Select Committee on Public Services
The implication of the Information Commissioner’s code on data sharing for public services (Non‑inquiry session)
Wednesday 13 January 2021
Members present: Baroness Armstrong of Hill Top (The Chair); Lord Bichard; Lord Bourne of Aberystwyth; Lord Davies of Gower; Lord Filkin; Lord Hogan‑Howe; Lord Hunt of Kings Heath; Baroness Pinnock; Baroness Pitkeathley; Baroness Tyler of Enfield; Baroness Wyld.
Evidence Session No. 1 Virtual Proceeding Questions 1 - 17
I: Elizabeth Denham CBE, Information Commissioner; Steve Wood, Deputy Commissioner, Information Commissioner’s Office.
II: Martin Lennon, Head of Public Affairs, Office of the Children’s Commissioner; Clare Mills, Head of Communications and External Affairs, National Association for Voluntary and Community Action (NAVCA); Alison McKenzie-Folan, Chief Executive, Wigan Council, and Digital Spokesperson for SOLACE.
Elizabeth Denham and Steve Wood.
Q1 The Chair: Good afternoon, everyone, and welcome to this first session of the Public Services Select Committee in 2021. We are going ahead with three separate sessions, each of which deals with an issue that came out of our first inquiry and that we want to have a very quick look at in a little more depth, before we move into our next, larger inquiry.
I am pleased that today we have the Information Commissioner, Elizabeth Denham; Steve Wood, the deputy commissioner from the Information Commissioner’s Office; and then other people in the second session. Today, we particularly want to look at the work the ICO and the commissioner have been doing on new guidance on a data-sharing code.
We talked about this quite a lot during the last inquiry, and we were told by the commissioner that this would be coming. We are really pleased that that has happened, and that we now have this chance. It is not an interrogation; it is so that we know what has been happening with the code, the changes that have been made, and then what some of the people whom we expect to use it efficiently think about it. In the first hour, we are going to talk with Elizabeth Denham and Steve Wood about the new code. We will then move into another session, with a very short break between them.
I want to start the questioning by welcoming the commissioner. I am really grateful to you for giving up your time to come again. I know that the Government and other stakeholders need to respond to this; there is a lot of thinking going on. We just wanted to get a feel for where it was going so that, when we make our decision about our next inquiry, we have a better handle on where data sharing is at the moment.
In the last inquiry, lots of people said that they were not sure about data sharing, were not clear about what they could and could not do and felt that several things had not happened, because there had not been the data sharing that they felt there should have been on particular issues going forward. A lot of it amounted to confidence that they would be doing the right thing. I wanted to ask you how you think the new code of practice will tackle the lack of clarity and certainty that those using the code felt.
Elizabeth Denham: Thank you for the invitation to the committee. I congratulate you on the report, which my team and I have been poring over, particularly chapter 8 on data sharing and our mandate. I am really proud of the work that my office has done in the past year to develop the code and a suite of tools that has been published alongside the code. I wanted to at least remove the barrier that stakeholders have spoken about: that there is no legal clarity in how to share data and whom to share data with. When we look at the pressures and barriers to data sharing, we talk about legal, cultural and technical barriers. I am interested in what stakeholders have to say, but we hope that the code is accessible, uses case examples in specific contexts and has plain, accessible language.
The last thing we wanted to do was write a legal tome or thesis. That said, the code itself is directed towards data protection practitioners, legal counsel and those working on data sharing in public bodies. Then the checklist, myth-busting blogs and interactive tools are to be used by front-line staff. We did not just release a tome. We released some tools and how-to kits to help in certain contextual situations. Think about law enforcement, for example, or health and social care.
We talked to over 150 organisations. We consulted widely on the development of this code. The code takes account of the changes in data protection law since 2011 when our last statutory code was drafted. It is also accompanied by how-to materials. It takes account of the Digital Economy Act 2017 and the new legal pathways in that statute. I very much hope it is in plain language. The tools will evolve as we hear back from stakeholders.
The code was published in December. For me, that is phase 1. It is a milestone, not a conclusion. We are waiting for a response from government. We are waiting for more detailed responses from your Committee. We are keen to have input from you and other stakeholders.
Steve Wood: Good afternoon. We have doubled down on the key messages in the code, reflecting what we have learned over the last few years and making sure throughout that the key message is there that safe, proportionate, fair data sharing is enabled by the law. There are some practical steps organisations need to take to ensure that the public has trust and confidence in the data sharing and the accountability is there. The code guides people through that, step by step.
To say a little more about stakeholder engagement, we have worked hard, particularly with certain sectors that had already approached us. The law enforcement sector in particular was very proactive with us. We have already developed a lot of extra tools to go around the code for that sector. We have worked with the Metropolitan Police and other law enforcement stakeholders to develop things that work in a sectoral context. It has to be a partnership in tackling that work.
We know there is more to do, and we continue to work with different sectors. It is the breadth of the public sector that we are dealing with here; it is lots of different sectors. There are tens of thousands of practitioners in reality. We know we have more work to do to get the messages out. Equally, we know that some of the most complex and challenging scenarios are where it is cross-sectoral data sharing between agencies from different sectors. We are keen to make sure those messages are joined up into one overall document, which is what the code tries to do in the navigation we provide for practitioners to find the information they need, whatever sector they are based in.
The Chair: What you have been saying about making sure that people know and understand the code is really important. Do you have any specific proposals for how you are going to consult with the sectors?
Elizabeth Denham: Now that we have published the code, there is still a step that involves laying the code before Parliament. We have been assured by DCMS that the Secretary of State will get the legislative slot to do that in the coming months. We know that people were clamouring for the code, so that is why we published it, but it gives us the beginning of what I am calling phase 2, the socialisation of the code. That means we have to communicate it widely. We need to engage not only with the practitioners, but with chief executive officers in local councils, the voluntary sector, central government and the health sector.
Data sharing does not stand alone. It is part of data protection responsibilities. Accountability and leadership are really important because we as a regulator cannot educate everybody on the front lines. We have to rely on a coalition of the willing that is going to keep on this task. It has to be sustainable. It is not a one-time educational programme; it is an ongoing engagement that we and government need to have with all the sectors. It is a massive task, especially when it comes to culture change within organisations and maintaining the trust of the public in data‑sharing activities.
The Chair: Thank you. I forgot one of my responsibilities earlier. Because this is a one-off session, can I remind colleagues that, if they have an interest, they should declare it when they begin to ask their question? This is going to be your only opportunity to do that.
Q2 Lord Bichard: I should preface what I am going to say by acknowledging that this is a big step forward. This is a milestone, not a panacea. You know I am onside. You have been very brave to give data sharing more of an emphasis and we talked about this offline after the last meeting. If what I am about to say appears sometimes critical, it is from the position of a constructive friend, I hope.
We heard from a number of witnesses in our first sessions that the problem that we faced here was risk aversion. People were very risk averse where data was concerned. They also lacked confidence, as the Chair was pointing out recently. I know we have a lot of socialisation to do. Do you think that this document in its current form is going to successfully tackle the issue of risk aversion? Rather than leave it as a general question, can I ask you to focus on data sharing and children, which for me is one of the most important areas? We came back to it quite a lot in the inquiry.
When I look at the code, I am struck by the negatives in the wording. The “at a glance” section starts by saying, “If you are considering sharing children’s personal data, you must take extra care”. That is right; you should. Then it goes on to negatives: “do not disclose”; “sharing children’s data with third parties can expose them”. My point is that this is quite negative language and people need to have their hands held if they are going to go forward.
You could have had said, “You can share children’s personal data if it is in the best interests of the child”, which for me is the fundamental point. A lot of people do not get that. They do not understand that you can share it if it is in the child’s interest. You could have gone on to say, “You cannot say children’s personal data if it is primarily for commercial purposes”. In other words, you could have held people’s hands rather more as they embarked on what for them was quite a risky process.
I wonder whether you feel, as obviously I do, that the tone is not yet quite right. There is a bit more work to do, which may mean producing checklists for people, really simple stuff looking at the particularly important areas. For me, children are. If you look at every child abuse inquiry for 30 years, the problem has been that people have not shared data. We have to get this right. Could we have another look at the tone and language that we have used to help people tackle this? Sorry, it is a long question, but as you know I feel quite passionately about this.
Elizabeth Denham: I do think of you as an important critical friend to look at the code and our checklist. There was an effort in the drafting of the code to get away from some of the lecturing and negative language. I am absolutely willing to look again at that section. I agree with you that there is an ongoing concern about sharing children’s data, and in fact vulnerable people’s data.
When the ICO undertook an audit of the Department for Education after a data breach in which it was shown that a contractor had shared information for commercial purposes, that raised our attention. We did a fulsome audit. We looked at how the national pupil database was used. The Department of Education, at the end of the day, came away with a much better approach to data governance and sharing information of children.
There is more work to do, but I take your comment. I will go back and look at that section on children. It is particularly important that people understand that, in law, there is no legal barrier to sharing information when it is in the best interests of the child.
Lord Bichard: That seems to me such an important point to get across right at the beginning, so that people are enabled and encouraged to tackle the problem. We also heard from the Children’s Commissioner that it is not just the data legislation that impacts upon these issues. There is also the Children Act 2004, which practitioners will have in their minds when they are coming to this, but I do not think it is mentioned in the paperwork. I wondered whether you felt that that was an oversight.
Finally, this is something I have had personal experience of. There is a real problem in getting people to share data downwards, in other words local authorities sharing data with voluntary groups or individuals, or the Government, as we found consistently, sharing data with anyone, local authorities in particular. You might think about addressing those sorts of practical problems in the guide, if you were to have another look at it.
Steve Wood: I would echo what the commissioner said. Our intention is to give that enabling message in the code. It is particularly there in the opening sections of the code trying to set out what can be done to enable data sharing. We will certainly take those points away to make sure that the tone is right from the start.
The issues we see with children’s data will often involve consideration of the Children Act. It is important to say that we do not see a conflict between the Children Act and data protection legislation, although there are two considerations that need to be made. Public bodies that are operating under the Children Act and have obligations to meet there will also need to consider the lawfulness under that piece of legislation, and then go on to consider whether they can meet the requirements of the Data Protection Act.
The message from us would be that, if data sharing is necessary and lawful under the Children Act for safeguarding of children, it is likely that you would be able to work through the requirements and safeguards in the Data Protection Act and go on to share that data. However, because there can be some considerations about what those triggers are, and whether the particular requirements in the Children Act for safeguarding are met, there is sometimes discussion about whether the sharing is lawful under the Children Act. We are aware of this.
For the next phase of our work, we want to work closely with the Children’s Commissioner and the local government sector to make sure that there is additional sector-specific information to cover these particular areas, as we have done for the law enforcement sector. We were aware that it had some particular areas that needed to be covered in more detail, which we set out as part of the hub.
Yes, we recognise the need to do more in this area. We will speak to the sector soon. We are aware that you have the witness coming from the Office of the Children’s Commissioner later. We have a good working relationship with the Children’s Commissioner, and we will follow up on this area too.
Elizabeth Denham: This discussion underscores the breadth of the kinds of data sharing for public interest service delivery that we are trying to grapple with under the data-sharing code. On children, I am hearing very clearly that this is a further area in which to evolve our toolkit, and we are committed to doing that. Most of the members will know that we have been laser focused on children and data protection in the development of our age-appropriate design code. We have focused on law enforcement, and the Met Police in particular are very pleased with the toolkit that we have developed. I would like to hear the same if we can collaborate with the Children’s Commissioner on that.
Sharing data downwards is something that I know the committee has heard about. We have read about it in the newspapers. Data protection is not the cause of those barriers to data sharing from national to local. My office is consistent in saying that, if sharing data downwards is done properly, the law does not get in the way. If other cultural or organisational issues are preventing efficient sharing of data, that has to be addressed as part of this conversation. The committee’s report recommended that the ICO and the Government work to resolve these difficulties. We will be discussing this further, now that the Government has our data-sharing code and our tools, but the ICO is keen to be involved in that work.
This issue was highlighted in 2020, when, suddenly, there was a necessity to share information quickly downwards, either from national government to local government, or from local government to community groups. We could not have appreciated quite how challenging that was going to be and people were scrambling. A lesson learned from 2020 is that this is a golden opportunity for us to rethink how information should and can flow between levels of public administration to benefit people. I appreciate the question and that this needs to be part of the conversation.
Lord Bichard: I know you are facing cultural problems across the piece. They are not of your making, but they exist. There is a mountain to climb if we are going to make people confident enough to share data where it is needed, particularly for children’s benefit. Therefore, we have to get this right. This is such an important milestone that there is a bit more work to do on it, but that is for you.
Elizabeth Denham: I completely agree that there is more work to be done. A milestone, not a conclusion, is getting the code out there. But there need to be deep conversations about the necessary sharing of information so that public service can be administered effectively. We have seen that local governments, schools and community groups need the right information at the right time to be able to provide the service. I completely agree with that.
In order to remove these cultural barriers, in some ways it is a shame that we no longer have the Centre of Excellence for Information Sharing, which was an organisation that could convene these conversations. One of the things to talk about is how and with whom these conversations can be convened. I notice today that the Cabinet Office has announced a new office that will focus on data and digital, with three new executives focusing in this area. I look forward to working with this new team to have that conversation.
To Lord Bichard’s point, we know that the ICO has a strong, impactful voice in this arena. We will do more to point out and build a narrative about responsible data sharing downwards, if you want to use that phrase. Everybody knows what that means.
Q3 Lord Hunt of Kings Heath: Thanks to the commissioner. The work you are doing now is really important. I must declare an interest as president of GS1, the barcoding association, as we are talking specifically about information.
I used to have responsibility for the Health and Safety Executive as a Minister. There are lots of parallels, in particular that there is a whole industry around giving advice to public bodies that is utterly risk averse. I wanted to emphasise what Michael was saying. There is a huge task ahead. If you go in at the senior level, you will find a lot of people who will welcome this. Up and down the country, there are hundreds and hundreds of people giving advice on data protection, most of whom are very risk averse. I would like to hear a little more about how you are going to tackle this.
The Chair: Can I bring in other colleagues? Then we can wrap this bit up.
Q4 Baroness Pitkeathley: I want to ask the commissioner whether she agrees that it is important to share information not just downwards, but crossways. Referring to Lord Bichard’s point about the child abuse inquiries, the key thing was staff not sharing it across agencies, as well as up and down their own agency. Health workers were very risk averse, for example about giving social workers information, and even more risk averse about giving it to the voluntary sector. Would you agree that that is also a very important point?
Q5 Lord Filkin: Thank you very much, Commissioner, for your quick response to our, at times, challenging report and questions. I am on the same page, essentially, welcoming the draft code and recognising that there is more work to be done to ensure that it focuses on practitioners’ actual behaviours and problems. It is good that you have responded that way.
My question is essentially about the scale and nature of the problem. I am sure what you are doing is a move in the right direction, but I doubt whether it will be sufficient to fully redress the problems that we exposed during our relatively short inquiry. What would you like to see done, either by government, or perhaps by a parliamentary committee such as ours, to expose the nature of the problems and to put you in a position to monitor whether improvements happen?
The Chair: I have asked you to handle rather a lot in one answer, but never mind.
Elizabeth Denham: May I start with the most straightforward answer? I agree that there is risk aversion in sharing information across organisations, especially when two sectors are involved. It is just that the question I had was about sharing information downwards, but I understand that it is also across organisations.
Do I realise the scope of the problem? Yes, absolutely. Have we gone one step in the right direction? Yes. Our work is mostly focused on practitioners and front-line staff. I understand that we need to work on the risk aversion and the industry of legal practices and consultancies that are emphasising the risk of sharing rather than the risk of not sharing.
This is a long-term fix. I am making data sharing one of our biggest priorities, along with children. The two that we just talked about go hand in hand. As long as I am commissioner, it will be a priority of my office. I have said that I need to talk to senior executives in organisations, especially those who run common or integrated programmes in service delivery, so that they can understand the permissive nature of data sharing when it is in the citizen’s interest. It is a long‑term task, but we have something solid to start with. Then we need to bring together the practitioners and chief executives. I am committed to doing this work.
The ICO can be a strong voice but data sharing is a team sport. We need other leaders in organisations and government to get behind this. At the end of the day, we are the regulator. We have a statutory responsibility to take complaints about data sharing from individuals and to resolve them. We cannot be the leader or the convener, but we can be a strong partner to other organisations doing this work. I look forward to the advice of the committee on how we can monitor the effectiveness of socialising and removing risk aversion from data sharing.
Steve Wood: I would add something about sustainability. Observing the 10-plus years that I have worked at the ICO and how the question of data sharing has arisen, we can see a lot of cross-sectoral initiatives and projects on data sharing. Issues come and go, and sometimes they are issues that concern the public about whether data has been breached. We have to build these messages week in, week out, and make sure that this is not too project-based, in that things happen, good projects are set up and then the benefits are lost.
It takes some investment at the start to get the governance right for a good data-sharing programme. Once it is in place and the confidence is built, the data sharing can take place in the timely, quick manner that is needed, particularly to safeguard children. I am keen to stress the importance of a sustained, long-term programme that has that overall co‑ordinating mechanism in place and, as the commissioner said, every actor playing its role. We need to play our very significant part as the regulator, but a long-term project is really important.
We should build on the good practice we see out there. For the data sharing that goes across different partners, we have the multiagency safeguarding hubs in the child and adult safeguarding contexts. They are often called MASHs. Quite a number of those have been set up across the country. Where the investment has gone in, they have been set up for the long term. They are operating well in some areas, but it is about consistency and making sure that it is embedded across the country in all those scenarios. There are some good foundations and roots out there, but we have to use this opportunity now to get the message out.
Q6 Lord Bourne of Aberystwyth: Thank you to the commissioner and deputy commissioner for the work you have done. I acknowledge the very important progress that has been made. Great work has been done; more, as you rightly say, needs to be done. It is a milestone. To coin a phrase, it is a process, not an event. That said, when we were preparing for this session along with our officials, none of the stakeholders we were speaking to knew that the new code had been published. That needs to be put right if we are going to tackle this risk-averse position that we are in. They need to know about it.
I wonder if you could tell us something about the communication and engagement strategy that you are no doubt putting in place now to make sure that you can get that feedback and we can communicate. You talked about the law enforcement agencies, but, as you will know, we are very concerned about the urgency of ensuring that people are aware that they can share data quite legitimately.
Elizabeth Denham: I am finding this session extremely helpful, because we have been in the weeds, working on this data-sharing code, for almost a year and talking to over 150 organisations. The realisation of the scope of socialising and communicating the code and its suite of tools is our next challenge. I mentioned at the beginning of the session that we still have another milestone to go, and that is the laying of the code in Parliament. Once it is laid in Parliament, we plan a bigger communication splash than we could have when we published the draft code just before Christmas.
Those who are closely watching our work in this area, practitioners, data protection officers, et cetera, have been already diving into the detail. We can see that from our web statistics and the kinds of social media commentary and links that have been shared. I hope that the practitioners and others watching our work are going to suggest ways to enhance the kind of tools that we put out there. It is not just the ICO that needs to get these messages out. I know that the publication has not made a splash yet, and we are looking forward to the future when we can amplify our communications once it becomes a statutory code.
I talked about our suite of tools and our hub of resources. The idea is that those resources would provide a contextual, sector-specific, layered approach to the kinds of checklists, tools and advice that need to go out there. I am certainly not sitting back and expecting organisations just to come to the ICO to seek what they need. We will proactively push our messages out there on social media with our Data Protection Practitioners’ Conference in April, which attracts over 5,000 practitioners. We will get the message out there in every policy line and every speech that I give.
I want to underscore that we have just finished phase 1 and we are entering phase 2. We are certainly open to any suggestions the committee might have to further engage those in the field. We want to mainstream data sharing and that is really what we are talking about here. How do we make this a mainstream issue? How do we make it a permissive issue and have people understand that there is a risk in not sharing data? It costs lives or opportunities, or leads to a failure to discover by the public sector.
Lord Bourne of Aberystwyth: I am reassured by that. We will no doubt be watching it like hawks to make sure that it is having the desired effect, but I thank the commissioner very much indeed.
Q7 Lord Davies of Gower: Good afternoon. Thank you very much indeed for your answers today so far. You have alluded to the question I am about to ask in some of your answers so far. I accept that the new code is very helpful, as are the several case studies. How will you work with government and public services to address the cultural, technical, and organisational factors that inhibit data sharing?
Elizabeth Denham: This may be a small and underappreciated point, but the ICO plays a niche role in data sharing. Not only are we in receipt of hundreds of thousands of complaints from the public every year, some of them about data sharing, but we get inquiries and organisations seeking advice from us on data-sharing initiatives. We have intelligence that is about what the public, voluntary and private sectors want to do with data sharing, but also what the public might be concerned about. That puts us in a very strong and important place in the dialogue, debate and discussions about data sharing.
In any given period, and take the response to the pandemic as one of those, we have a lot of data about what the public complained about, what they did not complain about, and what they were complacent about or comfortable with. I see that as a niche for the ICO, but I want to emphasise that we need a coalition of interests and leadership—parliamentarians, government officials and the voluntary sector—to address the risk aversion that we see across organisations. It is a team sport; it cannot just be the ICO. The ICO brings some value, but we are not the only player.
Wearing my regulator’s hat, I heard in the previous session of this committee that people might be afraid of sharing data because the ICO might take regulatory action against them. As a regulator, I obviously cannot compel organisations to share data, and that would not be appropriate. We have never taken action against front-line staff or organisations that are trying to do the right thing in sharing data. What our organisation does is 75% help and advice, and 25% the kind of regulatory work that we need to do.
Given the consultation that the Government have initiated on the national data strategy, with ministerial leadership from the Cabinet Office and DCMS, now might be the right time to get this coalition of interests to really attack the problem, work on the culture and get organisations to be more comfortable with data sharing. I can play a key role; I just cannot lead because I am a regulator. I just wanted to let you know that that is very much in our mind.
Lord Davies of Gower: On the issue of the pandemic and being afraid, I think you previously told us that you did not understand where the fear was coming from. Clearly, there was fear during the pandemic. Could your office have done more to address this by being more explicit as to how information could be shared during the national emergency?
Elizabeth Denham: From a policy perspective, we gave a lot of advice to organisations on various types of data sharing.
Steve Wood: Right from the outset, going back to March of last year, we put some quite clear regulatory statements out from the ICO encouraging organisations to share data in the public interest and making the central messages clear that data protection law was not a barrier to it. We also opened up our resources to organisations to assist them. We stood up a dedicated team at the ICO to take contacts from public bodies.
I have had lots of different questions and concerns about whether they should share data in certain circumstances. To take one example, we engaged with different parts of government and the retail sector about sharing the shielding list so that people could get the delivery slots they needed. That made a real and fundamental difference. When everybody worked together on that, we were able to break through. The ICO played a role in giving advice, and that happened pretty quickly. We sought to get that message out there that we were going to take a sensible and pragmatic approach as a regulator, emphasising what the commissioner just said.
In those situations, we do not have a track record as a regulator of being unfairly punitive. We will often take a step back and say, “This is a situation of lessons learned”, rather than issuing a punishment if appropriate in a particular situation. We have sought to do that but, if those messages are not getting across, we can continue with our next phase of work to make sure that they are getting out there. We recognise the public interest of this continuing.
Lord Davies of Gower: That is good to hear. Thank you. The thrust of my question is based on the fact that we had a great deal of evidence from a variety of organisations, both governmental and third sector, that frankly seemed unsure about where they stood. That really was the question that I was asking. Would you agree with that?
Elizabeth Denham: In our regulatory action policy, it is clear that we are not a punitive regulator. The only time we have prosecuted individuals for data breaches has been when they have stolen records to be used or passed on to criminal gangs. The public would want us to take action in those cases, but when it comes to getting things right we are much more involved in advice. In fact, we have been criticised for how often we are giving advice to organisations, particularly public bodies, and not acting when things go wrong.
I am committed to doing whatever we can to remove that fear, which you say is real, when it comes to sharing of data. Then we can work across the technical, cultural and legal issues together.
Q8 Baroness Tyler of Enfield: I declare an interest as a non-executive board director of Social Work England. It is directly relevant to the question I would like to ask the commissioner. You talked about working with a coalition of interests to promote the message about appropriate data sharing. I wondered what role you thought that other sector-specific regulators—Social Work England is one for social workers—might have to play in this arena. We are involved in setting professional standards, competencies, fitness to practise and all that.
In getting the message across that this is a key part of the role of front-line professionals, including social workers, could we and other regulators do more about these cultural barriers?
Elizabeth Denham: It is in our plan to work with both sector leaders and other regulators. We have done quite a lot of work with the national data guardian, Dame Fiona, in sending out that message jointly to health authorities and health bodies. Certainly, other regulatory bodies can help us put it in context. They know their sector, whereas we are a horizontal regulator. We just cannot know everyone, and we do not necessarily know the right messages or the right issues. It is a sector-by-sector coalition of interests that can get some basic messages out there about the downside of not sharing data. That is critically important.
When it comes to law enforcement, we have done a lot of that work, but we need to do more work when it comes to social care and health, children services, et cetera. Universities also have some significant issues about suicidal students and sharing information. There are different issues across different sectors, but the regulators can absolutely help us.
Steve Wood: It is really important for us to continue that collaboration. Professional and regulatory bodies can also help with embedding into training. We have had success on that in some areas, but we could do more. If confidence and knowledge are built during those stages and the right information is always available for professionals as they develop their career, we know the value of that. We will continue to focus on the support we can provide. We have done it, for example, in working with the College of Policing. We know what happens in that area. We have tried to do that in the health sector in the past as well.
Q9 The Chair: We have to appreciate the difference between your role as a regulator, and your role in ensuring that people understand the issues and how to act in a way that benefits the citizen, whether that is a child or an adult, come what may. You have given some interesting, and I think very useful, case studies in the draft code. I wondered if you were thinking of going a bit further and providing a toolkit for public services about what they can and cannot do, to help them into this. Instead of just thinking, “This is too difficult. We can’t do it”, they can work through what might be possible.
Elizabeth Denham: Case studies are really powerful, and much better than standing on a podium and saying, “You must do this. You must not do that”. Working through case studies is an excellent way. When we published the code, we published the hub of materials that were ready. It is an evolving toolkit, and we need many more case studies, which will come in phase 2 of the work. That is really how people learn.
It is an excellent point that we need more. We need practitioners and professional bodies to give us more examples. As you know, this is more than a full-time job in focusing on data sharing. We are a regulator that is also responsible for data security and overseeing the public, private and voluntary sectors. It is a critical part of our role and I am committed to continuing to do this work, and I know that my executive is committed to it as well. I look forward to getting more input from your committee, and hearing how you think government should support this work, especially in removing cultural barriers.
The Chair: Thank you very much indeed to both of you for coming. As I said to you at the beginning, we know that this is not even the end of the process of the draft code, but we felt it would be useful for us to have another think about this before we agree on our next report. We appreciate that you have a lot of other people you need to talk to, so we really are grateful to you for coming along. I hope that we can be helpful, because I know that we all have the same objective in mind. It is a question of how we get there rather than disagreeing about what those objectives are. Thank you very much indeed.
Examination of witnesses
Martin Lennon, Clare Mills and Alison McKenzie‑Folan.
Q10 The Chair: Welcome to this second session of the Public Services committee today. We are looking at the new draft code from the Information Commissioner. We have three people who use the code to understand how they can effectively data share. They work with organisations to make sure that they can do that.
Will the new code that we have been talking about have a significant impact on reducing barriers to data sharing between public services? Where do you see that at the moment?
Clare Mills: I am the head of communications and external affairs at NAVCA, the National Association for Voluntary and Community Action. We are the membership body for local sector support and development organisations, which you might know as councils for voluntary service, community action or voluntary action. We seem to have as many different names as we have members.
We have nearly 200 members and, between them, we estimate that they support at least 180,000 local charities and voluntary groups across the country, helping them thrive and deliver essential services in their communities. Our members work very closely with their local authorities, CCGs, the police, police and crime commissioners and other statutory bodies. I am here today not only to talk about my own experience as our data controller in our organisation, but to talk on behalf of them.
The first question was about whether it will have a significant impact in reducing barriers. I hope so. It is important to recognise that public services are not just services commissioned or provided by the statutory sector. A whole range of other actors are involved. I particularly welcomed one statement in the code that said that sometimes it can be more harmful not to share data. I hope that message will come out loud and clear to everybody across the voluntary and community sector, local authorities, CCGs and health and social care, because that is so useful. The information itself that has been published on the code I found particularly helpful, including the myth‑busting section, which will be crucial in telling people’s stories.
Q11 Lord Filkin: To summarise our previous session, we concluded that the new draft code was desirable, but much more was going to be needed. I would like your assessment of what more needs to be done. Is it clear who is responsible in government for trying to ensure that data is properly shared in the interest of the public? If it is not clear, who else needs to act to improve the situation? Although nobody has done a systemic analysis, it is pretty clear that there is a big problem. I would welcome your perspective on what more needs to be done, whose job it is in government and who else needs to act.
Clare Mills: The thing that needs to happen is education of data control. I am a data controller and, maybe it passed me by, but the first I heard about this code was when one of your clerks asked me to come along and speak to this session, having responded to a request. I did a quick poll of our members’ chief executives. Around 20% of them responded, which was not bad. I gave them an hour. Of those, 80% had not heard of the data sharing code.
I know that it came out just before Christmas and we are in the middle of a pandemic, but we need to make sure that those organisations know about the code so that they can support the 180,000 groups, which probably all have data controllers, and make sure that they are aware of it. We would love to put on a session with the Information Commissioner’s Office to help educate and share that knowledge. At the moment, we need to get some more public messaging out there. There was so much information and awareness raising around the introduction of the GDPR and I would like to see a similar level in relation to this.
Lord Filkin: I am sure you are right that the code needs to be publicised and data controllers need to be much more sighted. We are asking wide questions than that, though, because it seems that there are a whole range of other impediments that go wider than just the attitude of data controllers. Do you have any views on that?
Clare Mills: I was not able to listen to the whole of your previous session, but I kept picking up words in the background in relation to risk aversion and risk awareness. That is the cultural issue that needs to be addressed. It is not even about organisations, because individuals make decisions within organisations. We need to create cultures where everyone is aware of risk but not necessarily averse to risk.
I keep coming back to that one statement that sometimes it is more harmful not to share the data. That is where we need to get into local authorities, particularly health and social care, to ensure that they understand that they can share data and that sometimes it is much less harmful to share data than not to share it. It can be a really positive thing to improve outcomes and keep people safe.
When people are looking at their risk assessments in relation to data, if they are putting the data subjects at the heart of that risk assessment they will probably conclude that, in many cases, data sharing is the right thing to do. If they are putting their own organisation at the heart of the risk assessment, they may not. It is about making sure that the data subjects are the primary focus of risk assessment as part of this.
Lord Filkin: Thank you. That is extremely helpful. It perhaps suggests that Ministers need to see themselves as responsible for data sharing as well as just for data protection. The same would apply to chief executives of a wide range of public bodies.
The Chair: Can we therefore move to a chief executive, so that they can answer the question too?
Alison McKenzie-Folan: I am chief executive at Wigan Council in the Greater Manchester Combined Authority region. I am also representing SOLACE, the Society of Local Authority Chief Executives, which is a leading membership network for the local public sector and local councils. Thank you for the invite and for being able to share views.
I was able to listen to a bit of the session earlier. Sorry, I was on some other meetings. The global pandemic has brought data sharing into sharp focus. It has been central to what we have been doing in terms of economic and social benefits, innovation and the delivery of joined-up services. More fundamentally, as Clare was saying, data sharing is about how we save lives. One of the leadership issues is about understanding what these barriers are across all our organisations and sectors. It is about being courageous and promoting a no-blame culture.
With staff and people who are involved in information governance and data sharing, it is about not always needing permissions. The first priority should be to share rather than not to share. Trying to get that message through at all levels across all organisations is really key. The risk of not sharing data is particularly important. Often, our citizens think that we already do. As for this issue of residents and citizens being concerned about how we share data and Big Brother, the expectation is that we should be sharing that data across organisations.
We welcome the code and what has been produced. It provides clearer guidance and will help to overcome some of the barriers, especially the cultural ones. The toolkits will help in interpretation, particularly of the minefield of legal documents. In local government, our resources for information governance are limited. There are capacity issues, so we welcome a clearer way of engaging and trying to supplement best practice.
One of the issues is about people being hypersensitive. People are frightened of getting it wrong and what the outcome might be if they do. It is about flipping that over to see that citizens and society need to be at the centre of our decision-making, and that is why it is so important to share data. As Clare said, we need to do much more promotion of the code. We are all working really hard on the pandemic response, so we have not been able to go into the code, look at it, raise the awareness or do the communication. We need to collaborate and do much more on that together across all organisations. It is important to get citizen engagement.
There is a lot more that I could say, but I am conscious that other people might want to come in. There have been lots of examples during the pandemic of how we have been able to share data. Initially, there were still big problems with the barriers. We need to get that data flowing between organisations, free ourselves from the consent issues that we seem to get bogged down in, and play our part together. We have shown that, particularly on shielding data, once we join that up across the private and voluntary sectors, local government and the NHS, we can do unbelievably marvellous things to protect people who are socially isolated and those who have not been able to get their prescriptions or do their shopping. We have done a whole host of things. It has shown how powerful it can be by bringing that data together.
Martin Lennon: I work for the Children’s Commissioner’s for England. We are a statutory body looking after children’s interests and rights. We have a cross-government remit. We look mainly at vulnerable children and children in care. We have a statutory data power under the Children Act 2004 to request data from any public body. We use that power, primarily, to create our children database, which is national data for local authorities on risks to children. We now have 100 indicators. We work a lot with various parts of the public and voluntary sectors on protecting vulnerable children in the broadest sense of safeguarding. That is mostly where my comments will be.
The specific question that Lord Filkin raised, about who the lead for this is, is a very good one. Ultimately, the benefit for data sharing is realised in improving children’s outcomes and safety. That is not the primary purpose of the ICO. The ICO is a partner in this, but the lead probably needs to come from government, particularly DHSC, DfE and the Home Office. Where we see the limitations of the code, it is in that specificity, specifically with regard to children.
The code’s accompanying documents are not as good as they could be. It was really helpful to hear the ICO talk in the earlier session about the specific documents it has on law enforcement, for example. I would like to see that same kind of specific document on children’s services. Once you have that level of knowledge in the ICO, you see it reflected in the code. Lord Bichard made some really important points earlier about the language in the code on safeguarding. The language on law enforcement is much clearer. There is a presumption that you should share. I would like to see that reflected across in safeguarding, because we need that sector‑specific knowledge about children.
A lot of the issues are not in the code, and are not necessarily in the GDPR, in fact. I am sure we will go into this. In lots of the most egregious examples I come across of where information is not shared, the restrictive factor cited is not the GDPR; it is a misunderstanding of the Children Act. That comes across in the comments Baroness Pitkeathley made about sharing within the voluntary sector or between one public sector body and the voluntary sector. I do not think that the limiting factor is necessarily the GDPR, although it may be misunderstanding the GDPR.
Lord Filkin: Thank you. I thought that was very helpful and probably requires us to go away and think about who really is the focus for making these changes happen. It goes back to a point when we rather irritably blamed the Information Commissioner for not solving the problems previously. It cries out for a proper problem analysis, so that we know the nature of the problems rather than highlighting the failures. It may be that government should be doing the problem analysis or that we should. Until we know what the problem is, we are not going to get a right fix.
You are right that part of it is about individual departmental policy leads and Ministers owning their responsibility for promoting public data sharing in the public’s interests. That is lacking at present, from what I sense. Would you agree?
Martin Lennon: Yes. Particularly on children, the Government have taken some quite big steps but have not necessarily explained those steps to partners. I draw the committee’s attention to the Children and Social Work Act 2017, which reconfigured local safeguarding partnerships. There is a power deep within that for safeguarding partnerships to share information across them and to co‑op new members. Safeguarding partnerships can co‑op schools and members of the voluntary sector, and can share information either across the partnership or between two of its members.
There is a step there to explain to local authorities or local areas generally what that power allows you to do and how that interrelates with the GDPR. It picks up on the point Alison was making, which I totally agree with, about the lack of capacity to think through this. Do we want every local area to have to bring in lawyers to go through what it can and cannot do? Could we have a bit more guidance that everybody could access?
Lord Filkin: That is very helpful. Your evidence reinforces the view that the new code is progress but will not solve the problem by itself. It is a wider problem.
Q12 Lord Bichard: To reinforce that point, the ICO cannot solve the problem, but it can do a lot to create the problem or make it worse. We should not forget that. I agree with Geoff that it is important to have responsibility for change, but a code that is badly expressed could make the situation worse. Without leading my witnesses, I was trying to suggest to the commissioner that this code in its current form could make things worse because it is overcomplicated. Like others here today, I have managed social workers and people who are managing social workers. I know the pressure that they work under and the reasons why they are under pressure. They want clarity and to be able to refer somewhere to get enabling advice.
You will be glad to know, Chair, that I am coming to a question. I would like the three witnesses to say honestly whether they think this code is clear enough, is positive enough and will help social workers under pressure make decisions about when they share data. Do we want something different or more?
Alison McKenzie-Folan: We have already established that we need to do more in terms of the code. You are right that people want simple guidance. We have quick decision-making going on in our social work teams. They need to have assurance that they are making decisions in an environment where they are safe and secure, and to understand the legal complexities and challenges.
We need to go further, but it is also about communicating what is there. It is very early days, but we need to get the messages out. We need simplicity. We need to work together with the ICO, and all relevant partners and stakeholders, to simplify the messages, whether it is through toolkits, case studies, more training or communications. It is probably a combination of all those things. I certainly think we have a lot more to do. Giving examples of where we can do more is really important.
At a local authority level, we have been working for example on school readiness and risk stratification, which predicts when young children are ready for school. We would be able to do much more if we could share data with the NHS, bringing in health, hospital and maternity services data. We can be much more involved in early intervention and prevention, rather than getting involved in serious complex problems at the end. If we could get ahead of the game, and be involved in intelligence and sharing data across organisations, we would be able to respond, have much more joined‑up services and support our children, young people and families better than we do.
There are examples of good work going on across the country and we should not forget that. We can talk about those.
Martin Lennon: Specifically on the code, the exchange in the previous session was very telling. There are steps forward, but there are areas where we, like you, Lord Bichard, would like clearer language and specificity about safeguarding. I feel that it is there in law enforcement and is not about children’s data. There was a very telling response from both the commissioner and the deputy commissioner about how, if you are complying with your statutory duty, you probably have legal entitlement and are probably complying with the code. It could say that clearly. My own reading of the code is that, if you are complying with Working Together, you are probably complying with the whole code, because there are very strict requirements within Working Together.
The examples in the code are not problematic, but they are a bit simple. One is that you can use the code to share data if you are a private nurse and you are worried about an adult. It is not just that you can; you are under various statutory obligations to do it. In some areas, it would be a criminal offence not to share information because of your previous work, Lord Bichard. The example they give in the code for bad information sharing is where a local authority has shared information about gangs across partners. It does not really say why that was bad; it just says that it was. Those are the kinds of grey areas where it is much more difficult and you need the code.
There might be an occasion, for example, where the local authority told schools that children were in a gang and it was quite necessary for their welfare and their safety. The children-in-need review found that schools were routinely unaware that a child was open to children’s services and had a social worker. The DfE has still not managed to rectify that two years after the review.
There is a gap between the actual problems where data sharing is held back and what is in the code. I would like a degree of specificity, whether that is in the code or in an attached document. If I was being really picky, I would like the examples in the code to be more relevant to the topics that are causing bodies difficulty.
Clare Mills: As the code evolves, because I appreciate it is a starting point rather than a completed piece of work, we would like to see strong case study examples of actual events. That would help to address Lord Bichard’s point. We had a really good case study from our member in Hambleton, North Yorkshire, where North Yorkshire County Council, during Covid, appointed 23 trusted local charities to act as community support. They set up a data-sharing agreement with those 23 organisations and the council. It has been really useful for them to be able to refer across different charity sector bodies and voluntary sector bodies and with the council.
These were the exact words that came back: “We previously might have had problems in dealing with social workers, but now we can say, ‘But we have a data sharing agreement in place, and that has opened those doors’”. It demonstrates that it works. It still has more to do, but those real‑life case studies could be useful.
Q13 Baroness Pitkeathley: This question is about the legal basis for sharing information. You have referred to this already. I will come to you first, Martin, given your position in the Office of the Children’s Commissioner and what you have already said about the legal basis. In our first inquiry, we heard that services working with children have often struggled to understand the legal basis for sharing information because of the various piece of legislation about data on children. You have referred to at least one of these. You have already given us some of your views on this, so I would like a very specific answer about whether you believe the new code has addressed this particular problem about sharing and understanding the legal basis.
Martin Lennon: To answer the last part, no, the code has not, because it does not have that level of specificity. I do not know whether it is for the code to have that level of specificity or it needs to be elsewhere, because I appreciate it is quite a general piece. Alison will be able to give more detail, but the issue I come across a lot is the Children Act 1989. Most children come into contact with the Act under what is called Section 17, which is the child-in-need plan.
For the local authority to share information under Section 17, they have to get the consent of the parents. This prevents the routine sharing of information and prevents you putting a flag on the system. You can share information without consent only when you get to the higher threshold of a child protection plan, Section 47, where you are doing an inquiry to understand whether the child is at the risk of serious harm. That is only about 20% of the children who come into contact with children’s services. That came out in the children-in-need review, where they showed that schools routinely did not know that their child was open to children’s services.
A clear example of this in practice is domestic violence callouts. I am sure many committee members are aware of something called Operation Encompass, which is where the police tell the school if they have had a domestic violence callout during the night. I went to a very early pilot of a slightly separate scheme run by Vera Baird when she was the Northumbria police and crime commissioner. I went to a school in Ashington, and they could not believe how many notifications they had received, but they found it really helpful because form tutors would know before the child turned up and could help them. In some cases, they would decide, “We’re worried about this child already. We have a few attendance concerns. They are not quite at the threshold of referral, but we can now make it”.
The local authority was already being notified of these domestic violence callouts. It could not tell the school because it was Section 17 and not Section 47, but the police could. They are both bound by the code and the GDPR, but the limiting factor that local authorities cited was Section 17 and not being able to do it without consent. I know that some local authorities have found their own ways around that, but there is not that guidance to local authorities to say, “You should look at the Children and Social Work Act, et cetera”.
Alison McKenzie-Folan: I agree with everything Martin said. People found ways round it. Sometimes you have to do things that you think are right. In Wigan, and perhaps in many local authorities, we acted early on that. We are getting the information either via the police, or sometimes via ourselves, through to schools so they can act on domestic violence information. It has helped them to look after the children when they come into school the next day. There is a lot to be said for wrapping services around schools in order to make sure that we can get dataflows to schools, such as from GPs, and bring our place‑based services together.
I gave the example of school readiness and the data there. It is often a different way of engaging with parents. Sometimes they are afraid of what could happen as a result of data being shared. Engagement with citizens and parents, explaining the initial barriers and getting them confident in why you are doing what you are doing often makes it a lot easier. There are two things there. One is confidence from citizens, families and the public. The other goes back to the initial points about being courageous, getting on, doing it and finding ways around the things that we have done.
Baroness Pitkeathley: “Finding ways around” is a phrase that we will remember, I am sure.
Clare Mills: I do not have anything like the technical expertise of the other two witnesses in this session. As a parent, I am shocked and saddened by the complexity of that and the lack of joined‑up thinking, with the police having to contact the school but the local authority not being able to.
Baroness Pitkeathley: I am sure many members of the committee will feel the same.
Q14 Lord Hunt of Kings Heath: Thank you very much for the evidence you have been giving. To an extent, you have answered my question, which is about obstacles to the sharing of information. I wonder if we could turn to the health and social care sector specifically. Perhaps I can start with Alison, because I know Wigan has had a long tradition of integration between the health service and local government. Are there some areas in health and social care where you still feel it is very difficult to share information, which perhaps the code will not help with?
Alison McKenzie-Folan: Yes, we have been working hard on integrated place‑based working, particularly with our GPs, primary care, the hospital, the CCG, the local authority, the police and other services. It has been really important in bringing health and social care together. Through that journey, we have found lots of issues where we are very culturally different across the public sector. In our interpretations of the data sharing issues, we and the NHS look at things from different legal bases. Although we might think that we can share things, it often comes down to interpretation. The code can help with those cultural differences in interpretation. Maybe it needs to go into more depth and detail, but it is a helpful initial basis.
We need to be able to link health data. Covid has shown that we have been able to do that, where previously we have not. We talked earlier about the example of shielding data. One issue that we have not mentioned is the exclusion of health and adult social care bodies from the list of permitted persons in the Digital Economy Act. My understanding is that that still causes quite a lot of difficulties for our information governance teams and their ability to share. People often come back to the point that it is still a big barrier for health and social care, because it is not in permitted use.
We have tried to get around this by working together in an integrated way, whether it is on shielding data or vulnerable children and families data, to make sure that we can overlay those data sources. This is about how we deploy resources more effectively. We have shown through Covid how we can do that. I am hoping that, post pandemic, we can carry on with all the amazing work that has gone on. We need to be proud of it and think again about how we can be innovative. The code can do more on this, thinking about what we can do to document that and help with interpretation.
Clare Mills: We have identified that, when health and social care can and does share data with the voluntary and community sector, it can have an enormous impact, particularly if the local authority is also involved, in creating a lot more positive outcomes and support, particularly early intervention rather than waiting until things get to crisis point. As ever with public services, I hope that there will be a financial incentive to develop data sharing, even if no other motive.
We heard of a really good example, where Cumbria Council for Voluntary Service employs third sector referral co‑ordinators. Those posts are funded by the CCG and are embedded into the integrated care system. They are honorary NHS contracts, which means that the workers can access and input NHS data in EMIS in real time. The voluntary and community sector there has become a significant part of the health system. It has taken a lot of work and input from lots of different people to get to that point. We know that will have a big impact.
Alison mentioned shielding data. There was the opposite experience in a London borough I spoke to. When the NHS shielding data came out, probably a couple of weeks after the local voluntary sector and the local authority started to work on supporting people who would be shielding, there was a disparity between the numbers of people who would be shielding identified by the local authority and the local voluntary sector. I spoke to the chief executive. We could not remember the exact figures, but there were something like 10 times as many on the NHS list. They tried to plan and had to go back and replan.
If we bring data together, share it and think about using it as a preventive and precautionary way of working, as well as in response to crisis and emergency, we can see real financial benefits for the public sector, and benefits to the people at the heart of it, whose lives are going to be better because someone knew their situation.
Martin Lennon: I agree with all those points. I was thinking back to our experience of working on contextual safeguarding issues, particularly gangs. Health plays a really important part there, because mental health and SEND issues come to the fore. Three things repeatedly come up in our engagement. The first is the sheer number of health bodies. The CCG is now your statutory safeguarding partner, but it is not really the data holder. Some will be in trusts and GPs; some may be given to local care partnerships. For really complex safeguarding cases, it is at the single transformation programme level. Health visitor data, even though it is commissioned by local authorities, can be in any number of places. Many of the most egregious examples I have heard of difficulties integrating data come from health visitor data into local authorities.
The second concern, particularly from health colleagues, is about where information goes if it gets past the local authority. If there is a really serious case and they need a social worker to assess the immediate safety of a family, they do a referral. If it is at that lower level of Section 17—does that family need a bit of support?—I get the sense that some GPs and other health professionals think that they are just sending off a referral into the ether and they never hear anything back.
In contrast, when health visiting networks were within the health service and they could get the health visitor to do a couple of extra visits, they could see that support to that family. I have spoken to GPs who have said, “We have a family hubs network now that we can socially prescribe, so I can get the family a couple of visits from the family hubs network. I can get them a food parcel. I can see that practical help”. There is not always that visible help pathway that comes from doing a referral to children’s services. A GP wants to know what help a family is going to get. It is not always visible.
Finally, we still have a job to make sure that the NHS, at all stages, understands its role in safeguarding. It is now a statutory partner in the safeguarding system. Its role is not simply to refer cases to the local authority but to make sure that its services are there to keep children safe. Children are at greatest risk aged nought to one. Midwife services and the availability of perinatal mental health services can be just as important for a family as getting a social worker visit.
We came up against the NHS in our work on gangs. We looked at teenage mental health problems, communication problems, undiagnosed SEND and autism as risk factors. When we asked the NHS, “What are you doing in response to gangs?” the only specific action that it could cite in response to youth violence was that it had written to all acute trusts reminding them that, if a child came in with a serious stab wound, they were obliged to refer that to the local authority.
I have never known of a situation where a child has turned up in hospital stabbed and someone has not realised that that is a safeguarding issue. The NHS has a much broader role to play in safeguarding and child welfare then that. It is really important that commissioners understand that at all levels.
Lord Hunt of Kings Heath: The committee is doing a quick investigation. Thinking about the National Health Service, where could we best turn our attention? What is the core recommendation? Each of you has described areas where there is something lacking in the contribution of the NHS. I am sure it works the other way as well.
Martin Lennon: A good place to start might be the joint CQC-Ofsted local area inspections of SEND provision. They have now done a national programme. They have visited all areas and have done some thematic work. They were pretty eviscerating in many cases. The vast majority of local areas got pretty stern improvement areas, both to the LA and to the CQC. There were very common themes in there about identifying and co‑operating on need and sharing it. There is a question there nationally. Individual local areas are all having to respond to those letters. They are and things are improving. There is also the question of the national learning from this web of issues that have been pulled up.
Lord Hunt of Kings Heath: Alison, would you agree, add to it or suggest something else we should focus on?
Alison McKenzie-Folan: I agree. Fundamentally, there is not always a need to centralise things. We have seen that during the pandemic. Often, we seem to be playing catch‑up with the need for local information to aid local decision‑making. Needing to lobby for information to make decisions at a local level is not great. This central grip makes our jobs much harder on the ground. It is fundamental to get over that you can still control things at the centre while letting go of some of the grip, trusting local resilience forums and trusting local political or operational leaders to get on with the job in hand. It has been shown, in the way we have come together through the pandemic, how important it is to do something about it.
Lord Hunt of Kings Heath: Thank you. That was one of the themes of our first major report, so it is helpful to have that.
Clare Mills: I like what Martin said about national learning from particular issues. When you have a true partnership between the NHS, the local authority, local service providers and the voluntary and community sector, you can just achieve much more than if you have one body being the senior partner and being regarded as somewhat other. Fundamentally, it comes down to this. We are talking about data, but actually what we are talking about is people’s lives. We must keep that at the centre. What are we doing with the data? No. What are we doing about the people’s lives? The code is a tool to make people’s lives better by enabling us to share data. I hope we will see more of that.
Q15 Baroness Pinnock: It has been a fascinating session. When we were doing our report and discussing data sharing, and today, we have heard that, in the first stage of Covid, there was a great release of innovation, especially in local provision of services. Putting my other hat on, I am also a councillor and serve on the health and well-being board in Kirklees Council, so I understand what has happened. We have already heard from Alison that we hope we will be able to continue the innovation that has taken place because of the pressure of need in the months and years ahead.
I would like to know your wishes for data sharing in the months and years ahead and how the Government could perhaps change the direction that they give to the regulator. Let us start with that and what public service providers would like to see, from your three perspectives. Alison, it is a big issue for local government.
Alison McKenzie-Folan: A few years ago, I attended a Greater Manchester data-sharing workshop, and we were all given a pin badge that said, “Data saves lives”. I cannot locate it now, but I wish I had put it on today. That is probably the main message that should come out of this, both where we are now and where we look to in the future. The mantra that data saves lives will perhaps help us get through the minefield of the barriers we have been talking about today.
Going back to the question, there is a role for all of us across the public sector to promote and support the best use of data. It is really important to drive that innovation in data sharing. We need to bring together groups across the public sector much more proactively to focus on that. Innovation and sharing will be important. We have shown through the pandemic and the emergency that we can do that. There are no excuses now. We need to push hard and be much more proactive.
In MHCLG, we have been asking people to sign up to the local digital declaration, which has five priorities and objectives on openness, culture and values, and useful ways to build trust. Bringing that together with the things we have talked about today would be important, getting more people to sign up to declarations that talk about safe, secure and useful ways of sharing data, but also focusing on embedding an open culture and the right values.
We all have a leadership role, within central government and councils, to see ourselves as equal partners across the public and voluntary sectors and to promote that shared vision to collaborate. There is lots to do and think about. Hopefully that answers some of your question.
Baroness Pinnock: Clare, these last few months have had big issues for lots of voluntary and community groups. What is your perspective on this?
Clare Mills: I am certainly going to take away that data lives saves, Alison. Thank you for you that.
I would like to see leadership from Ministers across government, to promote the idea that data sharing is the way forward, is a useful tool and is not something to be scared of. I would like to see as much noise about being allowed and encouraged to share data as we had about the GDPR. One reason we have not had that yet is that, when GDPR was coming in, there was a lot of money to be made in providing services to check people’s policies, make sure that they were all right, and frighten them.
For people who were data controllers, the GDPR was great in many senses. It encouraged everybody to look at and think about their data, and to firm up what they were doing. It also created an awful lot of fear, which is never a very good motivating emotion. I would like to see as much noise as we had about the GDPR but in a positive and encouraging way, using those stories to say how sharing data has saved money, improved services, made life better and made people feel safer, more secure, better looked after and supported in their communities. That is what it is about.
Baroness Pinnock: We are all going to borrow this “data saves lives” mantra. Thanks very much, Alison. It is great. Clare, whom would you like to see take the lead on all the vision, sharing and issues that you have just raised? Does it need to come from government or can it come from other institutions?
Clare Mills: It is the responsibility of leaders across all different sectors, whether that is local government, the voluntary and community sector or central government. I would like to see Simon Stevens in the NHS encouraging this. He would have the credibility within the NHS to lead on that role, along with people from NHS England. I do not know whether the Secretary of State would be the best person in relation to health and social care, but I would like to see people within the organisations themselves. Simon Stevens is my top pick for that one.
Baroness Pinnock: I am sure he has time, but maybe not just yet.
Martin Lennon: It is a good question. I will pick a theoretical one and a technical one. Obviously, they are both about children. At a theoretical level, I would like us to move on in how we understand safeguarding. We understand the principle that you can share information for safeguarding, but people often think safeguarding is reacting to risk. Actually, it is about preventing harm. That is where you bring in the voluntary sector, schools and partners, because they have that much wider preventive role. If we think about that role as part of safeguarding, it opens the door for both data sharing and funding arrangements. Otherwise, we just funnel both money and data into LADOs, who then do assessments. That wider role and conception of safeguarding would be a theoretical one.
A technical one, which Alison has already picked up on, is about early‑years data with children and our inability to track children under five across health, social care and education. There is some technical stuff about the inability to match the unique pupil identifier on the national pupil database and the NHS number. It creates all sorts of problems. We have 14% of children start reception and fail half their development indicators. There are multiple and significant issues with development across physical, communication and emotional development and the ability to learn. In a sense, that is a health outcome. As educational practitioners will tell you, the EYFS is not really an educational test, but they are now in the education system.
Those 14% of kids should be a national priority, because they are starting school at such a level that we cannot track them. We cannot link that EYFS score to the two and a half year old check that is now compulsory. We cannot check them through other health services. We are really limited in data tracking and Alison will speak about this, because GM is probably further along than anyone else in the country at linking that data and being able to track it through.
In one area, I spoke to a director of children services who wanted to write to all the parents of three year-olds to say, “Your child will be starting school in a year. Here’s what you need to do to help them get school ready, and this is what you need to do to ask for help if your children are not ready”. That data is held with the health visitor team, which said, “You can’t have it”, even though they work in the same local authority. The compromise reached was that the director of children services would write letters and put a stamp on them, and then hand them over to the health visitor team, which would post them out.
You cannot integrate a service for nought to five if you will not talk to each other within a local authority, let alone bringing in other partners. There needs to be a push, because all the work that GM has done is great. As Alison will attest to, it has been hugely labour intensive and it has taken years. We cannot ask every LA to replicate it on its own. There needs to be some central government push.
Q16 Lord Hunt of Kings Heath: It has been a fascinating session and this is a clear message. We have heard from the Information Commissioner of the constraints on her because she is a regulator. We have heard from our current witnesses, Clare, Martin and Alison, about the need for champions at central government level to promote the benefits of information integration for the benefit of the public.
I have a devil’s advocate question. Let us say that we recommended this, it was implemented and a senior official in each department, maybe a Minister, took on the role of championing information sharing. Is there a risk that the ordinary practitioner gets confused by what seem to be two messages coming down and that, in the end, you need a whole new industry of people to manage it?
At the end of the day, we have all met people locally and been told that we cannot do something because of data protection and the GDPR, et cetera. I am a bit worried about even more confusion on their part. I just wondered if you had thought of that and any ways in which we could overcome it.
Martin Lennon: I was really encouraged in the first session to hear from the ICO about its desire for partnership work in this next phase. That is the key. We could get more sector‑specific guidance that has the principles which the ICO set out in a particular context. Some of this is so long term and technical that it would be quite good if it were led by officials in departments and there was a lead official for this. This year is a classic example. There is so much on Ministers’ plates, and institutions rather than individual Ministers need to take responsibility for some of this technical stuff, such as getting the NHS number to match the unique pupil identifier.
Clare Mills: I am a communicator, so part of my job is to take complicated things and make them clear and easy to understand. The Government have a whole field of professionals in the Government Communication Service who would be ideally placed to help with this work. It does seem complicated. Martin is right about sector‑specific guidance being a helpful add‑on to what is already there as the starter for the ICO’s toolkit. The Government have a huge body of communications experts who will be able to take complicated information and make it easier to understand.
The other thing is the cultural change of empowering people to make the right decision and to be brave, rather than risk averse. That is a cultural change we need.
Alison McKenzie-Folan: I would support what Martin and Clare have said. It comes down to not always needing permission and being brave. As Clare said, a lot of it is about culture and what is generated in organisations. Being courageous and getting on with it is really important. Creating that culture in all our organisations is a responsibility of managers and political leaders who run organisations. Fundamentally, we have to create a culture where we understand how important it is to share data and not find the reasons why we cannot. That is going to take lots of effort by lots of people, trying to get those messages out there and showing that that cultural change is very important. I agree with Clare and Martin that we have lots to do and that promoting that cultural change is key to it all.
Q17 Lord Filkin: Martin, you have read our report and heard this session. Have we done our job on exposing this issue and identifying the key issues, or is there more significant work that we could usefully do?
Martin Lennon: You have done a very good job in the previous session and in holding these sessions. You have brought people together. You have put the issues under the microscope. This is a journey. Your committee has a broad public sector remit, rather than looking at it within individual departments. That is quite unique among Select Committees. I am not saying that the education committee and the health committee do not do very good work, but these issues are slightly more cross‑cutting and beyond any one remit. The focus you have put on it has been incredibly welcome and I encourage you to keep with it, because of your unique position.
The Chair: We are all aware that, too often, other committees cannot look at these issues because they are about how things are dealt with more effectively, in a cross-cutting way. Thank you to all three of you. You have really helped us think our way through this. It is important. You have made it clear. I know that the ICO will have been watching this and will want to work with you. It is important that we give it support in getting more comments and ideas from the different sectors while maintaining its role as regulator.
After this, we will have a very quick meeting on our own to work out what we do with this session, but this will not be the end of our work on data sharing. It has been a really useful session. Thank you all for contributing your time, expertise and experience with us this afternoon.