Public Services > Central Government

Civil servants under fire over Digital Economy Bill drafting as Parliamentary scrutiny bites

David Bicknell Published 23 November 2016

Concerns remain over quality of data sharing legislation within the bill and failure to sufficiently address impact of EU GDPR

 

The Digital Economy Bill is facing extensive change as it works its way through parliamentary scrutiny.

It is understood that the need to satisfy numerous drafting  demands, particularly on the controversial subject of data sharing, has left the government scrambling to recast large chunks of the legislation.

Over 130 amendments have been tabled to the bill by the government itself and even specialists in its minutiae say they are unclear where the legislation is heading. Louise Haigh MP, Shadow Minister for the Digital Economy, has observed that “It is now clear that the Bill was not ready to come to the Committee.”

A particular source of concern is the drafting of Part 5 of the bill, which covers data sharing and discusses how citizens’ personal information is accessed, shared and used by government, public authorities and private companies.

It has been suggested that government ministers have been unhappy with the discovery of problems around the bill’s data sharing provisions after being repeatedly assured the bill was ready.

There have also been several queries from digital, data and security specialists as to the lack of references to the GOV.UK Verify identity assurance scheme in the codes of practice, especially when Verify is meant to be the main means of identification for services.  

According to one specialist who is familiar with the bill’s provisions, “Quite how you can share data if you don’t sort out identity remains a mystery. Whether you’re sharing information within government or with others, surely you have to know who you’re sharing it with and that they have the right to access and use the data? Why rush the bill through when no-one is ready to actually share data anyway until they crack this problem?” 

However, the government has pointed out that it wants to make better use of data to keep pace with rising public expectations as well as the availability and potential of new technology “to deliver better services at a lower cost.”

It is understood that the government’s response to criticism of the bill is a robust one, saying it spent over two years working with more than 50 civil society and public sector representatives to develop the data access clauses in the Digital Economy Bill. Its message about the bill is, “It is an important piece of legislation and we have been determined from the outset to be collaborative and to get this right. It is essential to public service reform.”

One former civil servant, who has been involved with the drafting of legislation, defended the bill drafters, saying a desire not to be too technology specific in the drafting of legislation might be behind Verify not appearing in the bill.

Conversely, say campaigners, other technology-related legislation such as RIPA and the IP Bill does include technical material. While Verify itself might be too specific, the need for some form of identity and authentication regime to be in place (in order to know who is trying to access data) is certainly necessary.

On this point, Edgar Whitley, an associate professor (reader) of information systems at the London School of Economics has previously argued that, “Technological issues should not be left for codes of practice, regulations and statutory instruments. This is because apparently neutral technological decisions can, in fact, have a significant impact on the way a law is implemented and, as such, should be subject to proper, detailed scrutiny. In particular, these decisions can be such a key part of the proposed legislation that they should be subject to more scrutiny than codes of practice and statutory instruments typically receive.”

There has also been a suggestion that the relevant government department behind the data sharing legislation – the Cabinet Office–failed to take sufficient specialist and expert input on the impact of EU General Data Protection Regulation (GDPR). There is also criticism that the Information Commissioner’s Office was insufficiently consulted, particularly over the drafting of the legislation, and that the Cabinet Office’s own Privacy and Consumer Advisory Group, established to provide expert review and guidance on government identity assurance and data-related initiatives, has been largely ignored through the entire process.   

EU GDPR regulation is intended to enable the European Commission to strengthen and unify data protection for individuals within the EU. The regulation enters into application on May 25, 2018, after a two-year transition period and, unlike a directive, does not require any enabling legislation to be passed by governments.

One bill watcher said, “I’m not sure why the GDPR has not featured as a more significant concern. If the EU were to rule that the bill effectively places the UK in breach of compliance (which it would seem to do given the GDPR’s provisions about requiring consent and also the ability to easily revoke consent with regard to the protection of sensitive personal data), then it would have major implications for any organisation or business in the UK wanting to hold and process EU citizens’ data.

“On a wider point, it would seem to make sense to remain in compliance with GDPR anyway to ensure that there is a consistent set of rules for UK organisations rather than having to comply with one set of regulations for UK citizens and another for EU citizens. Making life more difficult for organisations doesn’t really seem consistent with the desire to support a more efficient “digital economy”.

It has been suggested that a reason why the ‘process and outputs’ for the bill is poor may be the use of more of ‘generalist’ civil servants working on what has actually become a highly complex technical area.

One Digital Economy Bill specialist expressed his concern that in terms of data sharing, despite two years of ‘open public consultation’, it is unclear what improvements have actually been made and lessons learned.

The specialist said, “I get the impression that Part 5 was tagged on quite late in the day. The end of the consultation was all very, very rushed. And the fact that the codes of practice didn’t appear for some time after – and are still largely incomplete or rushed – also suggests the timescale to be included with the bill took precedence over getting it right. It is possible that there was no single owner who looked at the bill end-to-end to ensure it made sense.

“Various lawyers will have drafted the legalese but by the time they’d finished, everyone else probably couldn’t understand what it meant anymore! Ministers would have been told at a high level that it delivered the policies they had asked for, and only once it was in the bill process would it have started to unravel, leading them to ask the officials why it was encountering so many problems. It all seems very Sir Humphrey.”

In his submission on Part 5 of the Digital Economy Bill, Dr Jerry Fishenden co-Chair of the Cabinet Office Privacy and Consumer Advisory Group (PCAG) said, “The desire to make better use of data in order to improve public services for citizens and businesses is important.

“The use of technology offers the potential to empower and better assist some of the most disadvantaged in society, as well as improving the daily experience of public services for UK citizens and businesses alike.

“Part 5 seems to imply an approach to “data sharing” modelled on the era of filing cabinets and photocopiers when – quite literally - the only way to make data available to others was to send them a duplicate physical copy. Modern technology has already rendered the need for such literal “data sharing” obsolete: data can now be used without copying it to others and without compromising security and privacy.

“If Part 5 is required – for example, to put into law provisions such as making data breaches a criminal offence – it will need to be substantially revised to be significantly more precise, putting into law the legal and technical detail currently absent.”

In its own submission to the Public Bill Committee on Digital Economy Bill, Big Brother Watch has already called for Part 5 on data sharing to be completely removed. It said, “Rather than suggest amendments to the bill, we request that Part 5 be removed from the bill as a whole, to enable a coherent, properly defined, legally compliant piece of legislation to be drafted which will have the safeguards and longevity needed in this absolutely critical area.

“Data sharing will be one of the most important functions in a completely connected society; it should therefore be done properly. We fear that Part 5 will merely build a temporary solution which will fail to solve the profound problems, some of which have been highlighted by the National Audit Office and the Cabinet Office in recent weeks.”

It added, “The bill fails to define what information will be shared. No definition of data sharing is given. Part 5 indicates that the intention is to hand over or replicate data between departments. This approach is fast becoming outdated. Data sharing based on the old paper model of handing over all data rather than relevant data is something which the Government Digital Service (GDS) has been actively working to move away from.”

Big Brother Watch added, “The GOV.UK Verify Scheme has been working for the past five or so years to establish a model of attribute exchange sharing, based on the government not centrally storing data and ensuring that there is no "unnecessary sharing of information". Verify adheres to strong privacy principles and is based on the premise of asking the citizen for limited access to their data in order for a secure reusable identity verification process to be established.

“There is no mention of Verify in the bill or in the supporting documents. We think this is cause for concern as it shows a lack of communication with experts working in government on data sharing.”

Shadow minister for the digital economy, Louise Haigh, said , “This bill has demonstrated a lamentable lack of ambition for the digital economy.

“The Government’s almost cavalier attitude to data sharing has laid bare a basic lack of understanding about the implications of their own measures. By tabling dozens of amendments to their half-baked bill after it has come before Parliament, ministers appear to be scrambling to make their Bill ship-shape while it is hurtling down the slipway. This is a wholly inappropriate way to legislate on an area as sensitive the sharing of personal information.”

 








We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.