22nd January 2019
Achieving the right balance between insight and data privacy
Mark Humphries, Managing Consultant with Civica explores the importance of data structure and governance for insights-driven councils and public bodies.
In September 2018, The Guardian* and The Telegraph** both ran a story on councils developing predictive algorithms to identify families where children may be at risk from abuse or gang exploitation. According to The Guardian, the algorithms were developed via data from at least three separate agencies: school attendance and exclusion data, housing association repairs and arrears data, and police records on antisocial behaviour and domestic violence.
Such insight from data analysis is invaluable to councils. Supporting vulnerable families is arguably the most important task that councils can provide and for many councils the combined budgets for adult and child care account for more than half of their total spend. Early intervention has the potential to both improve outcomes by preventing difficult situations spiralling out of control and to reduce long term costs.
How does this affect data privacy?
Trevor Hodges recently outlined the key fundamental building blocks to becoming an insights driven organisation. The data building block is a pre-requisite for analytics, so you need to excel at data management. For great analytics, you need to excel in disciplines for the control of your data including ethics and data protection law.
The use of machine learning and predictive models by organisations, raises important questions, both ethical and legal. For example, what constraints need to be considered? Also, what safeguards and oversights are needed to ensure that privacy laws aren’t broken?
This example illustrates an important dilemma facing many organisations. Data is being collected and stored at an unprecedented rate, it is easier than ever to share, merge with other data and analyse to gain valuable insight. On the other hand the rights of the individual, the data subject, are enshrined in new laws including what may and may not be done with their personal data. There is a tension between what can be done (technically) and what may be done (legally).
Data privacy in the UK is covered by the Data Protection Act 2018, which replicates the EU’s General Data Protection Regulation (GDPR) and provides a principle-based legal framework for processing personal data in ways that respect individuals’ rights.
Starting with the rights of the individual, a data subject has the right to be informed about how their data will be used, which implies that this information is available at the point when the data is first collected. In simple terms it means that the following questions require clear unambiguous answers:
- What data of mine do you need?
- Why do you need it?
- What will you do with it?
- How will you keep it safe?
- Who will you be sharing it with?
- What will you do with it when you no longer need it?
Maintaining citizens' trust
On top of the operational challenges that councils face, maintaining a trusting relationship with their citizens is paramount. More still needs to be done as Civica’s latest research found that only 11% of the UK public completely trust their local authority or the government to handle their data. Although councils are continuing to transform their services through insight-driven models, more work is needed for improved data transparency, security and shared access.
On the positive side, 48% of the UK public agreed that sharing more information will lead to better services, so they are open to building that relationship further.
Data analysis vs data collection
Regarding the primary purpose of data collection, it may well be straightforward. For a council, data may be collected with the aim of collecting council tax, providing social housing or the day-to-day management of schools.
Data analysis is different. It rarely starts with the collection of fresh data. It typically starts with a question and then looks for the answers in data that is available, which is usually in multiple databases, collected over years for diverse and unrelated purposes. In the case of the councils, a reasonable question might be, “is it possible to identify families where children are at an increased risk of abuse?” This leads to a series of hypotheses about the selection of existing datasets held by the council and other public services. It is very unlikely that local residents ever thought that their council tax payment records might one day be combined with police records and used to assess the risk of child abuse.
A proven model for insight and data privacy
To address current and future data regulation challenges and enable analysis and data sharing between agencies under GDPR/DPA18 requires a reliable, robust data governance framework. Civica’s Insight Framework is just that and covers the following three aspects that need to be addressed:
1. Data review and roadmap – reviewing personal data you have, how and why it was collected and its limitations. This is a requirement of GDPR/DPA18, and the information should be captured in Records of Processing Activity (RoPA, also known as Processing Activity Records or PARs).
2. Scope of analysis – what data will be included in the scope of the analysis, whether or not personal data is required, and if so, whether or not there is a legitimate legal basis for the processing.
3. Validation & governance – designing governance processes that include Data Protection Impact Assessments (DPIAs) to help validate and approve the use of personal data for specific new purposes? Identify any necessary steps or precautions that are required to stay within the law and to prepare any necessary communication. When data is shared between agencies, this will include multi-agency governance.
All three of these aspects form part of good data governance practice and create leading insights-driven organisations - reconciling the need for high-value data whilst respecting the comprehensive data protection laws in the GDPR/DPA18.
Ultimately, organisations which can demonstrate that they can be trusted with other people’s data will gain an advantage over those who can’t. Not only will they reduce the risk of large scale fines, but they’ll also reduce the much more serious risk of losing the trust of their customers or citizens. Ultimately, public trust is hard to win but very easy to lose.