Thoughts offered to the Policy Exchange for its government tech research

The Policy Exchange is doing a major review of government and technology, and asking various bodies for input. Mydex did a written submission, and spoke to their researcher. Here’s what we said in the interview.
Some things are going well. The open data initiative has survived from the previous administration’s “Power of Information” policy, and been taken forward with the new Open Data Institute. Martha Lane Fox’ Digital by Default agenda is spot on. The Enterprise and Reform Group set up by Ian Watmore and now under Stephen Kelly in Cabinet Office provides essential focus for getting more done for less. The new Government Digital Service under Mike Bracken brings a welcome and wholly different culture to the heart of public service IT, with the gov.uk single platform, the GCloud IT services shop, and its commitment to strong design and privacy principles, to open source and to non-reinvention of the wheel.

The key new point going forward is understanding the role of personal data. Specifically this means unleashing the latent power of personal data controlled by individuals, not by organisations.

There’s still a need to understand and accept what we could call “the Power of Personal Information”. This starts with how personal data differs and is complementary to the Open Data covered in the “Power of Information” policy. Open data — about stats, geography, organisations or money — is a good thing and we need more of it: postcode address file, full release of public sector org charts. Many of us would like to see Freedom of Informaiton as the default setting. People’s personal data about their health, education, job seeking, tax or welfare is also full of potential, perhaps far greater. It must be treated differently as a matter of law. It requires different policy and practice. This can be achieved with simple further development of largely existing technology.

This needs to be clearly recognised, restated, universally accepted, implemented and enforced.

For clarity: so-called anonymised personal data must still be treated as personal data. You can remove obvious personal identifiers, but if there is anything unique in a record, then in an era or increasingly available and searchable universal data sets, you have to assume the individual behind the unique data can be discovered. Get this wrong and you forego trust and fall foul of the law.

Our input to the Policy Exchange process focusses on the opportunities afforded by personal data stores such as Mydex. They offer the potential for immense cost savings, far greater convenience and safety for individuals, and privacy-friendly personalisation of a range of public services, including seamless cross-boundary services such as health, social services and housing.

Several initiatives necessary to make this work across public services are already under way. They include

• the new-style ID Assurance programme, which assumes individuals will use a third-party identifier to access digital-by-default public services
• the BIS midata programme which builds momentum for businesses such as utilities, telecomms, loyalty schemes and card firms to give structured data back to the individual
• similar data giveback momentum for health records and health-related admin data

Mydex is one of HMG’s accredited ID Assurance providers. This holds the door open to the individual holding under their own control the proofs and identifiers they need to get things done. Letting DVLA check your MoT and insurance to give you a tax disc works quite well. Letting the individual hold their own electronic proof of insurance and of MoT in a personal data store (PDS) may at first sound not dissimilar. But the differences in effectiveness and efficiency as the PDS model scales are monumental.

Putting individuals in control, and letting them acquire and control their own proofs of verified address, that the pay council tax or hold a valid driving licence, is the basis for rebuilding a foundation of trust in what we do online with government and with business.

It doesn’t need new laws, because giving individuals control and a basis to informed consent to specific and limited data sharing is wholly in keeping with the spirit and letter of European data protection legislation. Privacy by design will come easily and naturally to government. It will save money, and bring convenience to empowered individuals.

To bring this about what Ministers need to make happen, in addition to the good work above they are already doing, is

• have officials revise what online proofs are necessary for an individual to access each type of online service (health, education, welfare, licences)
• require that each agency that issues such proofs on paper also issues secure and unforgeable electronic versions (of the passport, driving licence, right of residence or to vote, eligibility for welfare etc)
• and require that the services in question accept the electronic versions of proofs of claims.

As well as ID Assurance (and single sign on) working with Mydex-enabled individuals brings the benefits of a secure “digital letterbox”. In raw terms this means individuals and public services can make 10 years’ unlimited use of an enduring two-way encrypted connection for less than the cost of sending one single letter. Working on this basis will bring immense savings to public services, and remove a colossal amount of inconvenience for individuals and those trying to do help them by doing case tracking on their behalf. You don’t get lost in the system of call centres, letters and faxes with a bilateral digital connection from the individual to the service.

So if Policy Exchange wants to point the way towards significant savings, privacy-friendly personalisation and restoration of control and power to individuals in their administrative dealings with the state we recommend it put personal data stores at the heart of its new wave of policy recommendations.

What do you say?