Digital Economy Bill

Written evidence submitted by medConfidential (DEB 08)

Submission to the Digital Economy Bill Public Bill Committee: Part 5 (Digital Government): Secret, invasive, & nasty.

This Part of the Bill allows Government to share data on citizens however it wishes, in secret, and use that data for operational decisions. Using data is neither good nor bad, nor is it neutral. It is how and why it is used that matters, and besides high level principles, the operational detail matters, and oversight of how these powers are used is essential.

Government claims it needs more powers to copy data without accountability, when existing powers seem to suffice - the main difference between now and this Bill is the reduction in transparency required at the operational level.

Just as every data disclosure in the NHS should be consensual, safe, and transparent; the same should apply for Government. Consent in many cases for central Government will be the statutory consent as the will of Parliament without individual dissent, but the principles still apply.

This Bill covers all data, across all levels of Government - central and local.

Health data is included in this sharing

While Cabinet Office claims about this legislation "not covering health data" have been loud, they doth protest too much.

There is no bar in s29 on health data - s29(3) covers "a public authority" or "a person providing services to a public authority" – which includes NHS bodies and suppliers. Additionally, improving "physical and mental health" sound very much like a health function.

Medical records are covered by almost all of this Part (except, perversely, the one Chapter where safeguards are strongest and being strengthened: Research). A bar does appear in s63(2) which narrowly prevents health data being used in research only, but does not prevent NHS medical records being copied for use in operational decisions by Government departments.

The claimed bar on health data should be across this Part of the Bill, which is reflected in medConfidential Amendment 1.

" Data Science "

Science requires a testable hypothesis – this Bill has nothing to do with Science. This Bill is about allowing alchemy - it is about supporting superstition, facilitating fear, and promoting prejudice, behind a "big data" illusion. Will there be a falsifiable hypothesis that can be tested? Or will the question be made up, based on what they found first? [1]

Policy based evidence making is not new. This bill creates a data smokescreen to justify preconceived ideas and ideological choices. This isn’t a digital economy with citizens, but it’s about the state doing things to people.

"" If you give me six lines written by the hand of the most honest of men,

I will find something in them which will hang him. "

- Cardinal Richelieu

In recent weeks, it has emerged that a citizen was stripped of housing benefits because data showed they were cohabiting with "Joseph Rowntree", [2] the 19th Century philanthropist whose modern legacy includes a Housing Trust which bears his name, and which was that woman’s social landlord. [3] The DWP contractors used just enough data to create "evidence" that reinforced their prejudice, but not enough to realise their "evidence" was lunacy – which would have been entirely evident if they had used one of the main tenets of scientific inquiry: a google search. This is not about critical inquiry.

Publicly funded scientists are required to have a hypothesis, satisfy peer review, critique, and accountability. "Data science" at the cabinet office is about copying data on the any citizen to anywhere that wants it. Science should not just be about finding data that agrees with hopes, but also evidence that disproves those superstitions. [4] To treat data as personal data, [5] the system has to see the individuals involved as people - something it is optimised to avoid doing.

Secret: stashing data in the dark dank depths

Currently, sharing data from one department to ONS requires approval of Parliament; and sharing between Departments effectively require some degree of transparency. This bill removes the requirement of transparency and enables full secrecy. It also puts local government into this fertile breeding ground of fraud and misery.

This arrangement is by choice.

medConfidential Amendment 1 creates a "Data Disclosure Register" which requires that all disclosures of data between data controllers to be logged in a public register, giving at the very least, a title, a description, and a web page to find out more. For new disclosures, of which the intent of this Bill is to create many, that should also include a set of hypothesis to be tested, a privacy impact assessment of the work, the data to be shared, and the outcomes of the work. If Government wish to claim their work as science, it must be held to that standard.

As Government gives taxpayers a summary of how their tax money has been spent, Government should give citizens information on how it has used data about them. Transparency on the sets of disclosures is the first step.

If there is transparency through a Register, there can be an informed conversation on whether a particular data disclosure will solve the problem it claims to. There has been data sharing to "prevent fraud" for decades; and a complete absence of audited and accurate results from that work. With additional powers comes additional responsibilities. The argument that current data sharing has not prevented fraud, so there should be more data sharing, could equally be doing the same thing over and over again and expecting a different result. 

Invasive: s29 - "Improving Public Service Delivery" (Collect it all and send it anywhere)

There is almost nothing the public sector does that is not covered by s29 of the Bill. As such, it allows any part of Government to send data anywhere for any purpose.

The bureaucratic priorities of Departments may be parochial and petty, but they are deeply protective of the data for which they are custodians. All aspects of this must be accounted for. It is the original data collector that will make promises to the public about how that data will be used, or, more importantly, how data will not be used. Those promises can easily be broken with data sharing agreements, where the recipient department does not consider itself bound by promises made by another Secretary of State.

A minor "improvement" in one public service should not be at the expense of a wholesale loss of trust in another. It is unwise to expect those focussing on a particular task to also recognise the big picture.

It is entirely logical for a Home Office official tasked with preventing sham marriages to believe that accessing NHS data that GPs may have on marital happiness would help them do their job. That the Cabinet Office were expecting that to be an example in their public consultation shows how easy it is to misunderstand the public interest. Care.data style mistakes are not an isolated incident in the public sector - it was only the first. 

The folly of omnipotent perfection

Is there anything that "for the purpose the improvement of the well-being of individuals or households" (s29(9)) or improving the "contribution made by them to society" (s29(10) ) doesn’t cover? For now, those purposes can be entirely in secret, and cover any data anywhere in the public sector, without citizens involved having any knowledge or approval of such processing.

The example often raised is of one Department sharing the health state of a vulnerable citizen with another. There are obvious benefits to this. Perhaps DWP would wish to start by honouring the fitness for work assessments of the NHS? Or is this only to apply when the information shared is what the receiving department wishes to hear?

One example, repeatedly used by the local government advocates of expansive information sharing, is of a alcoholic woman placed in social housing above an off licence - clearly not an ideal outcome. However, sharing data on everyone to protect the few will cause significant harm to those who do not wish everyone to know their health conditions. In both cases, the bureaucracy can do the right thing, if it asks the individual involved what information should be passed on, and respecting their wishes. Sending large data sets to many organisations, solely because they might be useful, is far less helpful to front line public services than giving them the information they need to do their jobs with those in front of them, and trusting them to have sensitive conversations with those they help.

Sending all data may cause more harm than it prevents; and reduces the likelihood of individuals who need help asking for it, as they don’t know who will get to find out that they asked. 

s38 - Disclosure of information by civil registration officials (the ID card database returns)

The publicly stated policy intent of this section is to allow a citizen, interacting with a Department, to allow that Department to confirm their civil registration information electronically.

As drafted, the legislation also allows copies of the entire civil registration databases to be copied to arbitrary locations for arbitrary purposes. This is not the same thing as a citizen allowing access when using digital services.

MedConfidential Amendment 2 requires that any disclosures under this provision are with the consent of the citizen or their legal representative (especially relevant given birth/death registration), and thereby prevents disclosures or all entries in bulk [6] under this legislation. Other bulk powers will continue to exist, but a digital economy can not be build by copying bulk personal datasets around Whitehall without oversight. 

Chapters 3 & 4 - Fraud and Debt

We will address these provisions further when specialists groups have expressed their views at the Committee stage.


In short, given the vulnerable nature of individuals who will be involved in this area, it is far more likely that confidence will be gained by asking for permission (ie consent) or whether they object (ie dissent) than doing such "assistance" in bulk automatically.

Perverse incentives abound, and the Government’s debt collectors are not the soft and warm arm of Government from which unsolicited assistance is likely to be most welcomed.

While citizens should be given the option of opting into the debt provisions, they should not be given the option of opting out of the fraud provisions, however there must be suitable scrutiny of the success of programmes to identify repeats of bureaucratic abuses.

Chapter 5 - Research and Statistics

s67 45(B) 2 allows the Board to have a "right of access" to data.


As the Statistics Board may specify what data it wishes, in a time of shrinking budgets, the economically rational approach of the Board is to collect all the data from the source department, and handle it all internally. The target Department appears powerless to prevent such copying. That health data is excluded from research but not statistics is perverse.

It is for this reason that transparency over the scope of all data disclosures is vital.

45(B) 9 leaves whether the request and response shall be laid before Parliament up to the Statistics Board. Publication should be mandatory, especially when the exchange concerns scope of requests and disagreements between departments.

When the Statistics and Registration Services Act 2007 has been amended, the bar on privacy protections for health data will be easy to be missed as it will not be visible in the legislation that gets amended by s66, s67, and s68. The explicit bar on health data should be included in each of those sections also.

We are aware of other conversations ongoing about how this clause should be amended, to remove compulsion, but to maintain the ability of ONS to request and justify appropriate data for their goals. We will reassess the efficacy of this clause after such amendments have been laid.

Nasty - the combined effects of a plain reading of the Bill

Is "Bad Science" to become the basis of policy across Government?

As drafted, this Bill would make it easier for the Department of Health to revive care.data within itself, would compel all care providers to hand data over, bar researchers from using it, and do so entirely in secret. While this doesn’t match what Ministers said they intended, but it is what a plain reading says is entirely possible. [7]

The current Government has made many claims to privacy. This Bill reflects none of them. The Cabinet Office’s Verify programme allows citizens, whose identity is proven, to share validated attributes of themselves, in a manner which gives Services the information they need to know, with the assertion of correctness and sourcing in a manner which is highly reliable.

The powers in Section 1 of Part 5 disregards all that work, and allows copying of databases on populations simply because it makes a civil servant’s life easier. The justification of improving the "the well-being of individuals or households" or the "contribution made by them to society"" is an absurdly low bar that covers data disclosing all details that Government has on its citizens to anyone who wants it, including the most sensitive health data. This legislation gives another route for NHS England to restart care.data with exactly the same problems as they had previously - the civil service has ignored all lessons that would require change from the civil service.

Ministers claim that this legislation resulted from the "open policy making process". From our involvement, that claim stands up to no more scrutiny than the benefits blunder in footnote 1. The Cabinet Office misled everyone involved, wasted a vast amount of time and goodwill, and went ahead with doing what they were going to do anyway. At the very last minute, they vastly expanded the scope of the work, with the only material provided in non-aural form being the presentation title and the department of the civil servant presenting. The process ignored the hard problems, and did whatever the Cabinet Office wished to do in the first place. A potemkin process may have operated identically.

If all the problems above can not be addressed, then this Part of the Bill should be removed, properly addressed by the Government, and when it can be adequately described to the public, return in next year’s Digital Innovation Bill currently under discussion. As drafted, this Part is incomplete, incoherent, and incompetent.

MedConfidential Amendment 1

Intent: Create a Register of disclosures data around Government, and move privacy protections from s63(2)-(5) to cover the whole Part.

Part 5 - New Chapter (0) - Transparency and Privacy

Transparency provisions

sXX Public Register of Data Disclosures

1) No disclosure under this Part shall be lawful unless described by an entry in a Public Register.

2) For disclosures lawful under this Part alone, the Register shall contain, or include a Uniform Resource Locator to information containing,

a) The name of the purpose of disclosure,

b) A description of the purpose for disclosure,

c) A description of the data to be disclosed,

d) The data controllers and data processors involved,

e) One or more hypotheses to be tested,

f) Any outcomes of those hypotheses that have be published,

g) Any convictions under s33, s34, or s58,

h) Any exchange of letters on the disclosure as published,

i) Any other information deemed relevant.

Privacy Provisions

sXX+1 - Exclusion of Health Data

1) Neither of the following is a public authority for the purposes of this Part -

(a) a person providing health services;

(b) a person providing services for the purposes of adult social care.

2) In subsection (1)(a) "health services" means-

(a) services which must or may be provided as part of the health service as

defined by section 275(1) of the National Health Service Act 2006 or section 206(1) of the National Health Service (Wales) Act 2006,

(b) services which must or may be provided as part of the health service as defined by section 108(1) of the National Health Service (Scotland) Act 1978, or

(c) services designed to secure any of the objects of section 2(1)(a) of the Health and Social Care (Reform) Act (Northern Ireland) 2009.

3) In subsection (2)(b) "adult social care" includes all forms of personal care and other practical assistance provided for individuals aged 18 or over who, by reason of age, illness, disability, pregnancy, childbirth, dependence on alcohol or drugs, or any other similar circumstances, are in need of such care or assistance.

Notes: for the avoidance of doubt, this is not a register [8] for every personal record shared, but for every disclosure of a description of records, however many there may be, for how often that may repeat.

medConfidential Amendment 2

Intent: Explicitly require that citizens have consented to their civil registration information being shared by the registration authority.

Insert at end of 38 (2) 19AA (2),

"and the disclosure is with the consent of the citizen, or their legal representative, to which it relates."

October 2016


[1] As no details are published by Cabinet Office, we have Freedom of Information Act requests pending.

[2] http://www.thetimes.co.uk/edition/news/mother-hit-by-benefits-blunder-v57fz2m0k

[3] Another part of that legacy is the Joseph Rowntree Reform Trust Ltd, which funds our work on this Bill.

[4] For a longer discussion, see the book " Bad Science " by Dr Ben Goldacre.

[5] https://medconfidential.org/2016/when-is-personal-data-not-personal-data/

[6] This would constitute a bulk personal dataset under the Investigatory Powers legislation.

[7] https://medconfidential.org/2016/fertile-breeding-ground-for-fraud-and-misery/

[8] https://gds.blog.gov.uk/2015/10/13/the-characteristics-of-a-register/

 

Prepared 10th October 2016