“Who do you trust with your data?”
This question certainly proved to be a dominant discussion point at several Conservative Party Conference fringe events this year.
The answer (at least according to research and polling published by the Royal Statistical Society and IpsosMORI) is sadly: not many organisations. Few in either the public or private sector scored well in their survey. Only 6% of respondents expressed high levels of trust in internet companies to use their data. The figure was 13% for the British Government. The most trusted were GP surgeries, and even they only inspired high levels of confidence from 41%.
Given the paucity of public confidence, the more pressing question for policymakers should be: “How can we build trust?”
After all, the UK needs the private sector to be able to innovate with data in order to pioneer new business models that provide economic growth. The public sector equally needs to harness data in bold new ways to cope with growing demand and shrinking budgets. The success of both depends on public support. So what is the cause of the data trust deficit and what can be done about it?
We should start by recognising that the current model of giving consent for companies to use our data is dead. The terms and conditions for PayPal are famously longer than Hamlet; those of iTunes, longer than Macbeth. It is not just their length that is Shakespearean – the complexity of the language used can be as obscure as the Bard’s, too. Many T&Cs documents require a degree-level education to understand, and some a law degree at that.
In an effort to prove just how few people actually read their agreements, in 2010 GameStation.com added a clause that gave the company legal ownership of their customers’ souls. More recently, several (presumably quite distraught) parents were informed that they had given up the right to their eldest child in exchange for free wifi.
Of course, there are plenty of decent companies that proactively explain to their customers how their data will be used. Some even offer tools that allow users to opt-in or -out of specific data uses. There is, then, a market solution to the data trust problem: businesses that provide their customers with clarity and control should gain competitive advantage over those that do not.
But there are two challenges to make that market work.
First, the demand side. Customers need to be sufficiently informed about the merits and risks of different types of data use and sharing to understand how to make a choice between companies that have good and bad data practice. It is not at all clear that this level of understanding is wide-spread. Educating the public at large around such a nuanced issue is no simple task.
Second, before the market can establish itself and restore users’ confidence, regulations may be imposed top-down. That is already the threat emerging in the form of the European General Data Protection Regulation. Were this to be implemented, it would result in a nine-fold increase in legal compliance costs for digital businesses and could make some data-driven business models unworkable. That would stifle innovation and hit the UK (with its large digital sector) harder than most.
More desirable by far is for industry to develop and implement its own code of best practice that enables innovation while also giving users real choice and clarity about how their data is used. Various initiatives along these lines are in the works, but they cannot come fast enough.
The public sector likewise needs to be much bolder in its use of data. Local authorities alone need to save £12.4bn by 2020. Salami slicing back public services and encouraging more people to self-serve online will not be enough. Instead, public sector organisations need to find fundamentally more efficient ways of working. Many parts of the private sector have saved huge amounts through technology and clever use of data. The public sector needs to do the same. Designing and delivering shared services; targeting scarce resources more efficiently; coordinating the work of teams within and between different parts of the public sector – all require shared data.
It is true that government has been burned by past sharing initiatives, not least the saga of Care.Data – a case study in how not to run such a programme. It undoubtedly further undermined public trust. But policymakers must be sure to learn the right lesson. It is not that government cannot afford to try data-sharing initiatives. Quite the reverse: it cannot afford not to. But they must be done in the right way.
Three things could help.
First, a detailed, approved framework must be developed that gives public bodies confidence in when and how they can share certain types of data. Different organisations interviewed during Policy Exchange’s research had startlingly different interpretations of what is possible or prohibited under current regulations. Many were simply unsure, and so err on the side of not sharing at all.
Second, government needs an Office of Data Responsibility to match that of the Office of Budget Responsibility: an independent, critical but supportive body to audit and provide advice on data sharing. (This could perhaps be formed through an extension to the work of the Information Commissioner’s Office.)
Third, politicians must make a better case to explain how sharing data can benefit the consumer or user of a public service. Data sharing could, for example, help find cures for existing diseases or reduce tax and benefits fraud. Early interventions for troubled families could save children from harm as well as reducing costs by hundreds of thousands of pounds by nipping problems in the bud before they escalate. Done well, the public can be convinced.
Policymakers twist themselves into intellectual knots worrying about data sharing between departments. But they should remember that – outside the Westminster bubble – most people don’t think about DWP, HMRC, BIS and so on. They just see ‘Government’. Many would be astonished to learn that data isn’t systematically shared to improve services. They will complain if government’s left arm does not know what its right is doing. The IpsosMORI research showed that 55% of people would support the statement “We should share all the data we can because it benefits the services and me” as long as “…data is anonymised and I can’t be identified”. In short, support can be won in circumstances that are appropriate, proportional and done with proper protections in place.
Ultimately, government must trust individuals to manage their own data. One of the key lessons from Care.Data was that it is not enough for government to decide how data is used and give no immediate, direct and tangible benefit or control back to citizens. It should have been done in conjunction with efforts to give people access to their own personal health records online. For precisely the same reason, government should help promote the development of personal data stores that allow individuals to choose who sees their data and for how long. The market is currently embryonic, but with a strong commitment from the public sector to embrace the model, it could be expanded rapidly.
More broadly, it is time to stop framing the debate as if there is a battle between innovation and sharing against privacy and control. They are not mutually exclusive. They do not even need to be ‘balanced’. Instead, innovation and sharing will only be possible in the long term if users can protect their privacy and exercise control. That will require a shift in attitudes. Perhaps also investment in new technologies. Certainly education.
But let us be under no illusion. If the public’s answer remains hostile or suspicious of any attempt to share personal data, the alternative will be far worse.
Follow Eddie Copeland on Twitter @EddieACopeland