Industry voice: While grey areas remain, user access management and a strong identity platform can be major assets in preparation for the General Data Protection Regulation, writes Nick Caley, vice president of Forgerock
A lot of questions are arising and plenty of heads are being scratched over the approach of the General Data Protection Regulation (GDPR). Due to come into force in May of next year, it will impose stiff demands on the data governance arrangements of all organisations, and have implications for the way they manage issues around consent and citizen identity.
But compliance is not straightforward, given the multitude of purposes for which personal data is collected and stored, and the grey areas that can be created by other regulations. There is already a perception of a tension between the emphasis on privacy and consent in the GDPR and the disposition towards data sharing across the public sector in the new Digital Economy Act.
As ever, the devil is in the detail, but those details are not yet fully clear, with everybody awaiting guidance on how to ensure compliance with the new regulation.
It was against this backdrop that I recently took part in a UKA Live discussion with Dawn Monaghan, head of data sharing and privacy at NHS England, and Ian Litton, a consultant who previously led Warwickshire County Council’s collaboration with the Government Digital Service on identification for Blue Badge applications.
A strong message emerged in the discussion: that nobody yet has a definitive answer as to how to comply with the GDPR.
Monaghan said that, while it should not require a massive change in how authorities manage people’s personal data, there is a confusing landscape – especially with the approach of a new Data Protection Act to implement the regulation. Several elements of GDPR are not yet covered by UK law, but they are within the Information Commisioner’s Office (ICO) data sharing code of practice and these will become mandatory next May.
She estimated that organisations should already be doing 70-75% of what is in the GDPR. But there are some grey areas around managing consent for data sharing and meeting the new requirements – such as the right for people to request the data on them is erased – and the guidance on how to do so is not yet available.
Authorities in the UK will be looking to the ICO to provide a lead, but that organisation has to wait for the Article 29 Working Party – which provides the European Commission with advice on data protection – to develop its own guidance. Only then can the ICO can fit it to a UK context.
One of the prime pieces of advice is to watch for any announcements coming from the ICO and be ready to adapt quickly; and any organisation that already follows good practice in its data governance should not find it too difficult to do so.
There are also two technology concepts that organisations can focus on to help them be better prepared.
One is around harnessing user managed access (UMA) for consent to share data. This is based on the OAuth standard for access delegation and gives people a convenient way to determine who gets access to their personal data, for how long and under what circumstances. They can delegate access through a ‘share’ button in an app, and use a console to manage sharing preferences.
The concept was used as part of the Warwickshire pilot, providing a point in time consent to check data with another organisation to support application for a Blue Badge. In this case, consent paved the way for an automated check - or attribute exchange - with the Department for Work and Pensions to confirm eligibility for the badge to be issued. This direct check on attributes rather than sharing the data itself minimises the wider risks of data exchange.
This was all done securely - which meets another fundamental requirement of building trust in data sharing.
The second is to find a way of relating an individual to any relevant data held in the sprawl of systems and repositories that have emerged in most organisations over the years. Complying with the GDPR requires being able to find the data belonging to the person who makes a request, and in the public sector this can be a very demanding task.
But is possible to manage it through the use of a platform that establishes a clear identity for the individual and associates this identity with relevant data held in all those systems and repositories that hold an individual’s data. All these shreds of data may serve a purpose just for one process, but it will be important that they can be recovered, shared or erased as required.
A strong digital identity platform will provide the necessary synchronisation between systems and reconciliation of the data to keep records up to date. This will help to make the organisation more efficient and effective, and enable the individual to retain control of their data in their interactions with the public sector.
All this will be important not just for complying with the GDPR, but in taking the opportunity to develop a trusted relationship with the citizen. Digital is a part of that, providing easier access and visibility of the data being shared, and organisations looking to the implementation of the GDPR should recognise that next May is not be the finishing line. It will be the beginning of a sustainable programme of work that will change the organisation's culture.
Of course, there is a lot more to be considered, much of which was covered in the discussion and can be found in the recording below. Everyone has a vested interest in making this work and it is important that those leading the efforts for their organisations begin to build their understanding now. The clock is ticking on 25th May 2018.
Meanwhile, you can view the full debate below: