Kainos and Faculty are strongly in agreement with the need for a national data strategy to catalyse national productivity, improve public services, and assist our collective recovery from the ravages of COVID.

Data has always been central to the effective operation and governance of the economy and society, but it has rarely been treated as a discrete topic of interest to policymakers, businesses, and the wider public. Yet this summer, as one isolated example, there were crowds on a British street shouting “Death to the Algorithm” in the context of A-Level exam results. Digitisation is now moving the conversation on data from the edges of politics and the economy to the centre. The UK’s National Data Strategy is a timely effort to focus and direct reform.

The internet is increasingly joining up our cars, our phones and homes, making them more digital. The way we shop, the way we work, the way we relax are all more dependent on digital technologies. Data is the lifeblood of digitisation. But a second aspect of digitisation is less well understood. While paper processes are being transformed, the ability to collect, store, move, share, and combine data through digitised processes creates new opportunities – for good and for ill.

This year, Kainos and Faculty have worked closely with the Government through COVID-19, both individually and in partnership.

Faculty helped the NHS to more accurately allocate beds, oxygen, and PPE to the hospitals that need them most, as well as more precisely forecast the likely development of COVID-19 in local areas through the NHS Early Warning System. The firm also helped the Government to gain access to rapid reporting of the condition in particular sectors of the economy to enable agile policy-making, such as the furlough scheme.

However, data has also been used to enable actions and activities that have been more concerning, both in the UK and internationally.

While Faculty and Kainos are technology companies, we both believe that the use of data should always be rooted in moral purpose, not merely technological potential.

We wholeheartedly welcome this National Data Strategy consultation, which provides the UK with the opportunity to adjust and clarify rights and responsibilities around data, assure the trustworthiness and legitimacy of data use, and earn a high return on its investment in our national data infrastructure. This “Data Transformation” called for by the National Data Strategy will extend the Digital Transformation revolution initiated by the UK government in 2010 – and the gains are potentially bigger. Providing clear guidelines and protections around the use of data will both protect citizens and allow the UK to use data to its full potential. If we get these reforms right, we will not only increase productivity, create jobs, and improve public services, the UK will also lead the world in having done so.

We believe Government Data Transformation can best be achieved through six actions:

  1. Leading by example for all UK sectors, not just defining policy. UK Government led digital transformation with the Government Digital Service’s focus on delivery. As a result, the public sector became an exemplar for the private sector. This is needed again to transform how government departments manage their data to support public services and the wider economy.
  2. Put purpose over process. Data security and data privacy processes are often used as a reason why data is not, and cannot, be shared more widely. While these processes can ensure that good questions are asked, often they become box ticking exercises. It should be the purpose to which data is being put that should govern whether or not permission should be granted, not merely whether the process is followed. Government needs to examine legislation and the interpretation of legislation such as the Data Protection Act to make it more specific and less risky for organisations to choose to share data where appropriate.
  3. Develop standards and certify tooling, don’t just issue guidance. Data interoperability across the public and private sector should be centrally defined and mandated so that technology doesn’t impede anyone using data where it is legitimate and beneficial. Data sharing is a difficult problem to solve, but it needs to be backed by authority and/or incentives if it is to succeed. Government can drive towards this consensus by leading the adoption of existing international standards, or funding the development of new data standards and tools where necessary.
  4. Use public sector procurement to support SMEs and startups to innovate. UK Government can stimulate a new ecosystem of SMEs and startups by increasing funding for programmes like Innovate UK and improving the existing efforts by the Department for Trade and Investment to support scaling of these organisations overseas. This should include programmes to support digital skills in organisations.
  5. Consider introducing data science to the school curriculum. Data is central to our economy and the delivery of digital services, and data science can make related academic disciplines like statistics fresh and relevant for students. By including data science on the curriculum it would increase the familiarity with analytical and computational techniques that will be central to so many areas of work and study.
  6. Introduce legislation to increase digital competition. Government can stimulate innovation and increase competition by introducing legislation that requires organisations to appropriately share consumer data with third-parties, with consumer consent. Open Banking has started this for bank accounts and similar measures could revolutionise, for example, the Retail sector, helping to level the playing field for smaller local retailers.

Somewhat agree.

Taken as a whole, the missions and pillars of the NDS include important concepts that will support developing the data economy. But this is only one side of the coin. The NDS does not include any principles, approaches or plans to achieve this. Without this delivery focus, it will remain a good policy that is unrealised. One critical decision not described in detail, for example, is whether the government plans to legislate or merely offer guidance to enable the data economy.

We believe there are strong arguments for the government to describe a comprehensive delivery plan for enabling better use of data across itself – and lead by example for other sectors. This would combine clear guidance with a proven implementation approach that demonstrates the benefits of the approach to the UK.

Lessons on government leading by example can be learned from the digital transformation revolution, led by the Cabinet Office with GDS. This created significant change because of strong ministerial support, the carrot (exemplar programme) and stick (spend control) approach, a strong team of delivery-minded civil servants and a strategy that was defined as “delivery”. The Exemplar programme kickstarted digital transformation across many departments, aiming to achieve cost savings from breakdown of legacy suppliers and technologies. This has had a positive impact on other governments across the world (e.g. Digital Nations originally the D5) and on organisations across the sector.

Given this, we would expect Mission 3 to be Mission 1: government should lead by example to demonstrate efficiency and improve public services both within departments, across departments and local government, and within the NHS. To succeed, it will need a strong Chief Data Officer and a “GDS for data” to drive implementation. Solving the data sharing problem within and across government departments will accelerate the data economy.

One missing Pillar is the power of data and its associated commercial or political value. We must protect data subjects from their data being used against them, which aligns with Pillar 4. This could perhaps be better enabled if the consultation started to more strongly distinguish between the definition of personal data (which has a high risk of misuse) and anonymous data (which has a lower risk of misuse). Instead of all missions and pillars referring to “data” they could instead address the different levels of risk/misuse inherent in different types of data. This would allow principles, controls and potential value to be treated differently between personal data and anonymous data.

One missing Mission is unlocking the art of the possible. Many owners of datasets may not understand the wide range of ways that these datasets can be used. Therefore one additional Mission (Mission 0) should be to educate buyers on the latest possibilities with Machine Learning, Deep Learning and Analytics.

We have been involved in many COVID-19 emergency responses with both government and healthcare.

The following are examples of a few of these projects that describe how data was used to deliver public benefits outside of healthcare:

  • Defra Food for Vulnerable service – this is a new cloud data sharing service, created with supermarkets and local authorities, that allows vulnerable people to be flagged centrally to supermarkets for prioritised services (e.g. delivery). It allows Local Authorities to submit lists of vulnerable people in their area, which supermarkets can cross-check with their customer lists. This use case was prompted by an emergency, but clearly indicates a long-term valuable role for the government, as a proxy to share important data with the private sector that can improve services.
  • Surrey County Council Vulnerable Person service – this is an existing service that we developed for Surrey County Council many years ago to support emergency planning for vulnerable persons. It collects data from many sources across the county (e.g. adult and social care) to be able to visualise and prioritise services. During COVID we worked with the Council to refresh its datasets so that it could better support emergency planning.
  • In a number of direct responses to the COVID-19 emergency, understanding the public’s perception and opinion of public services was a crucial component in delivering and developing those services. This was particularly important for our work on the Northern Ireland contact tracing services. Public attitude, perception and persona data needs to be made more widely available to accelerate delivery of services.

Each of these examples shows the benefit to UK citizens when Government offers services that aggregate datasets and share data more widely to allow new services to be delivered.

It is of critical importance that data protection and ethics are central to this strategy and that organisations are aware of their responsibilities under the Equality Act 2010. Trust is essential for adoption of data-oriented products and services.

Whilst the goal stated is to create a fairer society, in order to achieve this we must maintain protections afforded by GDPR in terms of both privacy and explainability. There is a real danger of introducing bias that contravenes the Equality Act without those protections.

Whilst there is risk here, with proper stimulation and funding there is also a significant opportunity to use data to develop and identify government policy in order to improve citizen services. There is also the possibility of creating a new ecosystem of world-leading startups focused on supporting equality and a fairer society.

Without investment decisions, delivery principles, an execution plan, concrete actions and enabling infrastructure, it is too early to comment on the potential impact of this consultation on all areas of the UK. This will be relevant when an action plan is published.

We recommend that explicit principles are incorporated to address regional inequalities, such as:

  1. Agree to have unified guidance that is developed with and adopted from the beginning by devolved governments. This could, for example, include a UK-wide benchmark for data maturity to ensure inclusion and consistency.
  2. Investment for change (e.g. Exemplar programme for government) that includes benefits for all levels of government: devolved government, local government and central government.
  3. Investment in data skills that targets re-employing and re-skilling those from our existing industries to higher value, higher productivity roles. This investment should also create new skills in deprived regions where unemployment is a challenge.
  4. Creation of data science as a new subject on the curriculum for schools. This would combine applied mathematics, data information and data visualisation and introduce data to a younger audience.
  5. Confirm quantifiable targets for inclusion, for example to ensure data sharing is available to startups and SMEs, not just larger organisations.
  6. Increase access to high-speed internet, embracing the potential of the remote working revolution and providing access from all regions to the new data economy.

All sectors will gain from better data availability, even if they have smaller datasets and fewer customers. Arguably those with the least data will benefit the most from data availability and increased data sharing. But those sectors who collect the most data and interact with high volumes of customers will stand to have a bigger impact on the UK economy:

  • Accommodation and Food Service Activities
  • Arts, Entertainment and Recreation
  • Central/ Local Government inc. Defence
  • Charity or Non Profit
  • Education
  • Electricity, Gas, Steam and Air Conditioning Supply
  • Financial and Insurance Activities
  • Human Health and Social Work Activities
  • Information and Communication
  • Transportation and Storage
  • Water Supply; Sewerage, Waste Management and Remediation Activities
  • Wholesale and Retail Trade; Repair Of Motor Vehicles and Motorcycles
  • Real Estate Activities

Central Government should enable better availability of data across the wider economy by creating a level playing field and setting an example by successfully implementing better use of data across Government departments.

It should define policy and guidance, influence major suppliers, set standards, remove legislative blockers and lead by example with its datasets.

Government can also choose to legislate to mandate specific standards for sectors, though in our view this should only be used to increase market competition. For example, the UK Government has led on the implementation of PSD2 EU legislation for Open Banking. This has ensured UK Financial Services organisations comply and share data through standard APIs for bank accounts to increase competition and innovation for UK consumers.

The UK Government has an opportunity to lead on data standards for Government data, working with and influencing other partners in the G7 to establish cooperation in this area in order to open up new markets for UK organisations.

Central Government should enable better availability of data across the wider economy by creating a level playing field and showing industry how to follow by implementing better use of data successfully itself:

  1. Leading by example for all sectors. Government collects and manages many valuable datasets that could be made available to other departments, other governments and industry using open data standards to deliver new services. Given this, it is important that the government does not just define policy but demonstrates how to implement it, showing the benefits to the wider economy. http://data.gov.uk is a government initiative to share open data, but it remains an isolated site rather than an exemplar default sharing mechanism for Government services. If the government leads by example, others will follow, as has been the case with the digital transformation agenda.
  2. Removing blockers. Government needs to protect citizens and their personal data, but it should also remove blockers that prevent better use of data for social good. We recognise this is a delicate balance between data protection and enabling a data economy. Government should re-examine the Data Protection Act and its interpretation by the ICO so that it can, for example, simplify guidance and clarify legitimate ways to maximise reuse of data.
  3. Defining guidance and certifying tools and data infrastructure services. The Government defines UK-wide guidance for data security (National Cyber Security Centre) and data protection (Information Commissioner’s Office), but not to our knowledge for data availability. Government can supplement this guidance with certificates of tools and platforms that meet the guidance to simplify implementation by UK organisations.
  4. Stimulate a data marketplace. There are technical barriers to sharing data securely while preserving privacy. The market will deliver better solutions for these when demanded by customers. Government can help to stimulate this data marketplace by influencing its suppliers to prioritise this and accelerating uptake with some of its datasets. In areas where legislation on standards and open access can stimulate competition, this should be actively pursued.
  5. Ensuring inclusion and equality of access for SMEs and larger businesses. Explicit policy to remove the technical or process barriers to entry that allow startups and other SMEs to compete should be written in early. Going further still and defining targets for SMEs will encourage positive behaviour.

 

This should apply across sectors, but sector standards will vary for a number of reasons, such as additional regulation. For example, Financial and Insurance Activities will have additional compliance demands that must be considered.

Strongly agree.

Government has an important role in supporting data foundations in the wider economy by:

  1. Defining standards to increase competition and ensure inclusion. Information Technology standards lag behind the maturity of Government-established standards in other industries. This is particularly true of data standards. Without new nationwide syntactic and semantic data standards for interoperability, data availability will be siloed. Government needs to drive this consensus. However, even with national or international standards, data sharing can still fail. This can be seen in NHS attempts to enable healthcare data interoperability – many standards attempts that have not yet successfully enabled universal data sharing such as HL7 v2, HL7 v3, HL7 CDA and HL7 FHIR. Standards on their own may not be enough.
  2. Providing guidance and assistance to help secure data for UK businesses against foreign threats. The National Cyber Security Centre (NCSC) was established to protect UK critical national infrastructure against cyber threats. The NCSC did well to adopt an open approach and publish strong guidance for data security and cloud cyber security. This is a vital role in protecting both government data assets and UK businesses. It will be important for NCSC in future to balance the wider aims of the UK government data economy with cyber security in a number of areas, for example secure data sharing.
  3. Encouraging cities to become strong data exchange hubs for their region through City Deals. This is already part of the smart city agenda for many UK cities, as cities join public and private datasets to improve local services for transport, mobility, safety, housing etc. By celebrating exemplars from existing city services, the Government can help to encourage other cities to become a foundation for the data economy.
  4. Creating legislation that will support UK economy aims while protecting UK citizens. Government has a duty to protect its citizens. Many of these protections can be perceived as significant barriers to its aims of stimulating a data economy. Government should examine legislation or interpretation of this legislation to ensure it does not conflict or become a barrier to entry. For example, the Data Protection Act defines EU-wide protection for UK data subjects and is interpreted and enforced by the Information Commissioner’s Office in the UK. Government should examine how the Data Protection Act prevents or is perceived to prevent legitimate data sharing as part of a wider data economy that also protects the privacy of its citizens.
  5. Remove barriers to entry for private organisations by making government data available. This will stimulate a new data-oriented economy and significantly increase digital and data skills at the top levels across all departments and agencies.

 

However, there are things we do not believe Government should be involved in, namely:

  1. Defining technical solutions. Government should avoid defining technical solutions or designs for the wider economy. These should remain the responsibility of businesses to choose, based on free-market conditions.
  2. Competing with the market. Government should resist delivering services to support data foundations that compete with businesses in the wider economy. For example, the government should not provide a national or regional data lake. Instead, the government should rely on the market to provide solutions.

Government could do the following to reduce barriers that prevent SMEs from using data effectively:

  1. Set published goals for successful inclusion and participation of SMEs in the data economy. This has worked well for SME inclusion in open procurement frameworks such as G-Cloud.
  2. Ensure data standards and guidance are as simple as possible. Data standards in particular can tend to be very complex and so expensive to adopt that they become a significant barrier for SMEs. Ensuring the principle of simplicity is adopted and prioritised for any new standards will be a good step, as will providing tools to prove this simplicity.
  3. Reduce the barriers to entry in place for the cyber security marketplace and security clearance. There is a lack of competition for cyber security supplier organisations to provide pen testing, access sensitive government datasets and participate in closed procurement frameworks. Given the potential for malicious actors, it will still be important to certify organisations, but current barriers for cyber security could prevent government aims for data economy. For example, if the government introduced director-level accountability for data breaches while reducing barriers (similar to those introduced in the financial services sector), organisations would be strongly incentivised to comply and assure their quality levels.

 

The Smart Data Review in 2019 consulted on ways to make evolving schemes more coordinated across banking, finance, telecoms and energy. The focus of Smart Data is citizens asking their providers to share information about them with third parties.

The Smart Data consultation highlights the benefit to consumers of unlocking their data from just one organisation and making this available securely with consent to third-parties.

 

Open Banking has already started to demonstrate some of the benefits – though many of the examples described point to new dashboards for consumers which, although beneficial, are not transformative. The primary consumer benefit of Open Banking (and Smart Data as applied to other industries) is the increased competition and openness to innovation, especially from new organisations (as is the case with Fintech).

 

Given this primary benefit, the Government should validate that Smart Data will provide a competitive benefit to consumers in each industry. A blanket policy will cause significant change without providing commensurate benefit. We can see major benefits to consumers from innovative new services provided in the following sectors through Government regulated Smart Data:

 

  • Open Retail – This would seek to increase secure sharing of personal data in the retail sector by consumers. It would, for example, aim to allow a view of all retail purchases and share these with approved third-parties. This could allow smaller local shops to better optimise their stock and pricing to compete with larger supermarkets for local customers, or offer value-add services such as prioritised services for vulnerable persons. This same availability of data would also allow local shops to analyse the online buying habits of customers within their location and better compete or provide their own recommendations.
  • Open Government – This would seek to increase secure sharing of personal data in the public sector by consumers. Government needs to lead by making the personal data it holds on citizens available for increased competition and new services. In healthcare, for example, health records are typically held by one part of the NHS and so are not available in different regions, NHS Trusts or to private practice. Private companies have attempted to popularise Personal Health Records but this has largely failed. Government could legislate for the healthcare service to improve healthcare services by applying Smart Data.

The Data Protection Act is designed to protect the privacy of data subjects. GDPR has strengthened the level of protection citizens can expect when their data is collected across the EU. We believe this is an important protection for UK citizens, but with some changes could do more to support and accelerate use of secure and private data sharing.

Government can ensure its data protection framework is fit for purpose by considering the following:

 

  1. The DPA needs interpretation by the ICO for the UK. This need for interpretation and clarification needs to be accelerated to simplify implementation for UK organisations. For example, it was only recently clarified that car registrations are categorised as personal data. It would be more helpful if this interpretation could be clarified to enumerate an exhaustive list of personal data for the digital age.
  2. The DPA is vague when discussing anonymous vs. pseudo-anonymised data vs. personal data. If the ICO took an approach to certify market tools that anonymised personal data (or created synthetic data) safely, then UK businesses could use data with higher confidence. This would mean that businesses no longer need to take a risk by making a judgement call from ICO interpretation. Instead, businesses could use industry-standard tools that remove personal data with high confidence and are underwritten by the UK government.
  3. The DPA could exploit the power of pseudo-anonymised data better with cryptography. If controls were defined for pseudo-anonymised data (encoded personal data) then this could also provide a good compromise position that allows data to be used for secondary purposes, e.g. via data sharing but with measures to prevent reverse mapping to individuals. In this way, the data controller/processor would have access to secure personal data for its primary purpose, while third-parties would have access via a secure sharing mechanism to pseudo-anonymised data. Cryptography standards could be adopted to ensure pseudo-anonymisation can only be reversed with the keys kept securely by data controllers.

The CDEI represents an excellent opportunity to provide expert guidance for government, regulators and firms on how to safely and ethically use data and AI in their operations. For example, its recent report on how to identify and correct bias within algorithms was pro-innovation, but gave very specific and practical guidance on how to use those approaches safely and ethically. This is something that a traditional regulator will typically struggle to do, given their statutory enforcement role, and Government will often also lack the specialist technical skills required to do this well.

A change to statutory status for CDEI should focus, not on enforcement (which should remain with sector regulators), but on access. Many organisations using data are understandably reluctant to expose their data practices to independent scrutiny; while CDEI will be able to champion best practices relating to data innovation and ethics, it should also have the statutory powers to insist on cooperation from organisations that are less willing to be transparent.

In our view the actions that will have the single biggest impact on transforming government’s use of data will be:

  1. Accountability and productivity, followed by
  2. Capability, leadership and culture

Currently, government policy defines departmental accountability for information risk as part of Government Security Roles and Responsibility. In practice this responsibility may fall to one role, e.g. Departmental Security Officer (DSO) or Senior Information Risk Owner (SIRO) but it ultimately rests with the Permanent Secretary as Accounting Officer.

If information risk is de-centralised to departments (and in some cases further down to agencies), implementation of well-meaning centralised government policy, standards and guidance will still rest with departments. Therefore clarification of accountability can have the biggest impact.

One of the major challenges the Government faces with its current accountability strategy is that information risk is bundled under Government Security. This will inevitably prioritise information security and privacy. In real-world application, security must be balanced with functionality. Appropriate controls must be deployed that are commensurate with identified threats.

The challenge arises because government departments are not required to prioritise sharing data and securing data equally. As a result, the pursuit of security will almost always take precedence, making advancement or innovation extremely difficult.

What is needed is a pan-government policy that commits departments to sharing data, supported by an accountable senior person in each department who must ensure that data is shared. This could be a Chief Data Officer, for example, who is a specialist in understanding data and whose success can be measured against pan-government commitments.

This will provide both strong departmental leadership and accountability for data sharing to support the data economy. Capability must be developed to support this, enabling departments and agencies to implement policy and realise the improved citizen services, data-driven analytics, permissive data sharing and AI/machine learning in order to provide new capability.

We were unable to find a published pipeline of data standards that the Data Standard Authority is working on so are unable to comment on these.

We do not consider that standards should be selected or prioritised separately from Government priorities for data economy and data sharing. Instead, standards to enable effective data sharing should be developed that fit the specific industry, domain, consumers etc. For example, if Open Healthcare was a priority, then the standards to develop would relate to syntactic and semantic standards for UK healthcare data – perhaps a specific FHIR version, with agreement on a corresponding set of FHIR profiles that codifies this for UK healthcare.

In any case, standards should strive to be the simplest they can be to reduce the technical barrier to entry for consumers. The Data Standards Authority should ensure that all developed standards are designed around the principle of user needs in order to increase inclusion and success for new standards.

The infrastructure on which data relies is the virtualised or physical data infrastructure, systems and services that store, process and transfer data. This includes data centres (that provide the physical space to store data), peering and transit infrastructure (that enable the exchange of data), and cloud computing that provides virtualised computing resources (for example servers, software, databases, data analytics) that are accessed remotely.

Many data infrastructure service providers already provide data security, continuity and resilience of supply. There has been significant improvement in the default services supplied by the major cloud providers in the past ten years and the market is providing greatly improved services year-on-year. These improved services should be defined by the Government as a baseline for new data infrastructure providers.

It should be the responsibility of an approved Government body, working with data infrastructure service providers, to certify solutions or patterns for data security and resilience services that comply. This explicit certification will provide a quick-start for consumers. Consumers will know that their data is secured and resilient with approved patterns on certified services by UK specialists, e.g. the National Cyber Security Centre.

It is this vertical integration sandwich of data infrastructure supplier platform services, successful patterns provided by Government specialists and tooling that will simplify the implementation and create confidence that guidance has been applied successfully. This would, for example, allow for not just secure collection of data and resilient data access across IT failure, but also enable automatically pseudo-anonymised or anonymised derivations of these datasets to be made available for secure sharing by default.

We are a consulting services organisation and so are not directly a large consumer of data infrastructure services. Instead, we support our customers to select data infrastructure services and use these to deploy new services. From this experience, our clients typically assess the security protocols of new data infrastructure providers before first deploying any data to them, but rarely assess them regularly thereafter.

This assessment will typically include:

  • Review of security and compliance documentation.
  • Review of industry-standard compliance certificates, e.g. ISO27001.

This assessment does not typically include:

  • Physical inspection of data centres – this is usually unavailable to customers for security reasons.
  • Assessment of data infrastructure personnel who have access to data centres and privileged access to services and/or data.
  • Red team testing of data infrastructure security to identify vulnerabilities.

The Government could do more to short-circuit this assessment process for departments and UK organisations by certifying data infrastructure providers against new cloud security standards (e.g. through the National Cyber Security Centre) or against data protection controls (e.g. through the Information Commissioner’s Office). This certification from the Government would provide reassurance, increase trust in data infrastructure providers and lower the risk for customers.

However, this is only one part of the picture. Security protocols are a shared responsibility between data infrastructure provider and customer. Customer security protocols – including configuration of infrastructure, patches of unmanaged services and application design – are selected by customer delivery teams and approved by design authority or security accreditors.

To ensure high standards of security and resilience for data infrastructure:

  • It is a Government responsibility to work with data infrastructure service providers to certify solutions, tools or patterns that use their data security and resilience services. This explicit certification will provide a quick-start to consumers. Consumers will know their data is secured and resilient with approved patterns on certified services by UK specialists, e.g. the National Cyber Security Centre.
  • It is data service providers’ responsibility to proactively provide services to the highest level of data security, privacy and resilience. More than this, data service providers will dramatically increase protection by making data security, privacy and resilience simpler to implement (ideally provided by default).
  • It is the data service supply chain’s responsibility to maintain the same standards and processes for their design and staff as data service providers.
  • It is customers’ responsibility as data controllers or data processors to test data services themselves, but also to adopt similar security protocols in their designs and applications that use these foundational data services. This will include configuration of infrastructure, patching of unmanaged services and application design. It is particularly important that customers test this security continuously to identify vulnerabilities early, before they are discovered by malicious actors.

It is this vertical integration sandwich that is required from all parties to ensure consistently high standards.

It is not helpful to select the “most important” factors to manage the security and resilience of data infrastructure. Instead, all factors contribute to overall security. Malicious actors devote themselves to uncovering security vulnerabilities that allow them to exploit data or services. If one factor is prioritised over the others, this will just result in more opportunity for exploitation in other areas. The principle of “defence in depth” means that all factors should be applied.

It is worth highlighting that one area is often prioritised over another unknowingly, and this unconscious prioritisation results in increased risk. Instead, we would expect that the following areas are given equal consideration for their security and resilience risk:

  • Vetted staff and controls for applications administration
  • Vetted staff and controls for infrastructure administration
  • Information security controls for applications
  • Information security controls for infrastructure
  • Physical security controls for buildings
  • Multiple redundant locations for buildings

There is again an opportunity to lead by making strong commitments to addressing the challenge of the climate emergency. Through both bold legislation and commitment to international protocols, the UK government can connect the green revolution to the National Data Strategy on a number of fronts.

The Government can lead the way in connecting SMEs and startups to the challenges via targeted innovation funding that supports development of new technologies that leverage data, helping to achieve carbon neutrality at home and abroad by transforming industry.

The Government should also work with departments and industry to realise the benefits of aligning data and technology strategy to public cloud, where there is already significant investment in carbon negative data centres, creating a circular economy oriented around renewable energy, and low footprint efficient data platforms.

Third, the Government can help by encouraging adoption of a Smart City agenda through city deals; this will bring strong focus to local adoption of carbon usage in major population areas.

The UK could improve on internal personal data transfer mechanisms by providing more than just legislation and interpretation of the Data Protection Act. If the Government provided data protection tooling or certified market tools for data protection, then UK businesses could act with higher confidence when transferring personal data to/from the UK.

We will seek EU ‘data adequacy’ to maintain the free flow of personal data from the EEA and we will pursue UK ‘data adequacy’ with global partners to promote the free flow of data to and from the UK and ensure it will be properly protected.

The Government should determine priorities for future UK data adequacy arrangements by aligning these with UK economy trading priorities for data services.

  1. Multilateral data adequacy with the EU bloc is a priority to avoid introducing limitations on current services and working arrangements. This is essential to avoid setting back the UK economy many years by preventing access to current services by the UK’s largest trading partner.
  2. When considering which specific countries should be prioritised, Government should focus on data equivalence with trading blocs rather than individual countries.
  3. The export of data services from the UK is a priority if Government wants to encourage UK economy innovation. With a focus on export, the Government could prioritise unilateral flow of personal data into the UK (over data from the UK) by being recognised as a leader worldwide of the highest data protection standards.
  4. New trade agreements with specific countries should include data adequacy provision as part of the agreements.

Authors

Richard Sargeant

Chief Operating Officer, Faculty

Richard is the Chief Operating Officer at Faculty. He supports senior leaders across a variety of sectors to transform their business to use AI effectively. Before joining Faculty, he was the Director of Digital & Data Transformation at the Home Office and one of the founding directors of the UK’s Government Digital Service. Before that, he worked at Google, the Prime Minister’s Strategy Unit, and co-founded Engineers Without Borders UK. He is a non-exec director on the board of Exeter University, and the Government’s Centre for Data Ethics and Innovation.

Tom Nixon

Director, Government Practice, Faculty

Tom Nixon is the Director of our Government Practice at Faculty, responsible for overseeing all of our government and public sector delivery in the UK and internationally. He is a thought leader and trusted partner in how government departments can utilise cutting-edge AI and ML in decision making, in building internal data science programmes and capability, and in achieving better data-driven policy delivery. In his time at Faculty, he has overseen complex delivery across Cabinet Office, GDS, BEIS, the Home Office, the Maritime Coastguard Agency, and the National Crime Agency, among others.

Nijma Khan

Principal, Government Practice, Faculty

Nijma is a Principal at Faculty. She is an experienced strategy director with a track record of driving complex, multi-stakeholder projects with blue-chip industry clients and non-governmental organisations such as the World Economic Forum and World Business Council for Sustainable Development. She has fifteen years’ experience building business strategies that address environmental and societal challenges and is now using that expertise to drive adoption of AI across multiple sectors. Prior to joining Faculty, Nijma was responsible for Strategy, Insights and Innovation at Accenture with a particular focus on the impact of automation on learning and work, and the practical application of AI and emerging technologies for good.

Peter Campbell

AI Practice Director, Kainos

Peter leads Kainos’ AI Practice and is responsible for helping customers solve their toughest challenges through data and AI/ML solutions. Peter has held a variety of progressively senior technical roles at Kainos, including Chief Technology Officer, delivering award-winning digital services for UK citizens.

Rory Hanratty

Chief Technology Officer, Kainos

Rory is accountable for Kainos’ development of technical expertise and innovation. He is a technologist with over 20 years’ experience encompassing AI, data, cloud, product management and agile delivery. Rory is passionate about technology for good, for everyone.
