Response to the post-publication consultation on the National Data Strategy

This blog post contains my personal response to the new post-publication consultation on the National Data Strategy based on reflections from my submission to the original consultation. I encourage as many people as possible to read the publication and respond via the online form before the closing date of 2/12/20.

Disclaimer

I previously worked for the Government Digital Service from 2013 to 2017 and currently work for Hackney Council in their Digital team.

I am responding to this consultation purely in a personal capacity.

I give full permission for all or any part of this document to be published. I am very happy to discuss the Strategy in either an individual or group setting.

I can be contacted at dave@bowsy.co.uk.

General

I am very interested in the phrase “move to implementation” used four times in the document. It would be very good to understand what this means. My hope is that not only will this mean a public backlog of related actions, similar to the Smarter London Together Report Card, but also regularly posted updates (perhaps in week-notes style but less often) as well as ideally an ongoing way to have conversations around this topic (a mailing list or slack for example).

My responses to the questions on the form

Question 1: To what extent do you agree with the following statement: Taken as a whole, the missions and pillars of the National Data Strategy focus on the right priorities.

• Somewhat agree
• I agree in general that these are useful lenses to approach the problems but each is a significant area of work in itself and may well benefit from it’s own specific leadership, commitment to transparent reporting of ongoing work and wide participation, etc.

Question 2: We are interested in examples of how data was or should have been used to deliver public benefits during the coronavirus (COVID-19) crisis, beyond its use directly in health and social care. Please give any examples that you can, including what, if anything, central government could do to build or develop them further.

• N/A

Question 3: If applicable, please provide any comments about the potential impact of the proposals outlined in this consultation on individuals with a protected characteristic under the Equality Act 2010.

• I defer to the response from Rachel Coldicutt.

Question 4: We welcome any comments about the potential impact of the proposals outlined in this consultation on the UK across all areas, and any steps the government should take to ensure that they take account of regional inequalities and support the whole of the UK.

• N/A

Question 5: Which sectors have the most to gain from better data availability? Please choose all relevant options, below.

• N/A

Question 6: What role do you think central government should have in enabling better availability of data across the wider economy?

• Further support the Data Standards Authority by giving them powers to enforce the use of pan-government agree standards in government organisations with monetary penalties for non-compliance.
• Require all government organisations to maintain a public list of datasets that have been requested by other government organisations or 3rd parties and the timescale in which they will be regularly published or reasons for not doing so.
• Implement a metadata standard for transferring data between organisations that contains the reasons for its collection and processing to prevent illegal reuse under the GDPR.
• Plan and implement a cross-government data sharing platform that records all instances of data sharing and makes that metadata available to impacted citizens.
• Create a national standard for Data Sharing Agreements and require all government organisations to record their DSA in a single national repository.
• Update the Government Service Standard to require services to separate the repository of the data collected by the service from the service itself to enable Data Stewards to be appointed for data repositories separate to Service Owners for the collecting service(s).
• Create a public system for recording intention to and actual publication of government data. Hold organisations that repeatedly fail to produce data according to their published intentions at PAC.
• Appoint an individual whose specific role is to communicate government use of citizen data to the public.

Question 6a: How should this role vary across sectors and applications?=

• N/A

Question 7: To what extent do you agree with the following statement: The government has a role in supporting data foundations in the wider economy.

• Strongly agree
• I strongly agree — but after the failure of the Register programme (of which I was part) it became obvious that this cannot work without a mandate for government organisations to conform to new standards.

Question 8: What could central government do beyond existing schemes to tackle the particular barriers that small and medium sized enterprises (SMEs) face in using data effectively?

• Mostly these are around lack of time and data skills in these organisations. Staff either don’t know what they don’t know or don’t have time to analyse their own or other data effectively. For the former a nationwide “data skills buddying” system with one experienced person (from any sector) leading a team of 2–4 people improving their data skills over a year could go a long way. For the latter building up supported communities of interest around different data types could go a long way.

Question 9: Beyond existing Smart Data plans, what, if any, further work do you think should be done to ensure that consumers’ data is put to work for them?

• Much of this is about trust. Consumers (citizens is a much better phrase please) need to both be assured about their data and be able to see how it is being used.

Question 10: How can the UK’s data protection framework remain fit for purpose in an increasingly digital and data driven age?

• There needs to be a standard for Data Sharing Agreements and a compulsory national repository for storing them.

Question 11: To what extent do you agree with the following statement: the functions for the Centre for Data Ethics and Innovation (CDEI) should be Artificial Intelligence (AI) monitoring, partnership working and piloting and testing potential interventions in the tech landscape?

• Somewhat agree
• I agree with this in principle but the work in this area needs to be considerably more transparent, not only in involving civil society groups but also in just regularly communicating what is happening in the different work streams,

Question 11a: How would a change to statutory status support the CDEI to deliver its remit?

• N/A

Question 12: We have identified five broad areas of work as part of our mission for enabling better use of data across government:

• 1. Quality, availability and access
• There should be a government officer whose responsibility includes providing a continually updated public record of significant data stores in government (with “significant” being decided by the CDO, not different organisations).
• 2. Standards and assurance
• Update the Government Service Standard to require services to separate the repository of the data collected by the service from the service itself.
• 3. Capability, leadership and culture
• I am heartened by the NDS supporting the role of a Government Chief Data Office, although this role has now been talked about for months (if not years) so more regular updates on this are needed. The level of seniority, the location with the government, the supporting Minister and above all the remit of this role needs to be made much clearer.
• Many of the issues related to data in government are due to different organisations working in different ways and to date there’s been little ability of anyone outside of those organisations to change that. For example, beyond email it’s still impossible to find a single cloud-based information sharing system that staff in different organisations can collaborate using.
• Cultural attitudes to data widely in different organisations and the CDO will need to specifically address this. Part of this should be via setting up a Data Advisory Council with membership from the major departments. However, this should be used as a consultation body — not a potential mechanism for blocking reforms.
• 4. Accountability and productivity
• Create a public system for recording intention to and actual publication of government data.
• 5. Ethics and public trust
• An serious investigation should be undertaken into Personal Data Stores including the market incentives that may be required.

Question 13: The Data Standards Authority is working with a range of public sector and external organisations to create a pipeline of data standards and standard practices that should be adopted. We welcome your views on standards that should be prioritised, building on the standards which have already been recommended.

• UPRNs
• Housing Data Standard (https://www.hact.org.uk/DataStandard)
• Develop a data standard to support citizens moving from one local authority to another
• Government should continue to support a mechanism for suggesting new data standards with a dashboard showing who is working on which and to what extent they have not only been completed (or approved) but also the level of adoption.

Question 14: What responsibilities and requirements should be placed on virtual or physical data infrastructure service providers to provide data security, continuity and resilience of service supply?

• I’m not qualified to be specific about this (NCSC and other organisations are experts in this area) but a set of standardised levels may be useful for external accreditation or purchase via the Digital Marketplace.

Question 14a: How do clients assess the robustness of security protocols when choosing data infrastructure services? How do they ensure that providers are keeping up with those protocols during their contract?

• Again, a set of standards from NCSC would be useful — but defence design in depth is often related to specific system architectures.

Question 15: Demand for external data storage and processing services is growing. In order to maintain high standards of security and resilience for the infrastructure on which data use relies, what should be the respective roles of government and data service providers, their supply chain and their clients?

• This is very hard to quantify and highly likely to quickly evolve. I’d be wary of prescribing it now.

Question 16: What are the most important risk factors in managing the security and resilience of the infrastructure on which data use relies?

• This is a question for NCSC

Question 17: To what extent do you agree with the following statement: The government should play a greater role in ensuring that data use does not negatively contribute to carbon usage?

• Strongly agree
• Third party services (e.g. cloud hosting, but also fully hosted COTS services) should be mandated to produce information on their carbon production / off-setting.

Question 18: How can the UK improve on current international transfer mechanisms, while ensuring that the personal data of UK citizens is appropriately safeguarded?

• Transfer is best via public APIs. Strong records should be kept of all data transferred (on both sides) including any named companies or individuals and reasons for sharing (under the GDPR).
• There are a number of trade agreements that may have a negative impact on this — especially any potential agreement with the USA. See : https://www.openrightsgroup.org/campaign/bringing-the-uk-us-digital-trade-deal-into-the-light.

Question 19: What are your views on future UK data adequacy arrangements (e.g. which countries are priorities) and how can the UK work with stakeholders to ensure the best possible outcome for the UK?

• N/A