ALDES Submission to the National Data Strategy Consultation

ALDES Submission to the National Data Strategy Consultation

Lord Wallace, Lord Clement-Jones and David Chadwick have submitted a response to the much-anticipated National Data Strategy consultation, published in September. The National Data Strategy will have wide-ranging effects across industry, across the public sector, and on your rights as data subjects.

Response to the National Data Strategy Consultation

As Liberal Democrats we welcome the government’s initiative to introduce a National Data Strategy (NDS). An improved data estate can improve the provision of digital public services, assist in returning the economy to growth and ensure the UK has adequate legislation to both empower and protect its citizens. In relation to the use of public data, the government has a duty to maintain openness and safeguard privacy. We acknowledge that this is not a straightforward task.

One of the few positive consequences of the response to Covid-19 has been the acceleration in digital transformation. However, the pandemic has highlighted numerous weaknesses in the UK’s state of digital affairs, not least in highlighting the need for public trust in collection and use of public data. There have been shortcomings in the sharing of data between various parts of the health service, care sector, local government and national government. The U.K.’s data estate certainly requires urgent remedy. We have provided answers to most of the consultation questions but would also like to stress 10 considerations for the NDS to consider. Please find these below:

1 – Security a Data Adequacy Decision from the EU is vital for British businesses and jobs.

Research by the New Economics Foundation has estimated that the cost to British businesses of the government failing to secure an adequacy agreement with the EU will be between £1-1.6 billion. This would needlessly hinder investment and job creation, just as the economy needs them most. It seems clear that U.K government understands the desirability of achieving an adequacy decision but has yet to fully understand the barriers that exist or will provide the means to overcome them.

2 – Watering down the UK’s data protection legislation would see the UK driving in the opposite direction to the rest of the world, and impede international data flows.

The past 5 years have seen a steady growth of data protection legislation across the world. The GDPR and UK Data Protection Act became law in 2018, Brazil and Thailand followed swiftly afterwards, countries such as India and Canada are in the final stages of introducing their own legislation. In the United States, several states, most notably California, have introduced their own state legislation (CCPA), and a federal law may be in the offing from the Biden administration. In this context, the UK’s watering down of its data protection legislation would be more likely to impede the international flow of data than champion it. It is clear that the costs of navigating any future regulatory barriers to international data flows will be more burdensome and expensive than maintaining current compliance requirements.

3 – Our digital watchtowers need sufficient funding and clear mission statements to remain vigilant.

The government should ensure that the required funds are made available for our data regulators (ICO, Ofcom, CMA) to do their jobs properly. The Centre for Data Ethics and Innovation (CDEI) should be given a statutory basis. Accountability within Government for implementation of the National Data Strategy should be made clearer

The ICO is one of the most influential data regulators in the E.U and across the world. Regulators around the world look to the ICO for guidance. Any attempt to weaken our domestic data protection legislation will diminish the UK’s influence on the world stage. Instead, the UK government should ensure that the ICO has the resources required to adequately enforce data protection legislation. Ofcom will require further funding if it is to be made responsible for the enforcement of the Online Harms duty of care. The CDEI should be placed on a statutory basis and included in a 3-year spending review, so as to establish itself and gain public trust – something the government must facilitate. Accountability for the delivery of the National Data Strategy is unclear as between the GDS/Cabinet Office and the DDCMS. This needs to be clarified.

4 – Better data governance across the public and private sectors can promote growth.

The Strategy makes several statements that seem to equate legislation with slower growth. We would contest such an assertion. Data protection legislation has in fact accelerated the UK’s digital economy. As a general principle, and as the Strategy itself acknowledges, extracting value from data requires data to be available, well-managed and secure, so that public trust is achieved. If the Data Protection Act was a stick that forced organisations to improve their data estate, the carrot has been better quality data and data management practices. Short-term savings from reduced compliance overheads are worth less to the economy than well-written regulation that encourages economically productive behaviour.

5 – Better data sharing practices between local and national government would empower citizens and help the state to deliver public services.

There are longstanding concerns about the lack of data sharing between central and local government. The response to Covid-19 crystallised many of these issues; expensive, disjointed and insufficient responses had to be found instead. A major failing appears to be a fragmented data architecture with lots of separate databases that do not speak to each other.  The government should take this opportunity to conduct a deep “lessons learnt” review of public sector data sharing practices across the U.K.

6 – To stimulate growth, the government should focus on supporting SMEs.

SMEs are the backbone of the British economy. Many are struggling to stay afloat; others have run down their cash reserves in order to stay alive. Yet the British economy’s long-term productivity struggle can be resolved through supporting them. We support the proposal by the Coalition for a Digital Economy (Coadec) to introduce a Digital Adoption Fund that SMEs could draw on to fund their adoption of better digital technology, with potential productivity gains of £92 billion. We also strongly support the urgent creation of a Digital Markets Unit within the Competition and Markets Authority to ensure that SME’s are not denied access to the data sets necessary for innovation.

7 – Empower our citizens to fill the data skills gap.

Many businesses cite a failure to recruit skilled staff as one of their biggest digital headaches. We are pleased to see the strategy acknowledge the need to address the skills gap. We note with concern however that the skills shortage does not appear to be a major focus of the Strategy. A Skills Wallet/Lifelong Learning Account of the type set out in the Liberal Democrats’ most recent manifesto is a key part of the solution. Digital exclusion is a growing issue to and needs to be tackled and improved provision of IT education and equipment in schools and for students is crucial.

8 – The Strategy should not create a hierarchy of digital rights.

The Retail company H&M have been fined for illegally spying on their employees by a German Data Protection Authority. Recent news reports indicate that Amazon have been engaged in similar activities. We are concerned that this type of behaviour could become endemic across society, not just by bigger businesses but among smaller ones too. The NDS paper however, hints that regulation may be lifted for smaller businesses. We are concerned that this might lead to a hierarchy of digital rights. Employees at smaller businesses are entitled to the same rights and protections as those working for larger organisations.

9 – The Strategy should prioritise human solutions, not software solutions.

Secretary of State claims that the UK could become a leader in tackling Online Harms, through a cluster of software firms promoting software solutions. This would appear to be a case of asking technology to fix technology. We believe on the contrary that the strategy should prioritise human intervention above the capabilities of digital intervention. We note that after the summer’s school grades fiasco caused by algorithmic decision-making, the government had no choice but to turn to teacher assessments. The CDEI’s recent review on bias in algorithmic decision-making reminds the Public Sector Equality Duty requires public sector organisations to take reasonable steps to consider potential bias when deploying algorithmic systems, and to detect algorithmic bias on an ongoing basis. These are essential steps to safeguarding against all forms of discrimination listed in the Equality Act 2010.

10 – The government should retain a say over where public sector data is stored

We understand that it may be necessary to rely on private sector data infrastructure, namely the Cloud/Data Centres. On any basis, the U.K government should give itself the right to reject the storage of data in certain territories that may not adequately protect public data but the government should also incentivize the development of  U.K  based Cloud providers to ensure we retain sovereignty over critical public data.

Consultation Responses:

Q1. To what extent do you agree with the following statement: Taken as a whole, the missions and pillars of the National Data Strategy focus on the right priorities. Please explain your answer here, including any areas you think the government should explore in further depth.

Somewhat disagree. In particular, we believe there is no conflict between governance and growth. Well-governed data is valuable data. We are particularly concerned that the international flow of data will be impeded by a failure to obtain and maintain a data adequacy agreement. This will be exacerbated if the government were to deregulate in order to achieve "growth".

Q2. We are interested in examples of how data was or should have been used to deliver public benefits during the coronavirus (COVID-19) pandemic, beyond its use directly in health and social care. Please give any examples that you can, including what, if anything, central government could do to build or develop them further. For question two, we are only looking for examples outside health and social care data. Health and social care data will be covered in the upcoming Data Strategy for Health and Social Care.

The development of the centralised initial Covid track and trace app was a demonstration of how not to gain public trust. The response to covid-19 also highlighted longstanding concerns about the lack of data sharing between local and central government. As far as we are concerned, no substantive measures have been put forward to address this longstanding issue.  Reports using transport data to measure the efficacy of the lockdown were evidently in the public interests and proved tremendously useful. London transport data was used. Local government collects a great deal of data autonomously and the potential value of this data is not currently accounted for. The quality of governance of this data is also however very uncertain.

Q3. If applicable, please provide any comments about the potential impact of the proposals outlined in this consultation may have on individuals with a protected characteristic under the Equality Act 2010?

We would like to see a much stronger central compliance mechanism within government for the guidance set out in the Data Ethics Framework. This could mean for example the extension of the remit of the National Data Guardian for Health and Social Care ("the Caldicott Guardian”).

Q4. We welcome any comments about the potential impact of the proposals outlined in this consultation on the UK across all areas, and any steps the government should take to ensure that they take account of regional inequalities and support the whole of the UK?

We would like to see the national data strategy facilitate a much greater decentralisation of government, a process that would help tackle regional inequalities.

Q5. Which sectors have the most to gain from better data availability? Please select all relevant options listed below, which are drawn from the Standardised Industry Classification (SIC) codes.

Accommodation and Food Service Activities; Administrative and Support Service Activities; Agriculture, Forestry and Fishing; Arts, Entertainment and Recreation; Central/Local Government incl. defence; Charity or Non-Profit; Construction; Education; Electricity, Gas, Steam and Air Conditioning Supply; Financial and Insurance Activities; Human Health and Social Work Activities; Information and Communication; Manufacturing; Mining and Quarrying; Transportation and Storage; Water Supply; Sewerage, Waste Management and Remediation Activities; Wholesale and Retail Trade; Repair Of Motor Vehicles and Motorcycles; Professional, Scientific and Technical Activities; Real Estate Activities; Other.

Representatives of these sectors will have a greater understanding of their areas than we do and we urge government to listen carefully to their representations.

Q6. What role do you think central government should have in enabling better availability of data across the wider economy?

Good governance begins at home. The government need to demonstrate the benefits of well-curated and well-governed data.

Q6a. How should this role vary across sectors and applications?

N/A

Q7. To what extent do you agree with the following statement: The government has a role in supporting data foundations in the wider economy. Please explain your answer. If applicable, please indicate what you think the government’s enhanced role should be.

Strongly agree. One of the key areas to which government can contribute is in building trust in the use of data, particularly public data. It needs in particular to: 1. demonstrate strong standards of and an appropriate mechanism for compliance with the Data Ethics Framework 2. Support the development of data trusts (or social data foundations) as trusted mechanisms for holding, curating and sharing data 3. Move faster towards the creation of a set of national standards for digital identity services

Q8. What could central government do beyond existing schemes to tackle the particular barriers that small and medium-sized enterprises (SMEs) face in using data effectively?

The recently announced Digital Markets Unit within the CMA needs setting up as soon as possible with a strong remit to ensure that the market dominance of big tech does not prevent SMEs from having access to good quality data sets. As explained further in our opening summary, we also believe the government should support Coadec’s call to establish a digital transition fund that would make funding available for SMEs that wish to transition to productivity-enhancing software or platforms.

Q9. Beyond existing Smart Data plans, what, if any, further work do you think should be done to ensure that consumers’ data is put to work for them?

N/A

Q10. How can the UK’s data protection framework remain fit for purpose in an increasingly digital and data driven age?

The Data Protection Act should be subject to review in future, but not for some years. Funding for the ICO should be maintained in line with its EU counterparts, with additional funding to be granted for any future duties it is required to undertake. We agree that the CDEI has a vital role to play in assessing the need for future legislation, their work is commendable. There is an urgent need to fund the CDEI properly. The same applies to Regulatory Horizons Council. Both of these organisations should be placed on a statutory basis. It is also important to make them more visible so as to command greater public confidence. More broadly the responsibilities of different government departments, the CDEI, UKSA and regulators need spelling out. There is insufficient clarity as to who has ultimate responsibility for implementing the national data strategy

Q11. To what extent do you agree with the functions set out for the Centre for Data Ethics and Innovation (CDEI) - AI monitoring, partnership working and piloting and testing potential interventions in the tech landscape? Please explain your answer.

Strongly agree. Effective legislation can be an aid to growth because it provides certainty to developers and users.

Q11a. How would a change to statutory status support the CDEI to deliver its remit?

Placing it on a statutory status would enable to CDEI to establish its long-term future. The move would protect the CDEI from short term political interests, root it in the public interest and build public confidence that an effective framework for regulation is being established. We also suggest its insertion into the 3-year comprehensive spending reviews. Doing so would enable it to develop a long term work programme.

Q12. We have identified five broad areas of work as part of our mission for enabling better use of data across government: Quality, availability and access; Standards and assurance; Capability, leadership and culture; Accountability and productivity; Ethics and public trust. We want to hear your views on any actions you think will have the biggest impact for transforming government’s use of data.

All these areas of work are important. As we have outlined above however, we believe that the crucial areas even before the quality of collection and curation of government data is addressed in depth is: 1. the building of public trust in data governance and compliance 2. The development of a trusted vehicle for public data storage and use such as data trusts or social data foundations 3. A common set of standards for digital ID.

Q13. The Data Standards Authority is working with a range of public sector and external organisations to create a pipeline of data standards and standard practices that should be adopted. We welcome your views on standards that should be prioritised, building on the standards which have already been recommended.

Several industry stakeholders have commended the government’s CyberEssentials scheme to us. We understand that they would like its provisions to become mandatory, but that other standards such as ISO27001 should also be considered. We can observe that this could help deliver a minimum Information Security baseline.

Q14. What responsibilities and requirements should be placed on virtual or physical data infrastructure service providers to provide data security, continuity and resilience of service supply?

Clear procurement standards for data infrastructure services need to be adopted by local and national governments, particularly where cloud services are concerned. We should actively develop a U.K cloud services industry to ensure that the U.K.'s national data is held securely and with resilience.

Q14a. How do clients assess the robustness of security protocols when choosing data infrastructure services? How do they ensure that providers are keeping up with those protocols during their contract?

By this we assume you mean "government clients" of external service providers. This requires strong central guidance from GDS/Cabinet Office and monitoring of compliance from the centre.

Q15. Demand for external data storage and processing services is growing. In order to maintain high standards of security and resilience for the infrastructure on which data use relies, what should be the respective roles of government, data service providers, their supply chain and their clients?

As above for government data infrastructure procurement. For private sector security of infrastructure, government should establish the requirements for security standards and have enforcement powers to ensure these are followed. Data service providers should be responsible for demonstrating compliance through monitoring and/or audit. SIEM (security information and event management) is a framework that could be applied. Those involved need a security certification.

Q16. What are the most important risk factors in managing the security and resilience of the infrastructure on which data use relies? For example, the physical security of sites, the geographic location where data is stored, the diversity and actors in the market and supply chains, or other factors.

The concern we have about geographical location is that certain countries may attempt to access or interfere with any data held on their territory. It is vital that the U.K government retains the right to decide which territories its data can or cannot be held in. A government that is strongly committed to the protection of UK sovereignty should be similarly committed to the protection of data sovereignty, particularly over public data.

For general infrastructure concerns, we would point to the IRAM 2 Information Risk Methodology. The relevant risk factors are: people - companies should have HR policies that are cognisant of people from competitors or foreign countries; Asset Management; Supplier Relationships; Incident Management; InfoSec Policies; Business Continuity; Business solvency; Vendor lock in.

Q17. Do you agree that the government should play a greater role in ensuring that data does not negatively contribute to carbon usage? Please explain your answer. If applicable, please indicate how the government can effectively ensure that data does not negatively contribute to carbon usage.

Strongly agree. It is evident that internet use and data storage are a factor in energy use and climate change.

Q18. How can the UK improve on current international transfer mechanisms, while ensuring that the personal data of UK citizens is appropriately safeguarded?

Firstly, we stress the importance of reaching a data adequacy agreement with the EU. Secondly, we wish to highlight the importance of maintaining our participation in European data sharing, such as that with Europol. We have strong concerns about the ramifications of Schrems II and the privacy International case which has meant the inability of businesses to make use of a privacy shield mechanism and has cast doubt on the efficacy of standard contractual clauses. The third mechanism for data sharing which in any event cannot be used by smaller non global organisations are binding corporate rules, approval waiting times for which can be very lengthy. If there were a way of procuring a faster process for setting them up, while allowing multinational organisations to keep the ICO as their named DPA, this might give the U.K a competitive advantage provided an adequacy decision can be achieved. Facilitating faster approvals of BCRs will require substantial additional funding for the ICO. There are also considerable concerns that the current data sharing provisions in new trade agreements such as U.K/Japan are putting at risk our compliance with the GDPR and hence our ability to qualify for data adequacy.

Q19. What are your views on future UK data adequacy arrangements (e.g. which countries are priorities) and how can the UK work with stakeholders to ensure the best possible outcome for the UK?

We do not see data sharing agreements as a means of or motivation for debasing our own data protection regulation. From a business perspective, other than the EU, the most important country for the U.K to have a data sharing arrangement with would be the U.S.A, followed by Canada and Singapore.

Lord Wallace of Saltaire is Liberal Democrat Spokesperson on the Cabinet Office in the House of Lords.  From 2012-15 he was Lords minister and spokesman for the Cabinet Office, engaged in policy discussions on a number of digital issues.

Lord Clement-Jones is Liberal Democrat Digital Spokesperson in the House of Lords. He is the former Chair of the House of Lords AI Select Committee and independent consultant to the Council of Europe Ad Hoc Committee on AI.

David Chadwick was the Liberal Democrat Parliamentary Candidate for North Dorset in 2019. He is a certified Information Privacy Practitioner and works as a Data Privacy Consultant for Promontory, an IBM-owned consultancy.