One leap forward …

Alan Mitchell
Mydex
Published in
4 min readMay 31, 2022

The UK Government has just published a landmark policy on data sharing. It represents a breakthrough in thinking, policy and strategy. Not just a step forward, but a genuine leap forward.

At the same time however, Its new Data Sharing Governance Framework is badly bungled. So badly bungled that, if implemented as it stands, it would actually result in three leaps back. Fortunately, this damaging outcome can be avoided.

The positive bit

The genuine leap forward is that the Government has, at last, recognised that a personal data ecosystem based solely on different, separate organisations each collecting and using data for their own purposes, in isolation to one another, guarantees that the full potential of this data will never be unleashed. It has recognised that we need to move from an outdated ‘One User, One Use’ approach to personal data to a ‘Many Users, Many Uses’ approach.

Some passages in the Framework couldn’t be better written. Here’s an example:

“Data is essential to delivering good public services, developing and evaluating policy, and a wide range of government operations. The data needed to do this well is often held in different parts of government and needs to be shared so that it can be used … clear and common governance standards are needed to deliver data to the right place at the right time.”

Clear, simple and absolutely spot on (as far as it goes).

The Framework also introduces a series of practical measures that are essential if data sharing is to be improved. These include organisations committing to developing data sharing strategies (instead of ignoring the issue as most have done until now), making it easy to start data sharing (by providing a first point of contact for example), building data inventories so that others can see what sorts of data you are holding, and developing common standards so that data sharing is made easier.

In our own work for the Scottish Government, on its strategy for Smart Entitlements, we recommended the same sets of measures. So far, so good.

Three leaps back

The three leaps backwards are as follows. First, the Government’s vision of data sharing is purely inter-organisational. Personal data held by one organisation will be shared with another organisation without any citizen involvement. At first glance, direct organisation-to-organisation data sharing might seem sensible. But it’s not. It’s a recipe for a cost, complexity, security and trust catastrophe.

That’s because, in any system of organisation-to-organisation data sharing, as more organisations take part, the number of connections that are needed between them rises exponentially. If just three organisations are involved, data sharing between them requires just three connections. That’s manageable. If 8 organisations are involved, the number of connections jumps to 28. If 50 organisations are involved, the number of connections that are needed jumps to 1,225. Completely unmanageable. This blog outlines the logic and the risks of inter-organisational data sharing.

If the UK Government continues with this approach, it will quickly discover that as it attempts to make it scale it runs into a nightmarish thicket of complexity. We’ll be publishing a White Paper on this and the design requirements of a positive way forward in the next few weeks.

Second, the Framework does not mention citizen consent. It does say that Government departments should comply with data protection regulations. But what it doesn’t say is that with its ‘bold’ plans to reform these regulations, it intends to all but abolish citizen’s rights to be asked for consent before their data is shared. If the Government’s plans for data protection reform go through, it’s not even clear that citizens would even be informed that their data is now being shared willy-nilly across Government departments. This is a recipe for a catastrophic loss of trust.

Third, the Framework is silent about the actual purposes for which citizens’ data should be shared. The Government says civil servants working for Government departments should “make sure that you are sharing data responsibly” but (as with its proposals in Data: A New Direction) it never defines what ‘responsibly’ might mean. In doing so, it places 100% of the burden of deciding what is ‘responsible’ on ‘senior leaders’ in Government departments. Civil servants. That’s not fair and is a recipe for ducking, diving and confusion.

A better way forward

There is a simple way for the UK Government to preserve its genuine leap forward without also making three leaps back — and that is to organise data sharing via the citizen whose data it is.

If Government shared the data it holds about citizens with these citizens by placing their data in citizens’ own independent personal data stores:

  • the cost, complexity and security catastrophe created by inter-organisational data sharing would be avoided
  • citizens would remain in control of who they share their data with (thus enhancing rather than destroying trust)
  • citizens could decide what purposes they want to put their data to (thus taking the burden of making these decisions off civil servants in Government departments).

This is the approach already embedded in the Scottish Government’s planned Scottish Attribute Provider Service — which represents a genuine leap forward without any of the drawbacks. As it stands, the UK is in danger of turning what could have been a genuine breakthrough into a damaging debacle.

--

--