Memorandum by Trevor Bedeman
This evidence is in the form of a paper provided
as part of a briefing on data sharing to an invited audience held
at at Lovells law firm, London on 5 June 2007. The paper in no
sense represents Lovells' views.
It addresses the current developments in both
public and private data sharing, and is provided to the Constitution
Committee for the comments contained on private development, comparisons
between the two, and possibilities for their interchange. The
comments just on the development of public sector data sharing
are mostly drawn from the DCA Vision Statement and are thus not
There is, arguably, a great deal to be learnt
from the private sector data sharing developments, some of which
are either very mature, or very technically advanced, or both,
and I would draw the committee's attention to the brief comments
on private sector governance.
I am an independent consultant, specialising
in data and information sharing. My past experience is as the
lead author and negotiator of the "Principle of Reciprocity"
which continue to govern the UK credit data scheme, and as previous
Chairman of Insurance Database services Ltd, and Chair of the
initial development of the Insurance Fraud Bureau. During this
period I was an employee of LloydsTSB Group, latterly of the Risk
and Compliance Department.
Data sharing development in the retail private
Data sharing across the private sector has developed
in more non-competitive areas of operational risk management,
such as credit, insurance claims and financial fraud. Derivatives
of that data support this processing, such as identity scores,
and credit scores. Identity provides a common thread, and has
been developed to a high level of sophistication.
Some of these schemes are very mature, for example
the UK credit scheme dates from the late 1970s and shares 800
million records amongst 500 participating companies, with major
economic impact upon retail credit and the larger economy. Some
are highly advanced technically, for example in the derivation
of identity, and the searching of the combined insurance claims
and policy databases for networks of claims signifying organised
Within major retail groups such as those of
the financial sector, the customer relationship management programmes
of the 1990s on have meant that customer data is shared internally
across many diverse constituent companies, and matched-merged
into a single source for the entire group. Their ideal is that
the entire individual customer relationship is available on demand
at all customer touch-points and to the central analysis functions.
These data sharing schemes can cover tens of millions of customers,
and thus major fractions of the UK population.
Across competing private companies this commercial
competition is an inhibition on the sharing of many forms of data.
Companies are also under commercial pressure to handle this information
safely. Individuals have some choice of processor through competition,
and lapses of security are highly publicised.
The initial collector of the data has a key
responsibility for the entire potential chain of use over the
whole period that the data is held in any form.
This sharing is typically reciprocal, meaning
that all available data within a defined sector must be provided
before any other shared data can be accessed. The private sector
has developed various models of sharer (and some wider stakeholder
governance). The governance varies from the banking reciprocity
committee SCOR, to trusts and companies such as the UK fraud avoidance
scheme CIFAS, the Motor Insurer's Database, Insurance Database
Services Limited, and the Insurance Fraud Bureau.
The next five years in the private sector
Credit data sharing is developing worldwide,
with Experian as the first global scale reference agency, and
there are various regional providers in development as well as
nationally owned databases. The World Bank has assessed the UK's
credit data sharing as the most effective, with the highest score
of any scheme for the combination of availability of data (though
not 100%) and efficacy of the regulatory framework.
Credit databases have developed in a similar
way in the UK as in the US, though without access to a national
identifier as in the US. There are some restrictive national databases
in individual European countries, such as France, and other countries
with models similar to the UK. It may be that the UK scheme will
adopt the UK national identity when that is available; it will
depend whether the quality of that identity is higher than that
the banks already have through the current account and related
Individuals are increasingly searching their
own data via the internet from the credit reference agencies.
The uses are changing from those just driven by a failure to obtain
credit, to a much more general need to regularly inspect the data
held, for example as a protection against fraud. As in the US,
it is likely that this shared data will come to be increasingly
seen as also the property of the data subject, and not just of
the contributing financial institutions, and thus the reference
agency as also the individual's service provider.
Data sharing in and with the public sector
Cabinet committee MISC 31
This committee meets regularly at ministerial
level to advance data sharing, with the aim of improving service
efficiency. The terms of reference for this committee are: "To
develop the Government's strategy on data sharing across the public
The most complete statement of this strategy
so far, and of public sector data sharing projects is contained
in the document:
DCA Government Information Sharing Vision Statement
"This Government wants to deliver the best
possible support to people in need. We can only do this with the
right information about people's circumstances. We are determined
that information sharing helps us better target support to the
most disadvantaged in our society. The Social Exclusion Action
Plan shows how Government will achieve this through agencies working
together to focus on the unique needs of any one person or family.
The information needed to make this happen already exists, but
it is not always being shared.
That is why Government is committed to more
information sharing between public sector organisations and service
We recognise that the more we share information,
the more important it is that people are confident that their
personal data is kept safe and secure. This Government has an
excellent track record of strengthening individual's rights to
privacy and the legislative framework, provided by the Data Protection
and Human Rights Acts, offer a robust statutory framework to maintain
those rights whilst sharing information to deliver better services".
Catherine Ashton, DCA, September 2006
Existing examples of public sector data sharing
The Homelessness Act 2002 requires local authorities
to review homelessness and share information. The Benefits have
been assessed as including a 75% reduction in rough sleeping since
1998, and ending bed and breakfast accommodation for families
with young children.
GMAC, Greater Manchester Against Crime, shares
statistical information from a range of partners including health
service, police, fire and transport, probation, and local authorities
used to identify and map crime hotspots and determine how best
to target resources across partner agencies. Example of benefits:
75% reduction in arson in some areas.
NFI, is the National Fraud Initiative run by
the Audit Commission. It is a biennial data matching of housing
benefit and employment records. 1,300 bodies took part in NFI
2004-05. The estimated value of fraud and overpayments in 2004-05
exceeded £111 million.
DVLA offers electronic re-licensing and off-road
notification through internet and by telephone. The customer uses
the renewal reminder sent by DVLA, or the reference number from
the car's logbook and the vehicle registration number to identify
the vehicle. DVLA links to MID, the Motor Insurance Database to
check the vehicle is insured, and to the computerised MOT Test
Certificate Database where necessary.
HMRC, DTI, DEFRA, FSA, and busness.gov are developing
ITSW, the International Trade Single Window Project. The aim is
that UK businesses will be able to provide information once, and
ITSW will share this information with the main Government departments
involved in authorising exports and imports. Initial phase estimated
to save time for 150,000 small and medium-sized businesses and
encourage others to trade internationally.
DWP uses HMRC income and capital information
to contact those people who could potentially claim pension credit.
The Social Exclusion Plan will provide for sharing
across silos for the disadvantaged. Pilots will assess what information
needs to be shared, such as police, housing and employment information.
In May 2006 the Police and Justice Bill was
amended to allow information on the recently deceased to be shared
New Powers against Organised Crime and Financial
Crime (Home Office July 2006) set out proposals for allowing public
sector membership of CIFAS. The public savings have been estimated
to be between £136-272 million per annum.
The Hampton Review recommended a principle be
established that businesses do not need to give the same piece
of information twice.
Sir David Varney's work on Service Transformation
will consider the role of information sharing in improving the
quality of service and result in efficiency savings for government.
DCA will be promoting better understanding of
the DPA so that front line practitioners in particular understand
that the DPA is not a barrier to appropriate information sharing.
DCA will explore how we might provide citizens
with more information about which public sector bodies hold information
and what they use it for.
The Serious Crime Bill 2007 has provisions in
part 3 for the creation of Anti Fraud Organisations designated
to share data on fraud between the public and private sector,
such to and from CIFAS, a reciprocal fraudster reporting scheme,
based traditionally in the retail financial sector.
Codes of practice
The Information Commissioner is developing guidelines
against which information sharing proposals involving personal
data might be assessed, and a framework Code of Practice which
will help public sector organisations ensure that their sharing
of personal information respects personal privacy.
Existing examples recommended as models include
those of the Audit Commission 206 and NHS Confidentiality 2003.
"Sleepwalking into a Surveillance Society"
This phrase was originally coined by Richard
Thomas August 2004 in response to the initial proposals for Government
ID Cards. The "Surveillance Society" and the term "Privacy"
have come to represent in part concerns over the wider sharing
of personal data, especially by government, but also potentially
by other parts of the public sector, and also within the private
sector such as the risk schemes of credit and fraud. Both terms
link visual records with symbolic data, and thus data sharing
and visual surveillance are conflated. "Privacy International"
recently ranked the UK along with a number of asian countries
including China for very high levels of visual surveillance.
The Bulger case in February 1993 provided a
public endorsement for CCTV cameras and so far for visual surveillance
generally. In August 2002 the Data Protection Act had a close
call with the Soham murders, when the act was initially claimed
as a justification for not sharing information. The DCA Vision
Statement advice to front line public sector practitioners shows
that these issues are still live.
Street cameras are undergoing steady development,
they can be miniaturised, and thus hidden; they may incorporate
loudspeakers, as in a trial currently running in Middlesborough,
and also sound receivers, to record conversations. Public acceptance
of open air surveillance is not automatic, as speed cameras have
shown, as has their vulnerability to a determined minority.
The private financial sector, too, has had a
close call with public confidence, in this case over extreme debt.
Concerns on over-indebtedness were led by press and Parliament;
in this case extra data sharing has formed part of the solution,
overriding commercial concerns over the sharing of valuable current
account transactional throughput information by banks.
In both Houses of Parliament there are currently
committees separately looking at issues of data sharing in the
context of surveillance. The Commons Home Affairs committee is
including a review of the extent and impact of credit data sharing.
The Lords Constitution committee focuses on constitutional implications.
Time will tell what models data exchange between
public and private will follow. It is likely there will be more
examples of a data flow from private to public. The DVLA example
brings many benefits to the individual in terms of time saved
and efficiency of service, but no direct data flow in return to
the contributing insurance companies, though all benefit from
better vehicle licensing and the information flow can be inferred
from the presence of a vehicle licence. The reciprocal data sharing
scheme with associated governance has been the private sector
answer to the balance of commercial advantage; the Serious Crime
Bill provision for public sector data sharing with CIFAS is an
example of the public sector joining in with an existing reciprocal
scheme, and accepting its governance.
So far the public and private data sharing schemes
are largely distinct, but as the public sector becomes far more
interlinked, then it seems likely there will be greater interchange
in addition between public and private, with implications not
just for the commercial interest of affected companies, but of
their staff and customers too.
Privacy and Data Sharing. The way forward for public
services. Cabinet Office April 2002.
Public sector Data Sharing : guidance on the Law
Government Information Sharing Vision Statement September
Code of Data Matching Practice 2006 (Audit Commission
Confidentiality: NHS Code of Practice (Department
of Health 2003)
"Privacy International" National Privacy
Ranking 2006 visual surveillance UK ranks 1 along with
Phillipines, Singapore, Malaysia and China.