1) Anonymity is not just ‘fine’, it could be (the/a) key to getting the public sector to realise it doesn’t need to collect (so much) data. Aim for the ‘high hanging fruit’, so your driving problem is sufficiently challenging to make people/organisations reconceive the whole way they do things – rather than just pare back bits of existing systems, or bolt other bits on – and embrace the fact that it’ll shake out some of the stickiest problems first. Success (i.e. anonymous delivery) then illustrates a deep principle, and successes along the way (e.g. permanently excising a field of data) build momentum rather than serve as end points in themselves. Agree with Iain that data minimisation, though sensible and necessary, is not as good as *proper* privacy by design. Indeed, as espoused by Home Office, I’ve heard dm used as a ‘justification’ for the National Identity Register!

2) If it’s truly a principle, you need something stronger than ‘may’. Sorry. Also think double use of ‘proof’ is problematic, though I can’t quite put my finger on why (tautologous? limits the case too much?). How about ‘Declaration/establishment of entitlement should *never* require proof of identity’? People should always be able to find out what they qualify for (and if they qualify for that, what else they might also qualify for) without having to identify themselves. Only at ‘transaction’ time should credentials/actual personal data come into play. If government wants to act like a shop (and I don’t agree that it should) it has to allow people to wander around and try things on for size/colour/whatever before going to the ’till’…

3) Please seperate ownership from management and control. Though tremendously problematic, in all sorts of ways, ‘ownership’ of personal data should be inviolable. An analogy: though their lives/bodies are almost completely managed and heavily controlled, no-one would argue (I hope) that prisoners are *owned* by the state that has detained them. Law enforcement agencies may be ‘priviledged’ (preferably by court-issued warrants – strict constraints and proper independent oversight) to act in certain ways that override the control or consent of the individual, but they don’t ‘own’ the suspect or even stuff/items gathered in evidence – and should NEVER be encouraged to think that they do. Or you get more obscenities like the million innocent people’s data on NDNAD. Just because, in the course of discharging its duties, an agency paid to process some data shouldn’t mean it gets to own it.

Personal Data
Principles of Personal Data:
Clear benefit statement – 2 way
Benefits realisation for the customer:
Tell us once
Know what your entitled to
Stop Queuing
Prevent fraudulent use
Lowered service cost and reduced tax
Subject Access Request
Rapid Response Holistic view
Minimal disclosure
Transparency
People’s records should be accessible
Provide audit trail
Accepted and endorsed across government
Selective implementation
Explicit permission – citizen in control

Things to do (new)
Open up to receiving data streams from the individual – Rx rather than Tx
Monitor/control access to data streams

Things to stop doing
Stop breaking the law
Don’t build centralised databases

Things to continue doing
Get better on information assurance

That this outcome is inevitable anyway should held the argument, if its good enough for USA.gov it’s going to be that way for pretty much everyone (ok, maybe no China, yet….)

And rather than data minimisation, the wider ‘Privacy by Design’ as best espoused by the Canadian Privacy Commissioner trumps data minimisation.

A new and fundamentally different policy on personal data can save money and create vast new value. It’s a change comparable to the freeing up of public data, but the means are different. Instead of APIs to let public data out for the creation of new services, this is about new APIs which let personal data into government, so the individual can drive and personalise their services without loss of control or dignity.

Key principles:

1. Public services should collect the minimum data necessary for the specific purpose in hand. It’s fine for many services to be delivered anonymously.

2. Proof of entitlement may not require proof of identity.

3. As far as possible, the ownership, management and control of personal data should reside with the data subject. For all services purposes (ie other than law enforcement) the individual is the only possible or logical point of integration for data sharing or personalisation.

Things to do:

1. Announce (as the US has done) that acess to online public services will be through a range of third-party identifiers

2. Again, as the US is now doing, develop a “trust framework” so that different identifiers are accredited at appropriate levels for different purposes.

3. Abandon the National ID Scheme and instead allow the Passport Office to offer a voluntary online verification service.

4. Report rapidly on the potential to drive each sort of service on user-held records and volunteered personal information: health records which interface with NHS systems; personal portable education and career records which interface with education and jobs systems and other user-driven services (eg welfare, tax
census).

Initiate at least two live prototypes this year across multiple organisations where service users volunteer personal information to inform and drive a variety of public and private services.

Evaluate the role for emerging online verification services, from social-networks using OpenID or OAuth to online verified services from BT, credit-reference agencies, PayPal or the Post Office, banks and the Identity & Passport Service.

Resources: Kim Cameron in his “seven laws of identity”.
LSE Identity Project
Project VRM
The Mine!
Paoga
Mydex (WH declares an interest)