There is a need for clarity in how the effort relates to data protection laws, writes Richard Duffield, head of customer insights at GeoPlace.
Interest in sharing data to protect vulnerable people is on the rise in the public sector as energy costs rise and the first real cold snaps of the winter hit. But confidence in applying complex information governance (IG) in response to rapidly changing requirements is not uniformly high across local services. IG is complex at the best of times and this lack of confidence can stand in the way of progress.
The issue came under the spotlight at a recent UKA Live discussion in which I took part along with Dawn Monaghan, interim director of IG policy and ethics at NHS England, Dr Susheel Varma, head of AI and data science at the Information Commissioner’s Office (ICO), and Murat Soncul, head of privacy and data protection at the Central Digital and Data Office in Cabinet Office.
It confirmed the view that the need to protect and support vulnerable people during the Covid-19 pandemic injected a strong momentum for sharing data between different public sector bodies – especially between the NHS and local government – with clear benefits such as people who were isolating receiving appropriate support and advice.
During the pandemic, identifying and supporting this cohort was helped by sharing and linking different datasets, often using the unique property reference number (UPRN) – the identifier for every addressable location in the UK – to identify households.
But this seems to have fallen short of a continuing change in mindset. While the enthusiasm for more data sharing remains, there is an awareness that it was legally facilitated in many cases by the temporary extension of Control of Patient Information (COPI) notices, which are now more limited, and debatable perceptions of the General Data Protection Regulation (UK GDPR as tailored by the Data Protection Act 2018) as a blocker.
Need to maintain momentum
In addition, the drive to prepare datasets to be ready for sharing in response to emergencies such as the pandemic, or supporting the vulnerable this winter for example, has naturally dissipated. This includes linking to universally understood identifiers such as the UPRN. During the pandemic it was high on the ‘to do’ list for many organisations, and while it still has a tremendous value in planning for future crises, the effort has been held back by uncertainty over the legal issues and the need to get on with day-to-day business.
This is understandable but any loss of momentum on this will undermine the ability to deal with future problems.
Dawn Monaghan outlined the position on COPI notices, saying they are still valid for some data sharing related to Covid-19 purposes. However, when sharing information is not Covid-related, and where the purpose is not for direct care, organisations must consider the common law duty of confidentiality in any effort to share data.
Susheel Varma explained that this duty adds another layer to the GDPR, which is intended to balance the rights of individuals with the responsibilities of organisations to process data for the public good.
This means that any initiative, even when supporting vulnerable people, has to be balanced in terms of proportionality and purpose, which often requires a risk-based approach to sharing data.
There is scope for a more open approach in the Digital Economy Act, which includes legal gateways for sharing some personal data in order to identify and improve the wellbeing of vulnerable individuals. But it also specifies that any initiatives should comply with data protection regulations, which leads people to look at the GDPR and see more barriers than opportunities.
Meanwhile, as Varma explained, the perspective of the ICO is changing from an emphasis on what should not be done to what should be done within legal bounds and with recommendations of best practice. This will often involve linking data to provide innovative solutions to public sector problems.
It often creates confusion and caution that stand in the way of using the data effectively. Varma made the point that “there is no single truth”, that laws often reflect a particular view of how to protect people, and that the environment around them changes over time.
This creates a sense of a need for strong guidance in dealing with the IG complexities, for which there are some interesting ideas.
Monaghan made the point that different groups need different levels of understanding. The public only need to feel right about how their data is being used, while frontline staff do not need to know the intricacies of IG but do need clarity on what they can do.
It is the IG professionals, said Monaghan, who need to know what the laws say and how they apply, to be clear about what their organisations are doing and the obligations involved, relating this to purpose and proportionality. They have to fully understand the legal gateways and how they apply to instances of data sharing, and will sometimes have to make judgement calls in grey areas.
Questions from the audience articulated the desire for a standardised approach to the use of data, which could work through a formal mechanism and/or under the oversight of a central authority. Might it be possible for regulators to develop standards and say what needs to be done to achieve specific outcomes?
Varma acknowledged the possible benefits but said the ICO does not want to be prescriptive in telling organisations how to do their jobs.
There could, however, be a less formal approach that organisations are encouraged to follow, with steps such as the adoption of UPRNs as a key for data matching and linking, and the SAVVI (Scalable Approach to Vulnerability via Interoperability) standards, or use of common ‘vulnerability flags’ that indicate someone in a household could be subject to conditions that place them at risk. This latter could apply to age and health conditions, and sometimes to local factors such as proximity to health services.
Such an approach could meet the requirements of data minimisation, one of the core principles of GDPR, by flagging up that someone could need help without making the details visible or sharing full records.
The ICO does provide a source of guidance, but this is for more generalised concepts without interpretation for specific cases.
Gap to fill
It leaves a gap that could be filled by the development of communities of practice for local service sectors, through which IG professionals could share best practice on linking and sharing data. They could provide foundations for refining then disseminating the best way to manage the processes for specific use cases.
Underlying all this is the need to communicate with the public about how and why the data is being used, to build trust that there is due respect for the principles of data protection. It needs more than one message on a website; rather, it means thinking through with communications teams the best way to engage with communities on how the organisation is aiming to help them.
Dealing with these issues is a priority for the public sector, as there is a need to be ready for future crises – as Varma said, we need to wargame future challenges. But it will have to be balanced with a legally compliant and proportionate approach to information governance.
GeoPlace plans to make a contribution with further research in partnership with UKAuthority in the new year, and already provides guidance on the use of the UPRN to help support the vulnerable.
Links referenced during the discussion:
- ICO's Data Sharing Code of Practice
- ICO codes re Digital Economy Act
- Digital Economy Act 2017
- Data Protection Act 2018
- GeoPlace guides: