Personal Data

Personal data at first glance looks like an asset. But it can be a dangerous liability – both to governmental organisations and to the individual subjects of the data. Once collected, personal data is difficult and expensive to maintain and update, store and keep securely. Yet a failure to do so brings significant risks.

Recognising this reality, government should collect and keep as little personal data as is necessary to deliver services. To turn that principle into practical benefit, government needs to recognise that there are often different ways of achieving the same public policy outcomes without the costs and risks of collecting and keeping personal data. Government needs far less personal data than is generally assumed: the culture and mindset of personal data collection needs to change.

To enable improved public service planning, government needs to analyse and understand the information assets that it needs – and those it currently holds. This analysis will be provided by the information architecture recommended in Architecture. Once that is delivered, government will be able to identify which assets it needs to retain or acquire itself, which it no longer needs, and who else it can co-operate with to enable a more citizen-centric approach to personal data, one that places the citizen at the centre of controlling their personal information.

Key principles

  1. Minimise personal data collection and storage
  2. Find alternative ways of providing services that require less central collection and storage of personal data

Other points/clarifications

Where subjects themselves have the opportunity to see, comment on and even control their personal information, some of the difficulties reduce or even disappear. There is no reason that delivery of a service requires an independent record for an individual controlled and kept within the walls of a government department. Technology can enable transactions with surprisingly small amounts of information to be passed. For example, individuals can prove their eligibility to access a service (over 65, unemployed, employed) without needing to identify who they are. Where service design takes into account the principle of data minimisation from the start, the personal data liability – and often a great deal of cost – can be dramatically reduced.
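The eligibility case above (proving "over 65" or "unemployed" without saying who you are) can be shown concretely. This is an added illustration, not code from the page: an issuing department reduces its full record to yes/no predicates and signs only those, so the service receiving the token never sees a name or date of birth. The shared HMAC key and the record are constructed stand-ins (a real issuer would use an asymmetric signature so that services cannot mint tokens).

```python
import hashlib
import hmac
import json
import time
from datetime import date

# Constructed stand-in for the issuer's signing key (assumption: shared with the verifier).
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed citizen record held by the issuing department; it is never sent to the service.
RECORD = {"name": "A. Example", "dob": "1955-03-02", "employment": "unemployed"}


def derive_claims(record, today):
    """Reduce a full record to eligibility predicates: no name, no date of birth, no age."""
    dob = date.fromisoformat(record["dob"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {"age_over_65": age >= 65, "unemployed": record["employment"] == "unemployed"}


def issue_token(record, today, ttl=600, now=None):
    """Issuer side: sign only the derived predicates plus an expiry (no subject identifier)."""
    now = int(time.time()) if now is None else now
    body = {"claims": derive_claims(record, today), "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify_eligibility(payload, tag, required, now=None):
    """Service side: check integrity and expiry, then the single predicate this service needs."""
    now = int(time.time()) if now is None else now
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered or forged token
    body = json.loads(payload)
    if body["exp"] < now:
        return False  # stale token cannot be replayed indefinitely
    return body["claims"].get(required) is True


def disclosed_fields(payload):
    """Everything the service learns about the subject: used to confirm no identity leaks."""
    return set(json.loads(payload)["claims"])
```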

There is no fundamental reason why storage of personal information for public services needs to be inside the public sector. Government databases are already stored by third parties in most cases on behalf of the government rather than the individual. With the right frameworks, third party services can store information on behalf of individuals for their interaction with public services. Citizens should be able to move their data around, choosing their provider according to need.

There will be situations where government needs total control over information, where responsibility and access is shared or unequal, or where even the existence of the information is confidential. However, there should be a basic assumption of mutual aligned interest in the quality and safety of information for the individual and the state, unless proven otherwise.

Specific recommendations

  1. Map and understand personal information use across government and for each service
  2. Make data minimisation a default design criterion
  3. Make use of third party services where appropriate, giving individuals the choice of what to use

Things to do

  1. Publish a high level personal data map for government
  2. Develop and publish an information strategy for each department or service
  3. Plan the shutdown of unnecessary/legacy databases

Stop, challenge or review

  1. Challenge assumptions on data collection, storage and use



7 Responses to “Personal Data”

  1. Fraser says:

    Hold personal data, personally (e.g. Google Health)

  2. william says:

    Yup, I think we’re going to beef this up to give it a VRM dimension….

  3. william says:

    I think this needs a rework, eg

    A new and fundamentally different policy on personal data can save money and create vast new value. It’s a change comparable to the freeing up of public data, but the means are different. Instead of APIs to let public data out for the creation of new services, this is about new APIs which let personal data into government, so the individual can drive and personalise their services without loss of control or dignity.

    Key principles:

    1. Public services should collect the minimum data necessary for the specific purpose in hand. It’s fine for many services to be delivered anonymously.

    2. Proof of entitlement may not require proof of identity.

    3. As far as possible, the ownership, management and control of personal data should reside with the data subject. For all services purposes (ie other than law enforcement) the individual is the only possible or logical point of integration for data sharing or personalisation.

    Things to do:

    1. Announce (as the US has done) that access to online public services will be through a range of third-party identifiers

    2. Again, as the US is now doing, develop a “trust framework” so that different identifiers are accredited at appropriate levels for different purposes.

    3. Abandon the National ID Scheme and instead allow the Passport Office to offer a voluntary online verification service.

    4. Report rapidly on the potential to drive each sort of service on user-held records and volunteered personal information: health records which interface with NHS systems; personal portable education and career records which interface with education and jobs systems and other user-driven services (eg welfare, tax, census).

    Initiate at least two live prototypes this year across multiple organisations where service users volunteer personal information to inform and drive a variety of public and private services.

    Evaluate the role for emerging online verification services, from social-networks using OpenID or OAuth to online verified services from BT, credit-reference agencies, PayPal or the Post Office, banks and the Identity & Passport Service.

    Resources: Kim Cameron in his “seven laws of identity”.
    LSE Identity Project
    Project VRM
    The Mine!
    Paoga
    Mydex (WH declares an interest)

  4. Iain Henderson says:

    Yes, you need the more radical approach referred to in comments to a) have the necessary impact, and b) ultimately run at much lower cost and higher levels of effectiveness.

    That this outcome is inevitable anyway should help the argument; if it’s good enough for USA.gov it’s going to be that way for pretty much everyone (ok, maybe not China, yet….)

    And rather than data minimisation, the wider ‘Privacy by Design’ as best espoused by the Canadian Privacy Commissioner trumps data minimisation.

  5. robbie says:

    Agree with Iain that the principle should be one of privacy by design. Other resources could include the concept of information sharing ‘licenses’, which was floated fairly widely around the public sector, at least in Scotland, e.g. http://bit.ly/9odVZ7 – also privacy panels, e.g. http://bit.ly/aXUdqh, should advise ministers and review specific policy proposals…

  6. william says:

    from industry unConference

    Personal Data
    Principles of Personal Data:
    Clear benefit statement – 2 way
    Benefits realisation for the customer:
    Tell us once
    Know what you’re entitled to
    Stop Queuing
    Prevent fraudulent use
    Lowered service cost and reduced tax
    Subject Access Request
    Rapid Response Holistic view
    Minimal disclosure
    Transparency
    People’s records should be accessible
    Provide audit trail
    Accepted and endorsed across government
    Selective implementation
    Explicit permission – citizen in control

    Things to do (new)
    Open up to receiving data streams from the individual – Rx rather than Tx
    Monitor/control access to data streams

    Things to stop doing
    Stop breaking the law
    Don’t build centralised databases

    Things to continue doing
    Get better on information assurance

  7. Phil says:

    RE. your revised key principles:

    1) Anonymity is not just ‘fine’, it could be (the/a) key to getting the public sector to realise it doesn’t need to collect (so much) data. Aim for the ‘high hanging fruit’, so your driving problem is sufficiently challenging to make people/organisations reconceive the whole way they do things – rather than just pare back bits of existing systems, or bolt other bits on – and embrace the fact that it’ll shake out some of the stickiest problems first. Success (i.e. anonymous delivery) then illustrates a deep principle, and successes along the way (e.g. permanently excising a field of data) build momentum rather than serve as end points in themselves. Agree with Iain that data minimisation, though sensible and necessary, is not as good as *proper* privacy by design. Indeed, as espoused by Home Office, I’ve heard dm used as a ‘justification’ for the National Identity Register!

    2) If it’s truly a principle, you need something stronger than ‘may’. Sorry. Also think double use of ‘proof’ is problematic, though I can’t quite put my finger on why (tautologous? limits the case too much?). How about ‘Declaration/establishment of entitlement should *never* require proof of identity’? People should always be able to find out what they qualify for (and if they qualify for that, what else they might also qualify for) without having to identify themselves. Only at ‘transaction’ time should credentials/actual personal data come into play. If government wants to act like a shop (and I don’t agree that it should) it has to allow people to wander around and try things on for size/colour/whatever before going to the ’till’…

    3) Please separate ownership from management and control. Though tremendously problematic, in all sorts of ways, ‘ownership’ of personal data should be inviolable. An analogy: though their lives/bodies are almost completely managed and heavily controlled, no-one would argue (I hope) that prisoners are *owned* by the state that has detained them. Law enforcement agencies may be ‘privileged’ (preferably by court-issued warrants – strict constraints and proper independent oversight) to act in certain ways that override the control or consent of the individual, but they don’t ‘own’ the suspect or even stuff/items gathered in evidence – and should NEVER be encouraged to think that they do. Or you get more obscenities like the million innocent people’s data on NDNAD. Just because, in the course of discharging its duties, an agency paid to process some data shouldn’t mean it gets to own it.
