of the UK government data economy with cyber security in a number of areas, for example secure data sharing.

1. 1. Encouraging cities to become strong data exchange hubs for their region through City Deals. This is already part of the smart city agenda for many UK cities, as cities join public and private datasets to improve local services for transport, mobility, safety, housing etc. By celebrating exemplars from existing city services, the Government can help to encourage other cities to become a foundation for the data economy.

1. 1. Creating legislation that will support UK economy aims while protecting UK citizens. Government has a duty to protect its citizens. Many of these protections can be perceived as significant barriers to its aims of stimulating a data economy. Government should examine legislation or interpretation of this legislation to ensure it does not conflict or become a barrier to entry.For example, the Data Protection Act defines EU-wide protection for UK data subjects and is interpreted and enforced by the Information Commissioner’s Office in the UK. Government should examine how the Data Protection Act prevents or is perceived to prevent legitimate data sharing as part of a wider data economy that also protects the privacy of its citizens.

1. Remove barriers to entry for private organisations by making government data available. This will stimulate a new data-oriented economy and significantly increase digital and data skills at the top levels across all departments and agencies.

However, there are things we do not believe Government should be involved in, namely:

1. 1. Defining technical solutions. Government should avoid defining technical solutions or designs for the wider economy. These should remain the responsibility of businesses to choose, based on free-market conditions.

1. Competing with the market. Government should resist delivering services to support data foundations that compete with businesses in the wider economy. For example, the government should not provide a national or regional data lake. Instead, the government should rely on the market to provide solutions.

Government could do the following to reduce barriers that prevent SMEs from using data effectively,

1. 1. Set published goals for successful inclusion and participation of SMEs in the data economy. This has worked well for SME inclusion in open procurement frameworks such as G-Cloud.

1. 1. 1. Ensure data standards and guidance are as simple as possible. Data standards in particular can tend to be very complex and so expensive to adopt that they become a significant barrier for SMEs.  Ensuring the principle of simplicity is adopted and prioritised for any new standards will be a good step, as will providing tools to prove this simplicity.
      2. Reduce the barriers to entry in place for the cyber security marketplace and security clearance. There is a lack of competition for cyber security supplier organisations to provide pen testing, access sensitive government datasets and participate in closed procurement frameworks. Given the potential for malicious actors, it will still be important to certify organisations, but current barriers for cyber security could prevent government aims for data economy. For example, if the government introduced director-level accountability for data breaches while reducing barriers (similar to those introduced in the financial services sector), organisations would be strongly incentivised to comply and assure their quality levels.

The Smart Data Review in 2019 consulted on ways to make evolving schemes more coordinated across banking, finance, telecoms and energy. The focus of Smart Data is citizens asking their providers to share information about them with third parties.

The Smart Data consultation highlights the benefit to consumers of unlocking their data from just one organisation and making this available securely with consent to third-parties.

Open Banking has already started to demonstrate some of the benefits – though many of the examples described point to new dashboards for consumers which, although beneficial, are not transformative. The primary consumer benefit of Open Banking (and Smart Data as applied to other industries) is the increased competition and openness to innovation, especially from new organisations (as is the case with Fintech).

Given this primary benefit, the Government should validate that Smart Data will provide a competitive benefit to consumers in each industry. A blanket policy will cause significant change without providing commensurate benefit. We can see major benefits to consumers from innovative new services provided in the following sectors through Government regulated Smart Data:

• • Open Retail – This would seek to increase secure sharing of personal data in the retail sector by consumers. It would, for example, aim to allow a view of all retail purchases and share these with approved third-parties. This could allow smaller local shops to better optimise their stock and pricing to compete with larger supermarkets for local customers, or offer value-add services such as prioritised services for vulnerable persons. This same availability of data would also allow local shops to analyse the online buying habits of customers within their location and better compete or provide their own recommendations.

• Open Government – This would seek to increase secure sharing of personal data in the public sector by consumers. Government needs to lead by making the personal data it holds on citizens available for increased competition and new services. In healthcare, for example, health records are typically held by one part of the NHS and so are not available in different regions, NHS Trusts or to private practice. Private companies have attempted to popularise Personal Health Records but this has largely failed. Government could legislate for the healthcare service to improve healthcare services by applying Smart Data.

The Data Protection Act is designed to protect the privacy of data subjects. GDPR has strengthened the level of protection citizens can expect when their data is collected across the EU. We believe this is an important protection for UK citizens, but with some changes could do more to support and accelerate use of secure and private data sharing.

Government can ensure its data protection framework is fit for purpose by considering the following:

1. 1. The DPA needs interpretation by the ICO for the UK. This need for interpretation and clarification needs to be accelerated to simplify implementation for UK organisations. For example, it was only recently clarified that car registrations are categorised as personal data. It would be more helpful if this interpretation could be clarified to enumerate an exhaustive list of personal data for the digital age.

1. 1. The DPA is vague when discussing anonymous vs. pseudo-anonymised data vs. personal data. If the ICO took an approach to certify market tools that anonymised personal data (or created synthetic data) safely, then UK businesses could use data with higher confidence. This would mean that businesses no longer need to take a risk by making a judgement call from ICO interpretation. Instead, businesses could use  industry-standard tools that remove personal data with high confidence and are underwritten by the UK government.

1. The DPA could exploit the power of pseudo-anonymised data better with cryptography. If controls were defined for pseudo-anonymised data (encoded personal data) then this could also provide a good compromise position that allows data to be used for secondary purposes, e.g. via data sharing but with measures to prevent reverse mapping to individuals. In this way, the data controller/processor would have access to secure personal data for its primary purpose, while third-parties would have access via secure sharing mechanism to pseudo-anonymised data. Cryptography standards could be adopted to ensure pseudo-anonymisation can only be reversed with the keys kept securely by data controllers.

The CDEI represents an excellent opportunity to provide expert guidance for government, regulators and firms on how to safely and ethically use data and AI in their operations. For example, its recent report on how to identify and correct bias within algorithms was pro-innovation, but gave very specific and practical guidance on how to use those approaches safely and ethically. This is something that a traditional regulator will typically struggle to do, given their statutory enforcement role, and Government will often lack specialist technical skills required to do this well either.

A change to statutory status for CDEI should focus, not on enforcement (which should remain with sector regulators), but on access. Many organisations using data are understandably reluctant to expose their data practices to independent scrutiny; while CDEI will be able to champion best practices relating to data innovation and ethics, it should also have the statutory powers to insist on cooperation from organisations that are less willing to be transparent.

In our view the actions that will have the single biggest impact on transforming government’s use of data will be:

1. Accountability and productivity, followed by
2. Capability, leadership and culture

Currently, government policy defines departmental accountability for information risk as part of Government Security Roles and Responsibility. In practice this responsibility may fall to one role, e.g. Departmental Security Officer (DSO) or Senior Information Risk Owner (SIRO) but it ultimately rests with the Permanent Secretary as Accounting Officer.

If information risk is de-centralised to departments (and in some cases further down to agencies), implementation of well-meaning centralised government policy, standards and guidance will still rest with departments. Therefore clarification of accountability can have the biggest impact.

One of the major challenges the Government faces with its current accountability strategy is that information risk is bundled under Government Security. This will inevitably prioritise information security and privacy. In real-world application, security must be balanced with functionality. Appropriate controls must be deployed that are commensurate with identified threats.

The challenge arises because government departments are not required to prioritise sharing data and securing data equally. As a result, the pursuit of security will almost always take precedent, making advancement or innovation extremely difficult.

What is needed is a pan-government policy that commits departments to sharing data, supported by an accountable senior person in each department who must ensure that data is shared. This could be a Chief Data Officer, for example, who is a specialist in understanding data and whose success can be measured against pan-government commitments.

This will provide both strong departmental leadership and accountability for data sharing to support the data economy. Capability must be developed to support this, enabling departments and agencies to implement policy and realise the improved citizen services, data-driven analytics, permissive data sharing and AI/machine learning in order to provide new capability.

We were unable to find a published pipeline of data standards that the Data Standard Authority is working on so are unable to comment on these.

We do not consider that standards should be selected or prioritised separately from Government priorities for data economy and data sharing. Instead, standards to enable effective data sharing should be developed that fit the specific industry, domain, consumers etc. For example, if Open Healthcare was a priority. then the standards to develop would relate to syntactic and semantic standards for UK healthcare data – perhaps a specific FHIR version, with agreement on a corresponding set of FHIR profiles that codifies this for UK healthcare.

In any case, standards should strive to be the simplest they can be to reduce the technical barrier to entry for consumers. The Data Standards Authority should ensure that all developed standards are designed around the principle of user needs in order to increase inclusion and success for new standards.

The infrastructure on which data relies is the virtualised or physical data infrastructure, systems and services that store, process and transfer data. This includes data centres (that provide the physical space to store data), peering and transit infrastructure (that enable the exchange of data), and cloud computing that provides virtualised computing resources (for example servers, software, databases, data analytics) that are accessed remotely.

Many data infrastructure service providers already provide data security, continuity and resilience of supply. There has been significant improvement in the default services supplied by the major cloud providers in the past ten years and the market is providing greatly improved services year-on-year. These improved services should be defined by the Government as a baseline for new data infrastructure providers.

It should be the responsibility of an approved Government body, working with data infrastructure service providers to certify solutions or patterns for data security and resilience services that comply.  This explicit certification will provide a quick-start for consumers. Consumers will know that their data is secured and resilient with approved patterns on certified services by UK specialists, e.g. the National Cyber Security Centre.

It is this vertical integration sandwich of data infrastructure supplier platform services, successful patterns provided by Government specialists and tooling that will simplify the implementation and create confidence that guidance has been applied successfully. This would, for example, allow for not just secure collection of data and resilient data access across IT failure, but also enable automatically pseudo-anonymised or anonymised derivations of these datasets to be made available for secure sharing by default.

We are a consulting services organisation and so not directly a large consumer of data infrastructure services. Instead we support our customers to select data infrastructure services and use these to deploy new services. From this experience, our clients typically assess security protocols of new data infrastructure providers before first deploying any data to these – but rarely regularly assess throughout.

This assessment will typically include:

• Review of security and compliance documentation.
• Review of industry-standard compliance certificates, e.g. ISO27001.

This assessment does not typically include:

• Physical inspection of data centres – this is usually unavailable to customers for security reasons.
• Assessment of data infrastructure personnel who have access to data-centres and privileges access to services and/or data.
• Red team testing of data infrastructure security to identify vulnerabilities.

The Government could do more to short circuit this assessment process for departments and UK organisations by certifying data infrastructure providers (e.g. National Cyber Security Centre) against new cloud security standards or against data protection controls (e.g. Information Commissioner’s Office). This certification from the Government would provide reassurance, increase trust with data infrastructure providers and lower the risk for customers.

However, this is only one part of the picture. Security protocols are a shared responsibility between data infrastructure provider and customer. Customer security protocols – including configuration of infrastructure, patches of unmanaged services and application design – are selected by customer delivery teams and approved by design authority or security accreditors.

To ensure high standards of security and resilience for data infrastructure,

• It is a Government responsibility to work with data infrastructure service providers to certify solutions, tools or patterns that use their data security and resilience services. This explicit certification will provide a quick-start to consumers. Consumers will know their data is secured and resilient with approved patterns on certified services by UK specialists, e.g. the National Cyber Security Centre.
• It is data service providers’ responsibility to proactively provide services to the highest level of data security, privacy and resilience. But more than this, Data Service providers by making data security, privacy and resilience simpler to implement (ideally to be provided by default) will dramatically increase protection.
• It is the data service supply chain’s responsibility to maintain the same standards and processes for their design and staff as data service providers.
• It is customers’ responsibility as data controllers or data processors to test data services themselves, but also to adopt similar security protocols in their designs and applications that use these foundational data services. This will include configuration of infrastructure, patching of unmanaged services and application design. It is particularly important that customers test this security continuously to identify vulnerabilities early, before they are discovered by malicious actors.

It is this vertical integration sandwich that is required from all parties to ensure consistently high standards.

It is not helpful to select the “most important” factors to manage the security and resilience  of data infrastructure. Instead all factors contribute to overall security. Malicious actors devote themselves to uncovering security vulnerabilities that allow them to exploit data or services. If one factor is prioritised over the others, this will just result in more opportunity for exploitation in other areas. The principle of “defence in depth” means that all factors should be applied.

It is worth highlighting that there is often a prioritisation of one area over another unknowingly. This can lead to an unconscious prioritisation and so result in increased risk. Instead, we would expect that the following areas are given equal consideration for their security and resilience risk:

• Vetted staff and controls for applications administration
• Vetted staff and controls for infrastructure administration
• Information security controls for applications
• Information security controls for infrastructure
• Physical security controls for buildings
• Multiple redundant locations for buildings

The UK could improve on internal personal data transfer mechanisms by providing more than just legislation and interpretation of the Data Protection Act. If the Government provided data protection tooling or certified market tools for data protection, then UK businesses could act with higher confidence when transferring personal data to/from the UK.

We will seek EU ‘data adequacy’ to maintain the free flow of personal data from the EEA and we will pursue UK ‘data adequacy’ with global partners to promote the free flow of data to and from the UK and ensure it will be properly protected.

The Government should determine priorities for future UK data adequacy arrangements by aligning these with UK economy trading priorities for data services.

1. 1. Multilateral data adequacy with the EU bloc is a priority to avoid introducing limitations on current services and working arrangements. This is essential to avoid setting back the UK economy many years by preventing access to current services by the UK’s largest trading partner.

1. 1. When considering which specific countries should be prioritised, Government should focus on data equivalence with trading blocs rather than individual countries.

1. 1. The export of data services from the UK is a priority if Government wants to encourage UK economy innovation. With a focus on export, the Government could prioritise unilateral flow of personal data into the UK (over data from the UK) by being recognised as a leader worldwide of the highest data protection standards.

1. New trade agreements with specific countries should include data adequacy provision as part of the agreements.