Centre of Excellence for Information Sharing
How the new regime of data protection regulation could be a boon to government, helping it build trust with citizens so it can safely share their data and improve public services.
Over the last year, the Information Commissioner’s Office (ICO) has issued record £400,000 fines to nuisance callers and telecoms providers. Anyone who has received unsolicited calls will likely be grateful to the ICO for acting on it. It is not just private organisations which come within the ICO’s purview; they also work to uphold personal information rights in the public sector. In 2016 the ICO carried out a survey of data protection attitudes in the UK, which found that only 36% of people said they trusted government departments with their information. It is hardly surprising, then, that public discourse around data protection is dominated by fear and risk. It need not be. There are surely many in local authorities, who, after their initial bewilderment at the new regulatory regime, will bang out privacy impact assessments with a distinct sucking of teeth. That is certainly one way of seeing the ‘prohibitive’ Data Protection Act 1998 and – dare I utter the name of the ultimate bogeyman – the ‘formidable’ EU General Data Protection Regulation (GDPR). Having written an impact assessment or two and acted as an FOI officer myself, I can certainly sympathise. I would argue, though, that government should wear its data protection compliance like a badge of honour to win the trust of the citizens it is there to serve.
How did we get here? We humans – ‘political animals’ to our very core if you believe Aristotle - have always shared information, albeit in small networks of trust. This is something attested to by ancient cave paintings such as in Lascaux, France. Even other social animals such as bees and ants share relevant information by use of movements, vibrations and chemical signals – and Koko, a female western lowland gorilla shares her thoughts quite fluently with her handlers using sign language. The problem is Moore’s Law has meant our accelerating technological advances and increasing complexity, such as in instantaneous data sharing, have outstripped our abilities to understand and manage the consequences together. This has happened to the extent that the debate around our behaviours and ethics around information sharing has been left trailing far behind our raw abilities to do it.
Government, in its modernisation of public services, has been landed with mountains of information on its citizenry. It has done this on the assumption that the usual contractarian relationship of government by consent has held, and it can appropriate whatever data it needs to in pursuit of supporting and improving public services (which, if it has a statutory duty to do so, is legally correct). So what has changed? For one thing, the age of deference is over. Even medical expertise, until very recently the sole preserve of human institutions in white lab coats, has been democratised by Google search. Information is being stored and shared at volumes and rates incomprehensible to someone from ten years ago, let alone 10,000. The trusted network of confidantes has been replaced with an almost complete alienation of your own information to goodness knows where. What is so desperately needed now is a change in public discourse, and there are some practical ways we can start to shift it.
The first step along this journey for public servants should be to build trust through proactive self-restraint; arguably one of the cornerstones of our liberal democracy. Other forms of government are characterised by leaning to the extreme ends of their powers, and their relationships with citizens are those of fear; not trust. Just because you could do something hardly means you should – and conversely you could demonstrably go the extra mile for the welfare of your citizens too. Let’s play to our strengths here. Take a case study we did on Wigan’s SharetoCare programme. They asked for consent from GP patients in order to build trust, although they did not necessarily need to in order to provide direct care. Instead of seeing consent as a barrier – why not use it as an icebreaker to start the conversation on a positive footing?
A second step that is sorely needed is a shift in thinking around whom information belongs to and how we communicate around that. All levels of government have seemingly adopted a view that data on its citizens belongs to the state. I call this informational neo-feudalism. In reality it belongs to its originator - the citizen. At best it should be viewed as on loan to the government for particular beneficial purposes. Government can change the debate here by harkening back to the liberal contractarianism and consent-based government which underpin our modern political order. We need to get better at how we communicate the benefits of collecting citizens’ information, and should not be taking citizens’ consent and deference to government for granted. Some private organisations such as Healthbank in Switzerland offer to host your personal health data, but allow you to control who can access it, even letting you ‘sell’ it for personal reward. What they and other such organisations do so well is clearly outline the benefits to the ordinary citizen. There is a lot government can learn from this approach. Instead of demanding “give us your data”, we should be saying “here are the benefits to you of us holding and processing your data, would you mind please giving us your consent to collect it.” Medical professionals call this ‘good bedside manner’.
The third step and biggest shift in thinking that is required from government, however, is a more positive turn in our attitudes towards regulation. I mentioned above that the shift from cave to Canary Wharf has produced complexities that are now beyond our understanding – but the human brain has a secret trick up its sleeve: heuristics. We use symbols to categorise and group complex sets of information to make sense of the world. Brands like Coca Cola use consistent labelling in order for people to recognise them, their particular product standard and quality level in the blink of an eye. Likewise, we use accreditation such as university degrees, professional qualifications and bodies in order to provide abridged assurance to employers and potential business partners or clients that we have attained a particular standard of professionalism or service. The recently introduced Food Hygiene Rating Scheme stickers, much in evidence in high street food outlets these days, offer potential customers assurance that the food is of a certain standard, and this in turn encourages them to provide their custom. A piece of regulation has been turned into a powerful tool of marketing because both the regulatory agency (the FSA) and local restaurateurs have recognised the benefits of using it to assure customers and attract them.
Back on the data protection front, authorities up and down the country should be falling over themselves to advertise the fact they comply with the new regime of regulations. The most forward thinking of these already see their citizens as ‘clients’ or ‘customers’, and they should be attracting them into their ‘shop’ by certifying and advertising that they will treat their information carefully and to the highest standards.
Will citizens ever fully trust anyone with their most personal information? Will there ever be an end to trust-busting data breaches, leaks and mishandling? Even with new encryption technologies such as blockchain, it’s unrealistic to answer ‘yes’ to either question for the near future. The best we can do is openly advertise that we comply with all the necessary regulation and are doing our best to protect the information of those who give it to us, and that will go the furthest in winning their trust so we can improve public services together. If government saw compliance with data protection regulation the same way they saw awards or accreditation's, they would likely find the public a lot more willing to share their information with them.