Public Services Committee
Corrected oral evidence: Information Commissioner’s Office—follow-up
Wednesday 25 January 2023
3 pm
Members present: Baroness Armstrong of Hill Top (The Chair); Lord Bichard; Lord Bourne of Aberystwyth; Lord Filkin; Baroness Morris of Yardley; Baroness Pinnock; Baroness Pitkeathley; Lord Porter of Spalding; Baroness Sater; Lord Willis of Knaresborough.
Evidence Session No. 1 Heard in Public Questions 1 – 7
Witness
I: John Edwards, Information Commissioner, Information Commissioner’s Office.
USE OF THE TRANSCRIPT
12
John Edwards.
Q1 The Chair: Can I welcome everyone to this session of the House of Lords Public Services Committee? We are very pleased to welcome today John Edwards, who is the—relatively new—Information Commissioner. The committee has shown an interest in data sharing in the public sector, particularly in relationship to children. We are grateful to you, Mr Edwards, for being prepared to continue the dialogue between the committee and the Information Commissioner’s Office, particularly about data sharing and children in the public sector.
As ever, I will ask the first question. We have previously identified a need for a flexible and proactive approach to data sharing. Could you briefly talk us through what you see as the key barriers to data sharing in public services, from technical, legislative, and cultural standpoints? I was just telling the committee that I have seen your video, which I thought was a real help to the public sector. You might want to say something about that too.
John Edwards: “Kia ora koutou katoa”—a greeting from out here in New Zealand—and thank you for the opportunity. It is a very important topic. The Data Protection Act and the UK GDPR could equally be titled the data sharing Act, or data sharing legislation. That is what they are for. The legislation, which it is my responsibility and privilege to administer, is a manifesto for information sharing. Unfortunately, as the committee has heard and experienced, there is a common phenomenon in jurisdictions with similar legislation, which is that a degree of mythology creeps up around the legislation: that it is there to prevent information sharing.
In my confirmation hearing with the Digital, Culture, Media and Sport Committee, I described the UK GDPR as a “how to”, not a “don’t do”. For public authorities, third-sector agencies and others, the legislation describes how to go about information sharing safely and proportionately to achieve legitimate and public objectives. To answer your question, there are a number of barriers to information sharing. I am the first to admit that some of those lie at the feet of the perception of the legislation that I have described.
However, there is an interaction, which I think the committee needs to understand, between some of the other factors that you mentioned, technological, for example. There is desire for information sharing across systems that do not readily speak to each other, and that requires considerable investment. Sometimes a call for investment is met with, “But if we spend all this money, the legislation won't let us do it anyway”. There is a reinforcing cycle. As I say, the technological barriers are significant, and the investment barriers should not be underestimated.
The cultural factors that you mention include a lack of preparedness, a lack of trust, and misaligned incentives. For example, you might want an organisation to share and invest in its information infrastructure, staff training and documentation in order to achieve a benefit that is realised not by that organisation but by another, or by a subset of the community. Those misalignments need to be addressed.
There are also different expectations in different disciplines and parts of the health service. There may be patch protection. There may be a sense that there is no public or social licence for an organisation to contribute its data to a wider pool for the wider public good.
The factors that you mentioned are all very real, but while I acknowledge the importance of this inquiry and very much appreciate the committee’s attention to it, one caveat is that it is very difficult for us to describe the challenges to information sharing in the abstract. It is like talking to a fish about water. Information is all around us. It is shared hundreds of millions of times a day in order to achieve a variety of objectives. So when we speak of this world of data sharing, we are talking about a social worker calling a school or an NHS trust and saying, “I have concerns about this child. Can you help me?”, through to a large investment in a data warehouse that brings together a variety of systems from different providers. To the extent that there are commonalities between the challenges faced at the micro and the macro level, there will not be one single solution or silver bullet.
My office plays an important role in providing guidance on how to share information safely and reassuring the public that sharing can be done responsibly, but leadership needs to be shown in other domains as well, including across central government, to set examples and expectations of public services, both at central and local government level.
The Chair: That is very interesting.
Q2 Lord Bichard: That is a really helpful opening. You are obviously aware of and sensitive to the particular cultural issues in the public sector. It is quite risk averse and silo-based, but you have been trying to address those issues. You have done the video, which we have all looked at, you amended the code, you are working on the resource paper, which we have talked about before, and you introduced the “public enforcement trial,” which I thought was fascinating. Do you have any other tricks up your sleeve, or any other initiatives that we will like? Also, do you think these are having an impact? I am particularly interested in whether you think the public enforcement trial project is likely to make a difference to how people perceive sharing.
John Edwards: I wonder if the committee would indulge me for a moment just to touch in slightly more detail on the examples that you gave first, for those who may be watching and who have not had the advantage.
Lord Bichard: I was hoping you would.
John Edwards: Thank you. I have had a meeting with the Children's Commissioner, we have had workshops, and I have met with a number of colleagues who have reported to me on how the mythology of data protection gets in the way of information sharing. A device that I used to good effect in New Zealand was to deliver a very simple message to those charged with the care of children who may have information to prevent a child falling into vulnerability. I made a video that simply said, “If you hold information about a child who may be in need of care, of protection, or of safeguarding, who may be vulnerable, and you tell an authority or individual with the power to do something about that, you will not fall foul of, or experience repercussions under, the UK GDPR or the Data Protection Act”.
A simple message like that is very important, to the extent that it might remove a reticence that could get in the way of a child receiving comprehensive care, or a family receiving the support to which it is entitled. It is hard to measure whether we have been effective yet.
You mentioned a shift in approach to public sector enforcement. I stumbled upon that early in my term last year, when I was invited by the team to issue a significant fine against an NHS trust for failures in its data protection administration. Being new to the country, and unfamiliar with the funding arrangements in the devolved health system, I asked what the impact would be. I was told that the fine, which was for a breach that put patients’ data at risk, would be taken out of the system, and therefore effectively punish the victims of that breach for a second time. I thought, “What’s the sense in that?” In another instance, we had fined a Whitehall authority a significant amount for a breach that it experienced. Again, the financial go-around did not seem to make much sense as a disincentive to the factors that led to the breach.
Therefore, we have revised our approach. We have decided that we will really emphasise good practice and call out bad practice. We will assist you to hold public authorities to account by issuing reprimands, and publicising those. I have had feedback that this is already bearing some fruit. You may be aware that, around the third quarter of last year, we issued a reprimand to the Department for Education for a failure that allowed children's school records to be accessed by a company that was not using them for the legitimate expected purposes, but instead was using them to screen access to gambling sites on a commercial basis. We could have issued a fine, but we thought it was better to work with the Department for Education to try to ensure that it could not happen again, or certainly to reduce the possibility.
The feedback that we have had from publishing the reprimand and publicly holding the department to account is that it has really elevated data protection in that organisation. There is now a responsible Minister with oversight for data protection, it is properly resourced and, I think, it is appreciative of our support. The power to fine public authorities rests in the Bill. It is Parliament's will that this should remain a resource available to me, so I do not feel able to take that off the table altogether. We retain the discretion to issue fines for egregious conduct, but we are increasingly looking to what we call “upstream mechanisms” in improving practices. We have joined with the Department for Digital, Culture, Media and Sport and the Cabinet Office to form a three-legged stool to co-ordinate across the Whitehall leadership group, which will disseminate the lessons learned during our enforcement activities, highlight good practice, and elevate data protection and data sharing issues to senior levels in Whitehall. I have great hopes for that endeavour.
When we issue a reprimand that, but for this change of approach, would have attracted a fine, we will continue to give clear signals as to the size of the bullet dodged; how much the fine would have been but for our change in approach. That will serve two purposes. First, it will send a message to the private sector and others about the kinds of tariffs for these breaches or lapses. Secondly, it will give public and civil servants some pause, and we will be able to show an accumulated benefit at the end of our trial period.
You asked what other tricks we have up our sleeve. We have plenty. You mentioned the resources that we will be producing as a result of our collaboration with the Children's Commissioner. We held a workshop in which we asked practitioners what issues they faced on a day-to-day basis and how we might support them in achieving the information sharing that is necessary to properly keep children from harm. We are producing those resources and they will be ready by the summer. Just this week, I asked my team whether it was possible for a local authority child protection team or civil society group working in child welfare to get a template data sharing agreement from our website, and I was told that it was not. I can tell you that it will be, and that has gone into our work programme.
We are producing more and more guidance and help-desk resources for staff. I have some statistics for the committee, if that would be of assistance. We have a business advice service, which has had 11 inquiries from local government in the past six months and 87 in the third quarter of this year from the health sector relating to data sharing, and we have been able to explain how to achieve their data sharing objectives. To give you an example of the complexity and diversity of requests, we had one query from a local trust providing services to children affected by substance abuse. The contract with the local NHS trust required that, as part of the funding arrangements, they provide all the health information they held to that trust. The service got in touch with us and said, “Is this proportional? We know we need to ensure that these children receive the support they need across the system, but just because we’ve come in contact with them and are providing this service under that contract, does that mean that we should be providing all that data to the trust?” These are the challenges that are occurring at the coalface every day.
Lord Bichard: I cannot tell you how encouraging I find all that. I hope we all find it encouraging. It feels like one's work is done. Can I just go back briefly to the video? We have had concerns in the past that the advice and guidance was just too complicated for people to understand, and that was one reason why they took a risk-averse approach when experiencing any problems. Your video is absolutely clear. It ought to be available and seen by anyone who is working in the field of child protection and child safety. Are you trying to ensure that it is?
John Edwards: Yes, I want it to be seen widely. The risk that one child could be exposed to harm because of a delay caused by uncertainty as to the legal consequences is unacceptable to me. It is not realistic. This is a message that I need to hammer home. When the UK GDPR was signed into law in 2018, attention was focused on the 4% of global revenue fines, the millions of pounds of fines that could be issued. You can understand the chilling effect that might have. In fact, in 2022, the ICO answered 955 complaints about the lawfulness of processing data in the public sector, involving queries on data sharing, transparency concerns, and deliberate disclosure. We pursued less than a third of those, and none resulted in formal investigation or enforcement action. I can assure the committee that not one fine has been issued during the life of the UK GDPR when an authority has shared information in pursuit of ensuring the safeguarding of a child. That is the message I want to send, and it dovetails with the shift in approach that we have taken to public sector enforcement by reserving that power to fine for the most egregious cases.
You will note, I hope, that when we issued the fine to the Department for Education, which was for the failure of a system, a failure of security, which allowed a commercial enterprise to have access to a dataset for completely unconnected purposes, there was no ambiguity about the law in that case.[1] If there is ambiguity, we will work with authorities to clear it up. We will not go in and punish.
I give you my assurance that, for me, it is as important to ensure that appropriate information is shared as it is to ensure that information is not shared inappropriately.
Q3 Baroness Morris of Yardley: That is really interesting, and I am really pleased that it seems to be having a good impact: that by treating things in a positive way and emphasising the positive, it will become a “can do” organisation. Is there an argument for doing something similar with the public? I only ever read about data sharing when it has gone wrong, so no wonder the public’s cultural resistance is fairly great. You must have myriad examples of lives that have been saved, things that have gone better, and improvements to public services because of data sharing. Is there any way in which these can be brought to the public's attention?
John Edwards: That is a fantastic point. Unfortunately, we do not hear about those.
Baroness Morris of Yardley: No, we do not.
John Edwards: We do not hear about the thousands of lives that have been saved this month in the NHS because information was shared, since that is our everyday expectation. Very often, privacy and data protection are something that we take notice of only in the negative: “Something has been taken from me. Something has gone wrong”. Most of us go about our day expecting reasonable interactions with services leading to predictable pathways for information, and those are not noteworthy. It is only when unusual uses of information, breaches of security, or breaches of trust occur, that we feel the need for some commentary or retribution.
Q4 Lord Filkin: That was very interesting, and it delivers a sense of progress. I am not going to crack open the champagne just yet, because the challenge is still considerable, as I am sure you know better than we do. It seems to me that the focus tends to be on not sharing things, rather than how it is morally and practically essential to share. Clearly, your video is the start of that shift. I wonder, though, if the incentives are sufficient at this stage to make people recognise that it is more culpable sometimes not sharing than being passive.
A subsidiary minor point: do you also need to focus on public sector lawyers and local authority lawyers? They will often be turned to, and will instinctively look for a reason to be cautious and for a defence of cautiousness.
I would like to know what else you are going to do to really try to ensure that data is shared when it should be. What you are doing should help, but we are not interested in whether it is a step in the right direction; it is whether we are going fast enough and far enough.
John Edwards: To your first point about value, as I mentioned in my opening remarks, the organisation or the individual who receives the benefit is not the one who has to take the risk or make the investment or divert the resources, and that is a challenge. There needs to be more co-ordinated leadership from the top and a more transparent articulation of the value proposition of this appropriate sharing.
I will do what I can. Just this morning I met with Professor Chris Whitty, who, as you will know, is an advocate for the use of data to derive public benefits, and benefits to public health in particular. We shared our own anecdotes about the barriers to information sharing of the sort that you have described to me today. He had also seen the video about safeguarding of children that I made for those who are providing services. We have decided to come together and make a similar video or message and accompanying resources for public authorities.
It will then be for our political and administrative leaders to champion that. They need to come together and set the example. It is enormously inefficient for us to expect every council to have its lawyers grapple with these issues, to have every school write a data sharing agreement, to have every NHS trust provide training resources to staff working at the frontline, when you could have that expenditure at the centre. “Do it once, use it many times” is the model I employ. That is what I expect to see from my colleagues in Whitehall too, because as well resourced as we are, we cannot provide that level of guidance for the entire economy. What we can do is support those who have those resources and networks to disseminate those messages. That is my commitment to you too.
Lord Filkin: Presumably, you have a little mental mind map of which sectors need to take which actions to be able to keep a score on that and, if necessary, go public on the progress of those individual sectors and the collective action they are, or are not, taking.
John Edwards: Yes. As for scores, I must revert to a part of Lord Bichard’s question about measurement of progress with our revised public sector approach, which I artfully dodged. It is important that we establish some baselines so that we can speak to you and the public about the progress that we have made after a two-year trial period. We do not have those yet, but that remains a priority for me.
Lord Bourne of Aberystwyth: Thank you very much for being here, and thank you for the can-do attitude that I am sure all of us really appreciate. The emphasis on “how to” rather than “don’t do” is absolutely right. Thank you for the video.
First, I would like to follow up on what Estelle, Baroness Morris, was saying about the importance of accentuating the positive, and getting those positive messages across in literature and social media videos to ensure that the public sector in particular appreciates that sharing data is the right thing. We want to clearly indicate that that is the heroic position, that we are far from wanting to punish for sharing data; if anything, the emphasis is penalty on those who do not share where they should. I am not in favour of penalties, but that is clearly identified as the negative. If we are able to get that across, that is really good news.
That is a comment I wanted to make, but I wanted to press you a little bit on something you have touched on with Lord Bichard: the public services resource for those working with children. You said that the summer is the deadline date. Is that a hard date? When in the summer will that be? Are any impediments cropping up? I am not looking for them, but if there are, maybe it is something we can help with.
John Edwards: Thank you for the offer. I do not believe there are any impediments. I am sorry that I am unable to give you a hard date. I did not acquaint myself with the project planning documentation to that level of detail. I would be happy to commit to delivering that by the end of June. There is no reason why we cannot deliver something. There might be 12 units of whatever it is that we are delivering, and if the team are saying that we are not finished yet, I can have six out in the public and we can work on the rest during the autumn to deliver another six by Christmas. I am not entirely sure. Someone in my team has just splattered their cup of tea over their computer learning that I have committed them to a very hard date.
Lord Bourne of Aberystwyth: Perhaps you could come back to us with something on that. That is great to hear.
John Edwards: Thank you. I will do that.
Q5 Baroness Pinnock: Your very full answers so far have touched on my questions, and I want to congratulate you on the way you are approaching data sharing. Being involved with a small charity that uses individual data has been a very difficult and challenging process. Your approach of reprimand rather than punishment will be welcomed across the country.
My question is about the NHS in particular—about structural barriers to data sharing both in the NHS, which you have largely answered on, but also between the NHS and other public sector bodies, such as NHS schools, NHS children’s services, NHS youth services, or even the justice system. What is the role there, and who else could be working with you to address those issues?
John Edwards: I have appreciated a working partnership with the Office of the Children's Commissioner. As I mentioned, I have met with Professor Chris Whitty today. I have also met with the National Data Guardian. All these partnerships are important in sending consistent messages about the expectations for responsible data use.
A related point—to hark back to Baroness Morris' question about how we celebrate the successes—before it fades too far in the memory, is that it is important for us to reflect on the success of the Government in using personal data to manage the pandemic in a very timely way. My office supported those initiatives and prioritised taking misperceptions off the table so that there was just a row of green lights in front of the initiatives that were necessary for pandemic management.
There is no reason why we cannot continue to act in that way, but I am concerned that there is a reversion to status quo ante. The NHS is an enormously complex data infrastructure; there are plans for complex responses to those challenges with the federated data platform and the like. I want to emphasise to the committee that these bold initiatives require a high degree of social licence, and there needs to be a level of transparency.
I do think there is sometimes a risk that at the centre we do not trust people to understand the value and importance of sharing information to deliver public benefits. The lessons of the pandemic highlight this. There was a high degree of social licence to the initiatives that I have described and which my office supported.
Where we see developments undertaken in stealth, we see suspicion. Without offering a diagnostic or a map between cause and effect, the failure of the GPDPR initiative to bring together NHS data may be an example of that. I urge the leaders who are planning these ambitious schemes to take the public into their confidence, to explain the value to be derived and the safeguards. When they do, I will stand shoulder to shoulder with them and say that the ICO is there to ensure that these happen responsibly and in ways that can be trusted.
Q6 Baroness Pitkeathley: Mr Edwards, you have a remarkable ability to second-guess the questions that we get and to answer them, which is to be greatly commended.
My question is about trust, which you have just touched on. You talk about trusting people, but also about the suspicion with which people view public authorities, which may know more about them than they would wish. Could you expand a bit more on what you are doing to ensure that there is no further damage to public trust, perhaps related to the suspicion about data sharing among particular minority and vulnerable groups?
John Edwards: Thank you for that. Last year, we launched a corporate strategic plan called ICO 25 in which we envisage our place in the world in 2025. We attempt to be the architects of our own destiny rather than passive recipients of stuff imposed upon us from outside. A significant part of that is about identifying communities of unmet need and not being captured by those with the information and resources only. I am very grateful for the question. It drives my curiosity about where the ICO reaches.
I can give positive and negative examples of trust. Let me begin with a negative example. I released a piece of work last year which I regret I cannot take the credit for because it was well under way when I took up my post. I was very pleased to see that the team had done some work on identifying aspects of the data ecosystem that were affecting people's right of access to justice in rape and serious sexual offence cases. We found that, for victims of these offences, law enforcement and prosecutorial practice were so traumatising, they were experiencing the process of making a complaint as a re-victimisation.
The failure there is one of trust, where certain police services or forces were acting in a way inconsistent with those victims’ sensitivities and expectations. They were going around collecting information from other sources that called into question their credibility or maybe created lines of inquiry for the defence council that would have been unwarranted. Those practices were contributing to the appallingly low conviction rate for those offences. In fact, they were causing women—there were men as well, but this is an area predominantly affecting women—to withdraw from those processes rather than access the justice to which they were entitled. We issued a report that called for a number of specific reforms to reduce those barriers to people accessing the justice system in relation to those offences. That is a negative example of how trust not respected can reduce public confidence in public services, law enforcement and public prosecution.
For a positive example, I would revert again to the pandemic. There was a high degree of public confidence in the ability of national health services to manage data in an appropriate way to minimise the impact of the pandemic. That perhaps led to a greater level of tolerance to information flows in that emergency. This high level of trust could have been abandoned if, for example, the security systems were insufficient and information leaked, stigmatising people and the like.
That is a good example of a virtuous cycle of trust enabling the more effective delivery of public services versus the former example being a vicious cycle of disrespect for fundamental human dignity, leading to an erosion of trust in a very important public service.
Lord Bichard: You are obviously someone who seeks out partnerships rather than wait for someone to come to you, but have you ever been invited to go to the weekly meeting of the permanent secretaries?
John Edwards: Are you referring to Wednesday Morning Colleagues?
Lord Bichard: Yes. Have you been?
John Edwards: Yes, I have. I was very pleased to have the invitation; I grasped it eagerly. It was great to take the opportunity to signal to them that we are there to support them, but I rely on them to prioritise this work. It is critical to their mission, and to realising the benefits of the data innovation strategy, to have data protection by design. It is critical to the delivery of their mission to prioritise it in their organisations, not just as a compliance exercise but as a core value.
Lord Bichard: It was getting across to them the message about sharing, which I think, instinctively, they would not have had. But it is great that you have been there.
Q7 Lord Willis of Knaresborough: First, thank you very much indeed. Can I just say, John, that you are a breath of fresh air when it comes to actually looking at this very tricky and incredibly important issue?
There is one thing I wanted to raise with you. It is about trust, about the NHS, and about children. Much of what you said—indeed, much of what the legislation said—was about sharing between professionals, getting an efficient exchange of vital information across professionals. Can I take you to a crucial group that constantly has major problems with the professionals—babies, in particular looking after them? If a baby is born, the professionals clearly are key to that, but so are the parents, particularly the mother at that point. In every major problem in maternity services, there has been a lack of access to data for mothers from the professionals. I wonder whether there is any way we can achieve a better organisation between those crucial two groups: first, the parents; secondly, the professionals.
John Edwards: The best medical advice I have ever heard is that the mother is the most reliable person for information about an infant, and that the mother needs good information about the infant’s health for the child to prosper.
I would be surprised to hear of barriers, but I shared an anecdote today about the potential for data. You are describing a micro-application of the delivery of service from one set of clinicians to one parent.
There is great potential for data to highlight anomalies more quickly in service provision. We saw an example of this in maternity services in Kent; had there been a national aggregation of data that enabled comparisons between services, you might have seen the patterns that enable more prompt interventions. In that case, perhaps they saw them but did not act on them promptly enough.
That macro level of analysis should be able to occur without compromising individuals’ expectations of privacy, but allowing the diversion of resources to inquire more closely where anomalies appear to be occurring.
Lord Willis of Knaresborough: In this case, it is also a question of professionals not accepting the mother as an equal in data sharing. I can understand when children are at school and there are other problems, but for a mother and a baby to be classified as not equal with the professionals who are working with her does not seem quite right to her.
John Edwards: Could I take the conversation back to Baroness Armstrong's opening question about the cultural barriers to information sharing? You are touching on a point here that we have not covered yet. Although I have my hands firmly on the levers of the legislation that has come through these Houses—the UK GDPR and the Data Protection Act—there are a number of other common law duties of confidentiality and ethical expectations on clinicians that also require clear leadership and clear messaging about the reasons for those and their boundaries.
I discussed that today with Professor Whitty and the National Data Guardian as well. It is predominantly junior clinicians who are confused by the limitations under which they operate. In committing a sin I do not allow my staff, I am making an assumption here about the factors that might be contributing to the phenomenon you have observed, of something getting in the way of the relationship between the clinician and that parent.
The Chair: Thank you very much indeed, and thank you to all members of the committee, too. At the end, we were beginning to stray into something that we have not been exploring at great depth so far, something another member of the committee who is not here today is very interested in: that is, how we use data to compare public service provision and outcomes and so on.
I appreciate that your main concern is how to make sure that the data that we have on individuals is used in an appropriate way for their protection and safety. We have also raised something else that is quite important in terms of the future of public services. There is always more to do. There is always more to think about.
We are really grateful to you for spending this time with us, and I am sure that the committee will want to continue a relationship with you so we can make sure that we do what we can to support the causes you have been talking about today. Thank you very much indeed.
John Edwards: Thank you.
[1] Staff from the Information Commissioner’s Office subsequently clarified that this was not a fine, but a reprimand, which noted what the fine would have been, had the new approach to public sector enforcement not been in place.