

Select Committee on Public Services PSC


Oral evidence: Public services: lessons from coronavirus

Wednesday 22 July 2020

4 pm



Members present: Baroness Armstrong of Hill Top (The Chair); Lord Bichard; Lord Bourne of Aberystwyth; Lord Davies of Gower; Lord Filkin; Lord Hogan-Howe; Baroness Pinnock; Baroness Tyler of Enfield; Baroness Wyld; Lord Young of Cookham.

Evidence Session No. 16              Virtual Proceeding              Questions 104 - 111



I: Elizabeth Denham CBE, Information Commissioner; Steve Wood, Deputy Commissioner, Regulatory Strategy, Information Commissioner’s Office; Simon Madden, Acting Director of Policy and Strategy, NHSX; Professor Sir Ian Diamond, National Statistician, Head of Government Statistical Service and Office for National Statistics (ONS).





Examination of witnesses

Elizabeth Denham, Steve Wood, Simon Madden and Professor Sir Ian Diamond.

The Chair: I welcome our second panel, which is essentially about how well we have shared data during the pandemic and what we need to do going forward. We have two people from the Information Commissioner’s Office and Professor Ian Diamond from the ONS. You got a mention earlier, Ian, although I am not sure you were in the conversation. We also have Simon Madden from NHSX. I thank all of you for coming. We are always very tight for time, particularly as it is a public broadcast session. We only have an hour.

I will move straight into questions. I ask Baroness Pinnock to ask the first question.

Q104       Baroness Pinnock: We have just had a fascinating evidence session, which largely featured data, and we will now have another one, because the questions here will be about data and its importance.

Professor Diamond, there has been a lot of praise for the ONS and the data that you have provided during the pandemic. You will have read in the press about the data applying to deaths of children and adults with learning difficulties and those on the autistic spectrum. In your assessment, how has the ONS performed, and what are the learning points for the future?

Professor Sir Ian Diamond: Thank you very much for that question, which is a very good one.

I am very proud of my colleagues’ work on death statistics. We have had very high numbers, and my colleagues have worked tirelessly to be able to produce statistics on deaths faster than we have ever been able to do before. Indeed, the UK produces its death statistics rather faster than just about anywhere else in the world.

Our judgment is that the best person to decide the cause of death is the medical practitioner at the death. As you will know, medical practitioners can give up to two causes of death: a primary and a secondary cause. If a medical practitioner says that Covid is either a primary or a secondary cause, we have given Covid as the cause of death.

However, issues such as autism are not on the death certificate. Therefore, we have to work differently to find out the relationship between comorbidities such as that. We have made some progress by linking death certificates with census data, but census data only has self-reported “Do you have a disability?” That is why we have been working with NHSD to gain access to primary care data. That is new for NHSD, and some of our statisticians are working inside its environment to be able to make the linkages that will enable us to learn more about the relationship between comorbidities and death.

Baroness Pinnock: That was a really good response. It has helped me to understand how difficult it is to record causes of death. Thank you.

Q105       Lord Bichard: I welcome the panel and thank them for the time they are giving us. I want to put this question, first, to Elizabeth Denham, although others may want to come in.

I notice that in your blog published in May you talked about the new priorities for UK data protection. One of the priorities you referred to was wanting to enable responsible data sharing for the public good. You said that you were conscious of the risk arising from a failure to share. I could not agree with you any more about that.

We have seen and heard evidence from public services that have found new and innovative ways of sharing data. Do you think we need to revisit the regulatory regime to ensure that those kinds of innovations continue, while of course ensuring that people’s data is protected? Do you think we need a new emphasis on data sharing for the public good?

Elizabeth Denham: Thank you for the question. Very early in the pandemic crisis, as early as the beginning of March, I was asked the same questions by NHSX and the Secretary of State. “Do we need a new regulation? Do we need changes in the law to allow data to be properly shared and used, to take steps and manage the pandemic?” I assured them, and I have assured the public, that the law is flexible enough to allow for the sharing of data for the public good and in the public interest, as long as it is shared because it is necessary, transparent and proportionate.

As you said, I have said over and over again in blogs and guidance that a failure to discover or a failure to share data to assist the public is taken account of in the law. I think the law does support and tilts towards flexibility to manage circumstances such as our current pandemic. What is needed is trust by the parties that are sharing data and clear assurance and guidance from the regulator. I think we have those things, especially in relationships that have existed for some time. We see better and more effective data sharing between some parties that have worked together for a long time, and less assurance.

During the pandemic I have been both an enabler and a protector. We have supported the sharing of data. We have enabled transparency, but we also take steps to protect the public when there is non-compliant practice.

Q106       Lord Bichard: May I follow up with a question about guidance? It is a long time ago now, but when I chaired an inquiry into the murder of two young girls I was constantly told by the police, the local authorities and anyone else—any witnesses I had—that they could not do what you have described because the legislation did not let them. My conclusion was that they could, but they did not understand the legislation well enough.

Is there not a responsibility on the Information Commissioner’s Office, and your office in particular, to clarify the guidance and advice that is out there? People still think they cannot do things because of the data protection legislation.

Elizabeth Denham: Some of those issues are cultural. Some of the data sharing issues have to do with resources and knowledge. It is not the law, as you said. As your experience showed, it is not the law that gets in the way. We have to bust that myth.

What is really important is that the tools, the toolkits, the guidance and the interpretation of the law are out there and are easy to digest. One of the most important things that we will be releasing later this summer—we hope the statutory code will be laid before Parliament in the autumn—is the ICO’s data sharing code. You will remember that we have had a code for a long time, but this is updated. The data sharing code includes good examples across various sectors, and along with the statutory code comes a toolkit and learning materials so that public bodies can understand what they can do. The law is a “can do”; we are not the department of no. The law does not prevent responsible data sharing.

Certainly, my brand, as Commissioner, has been about encouraging innovation and data sharing when it is in the public interest.

Lord Bichard: I am delighted to hear that. I would love to continue this conversation.

Simon Madden: I echo what the Information Commissioner has said about the importance of guidance. In fact, we had the support of the Information Commissioner throughout the pandemic response for NHSX. I should say that NHSX is responsible for the data policy framework for the Department of Health and Social Care. The Information Commissioner’s Office was really supportive of us in publishing very clear, authoritative and simplified information governance guidance to the front line—to clinicians and practitioners—to empower them and give them confidence to handle and share data, especially when using new technology that has been necessary because of the pandemic. That has received very positive feedback, not only directly to us but to Ministers when they are engaging with front-line clinicians and professional bodies.

I underscore the importance of guidance, and of almost giving permission to share data responsibly so that people understand the context in which they are operating.

Lord Bichard: This is an issue of culture. It is the front-line workers, whether they are clinicians or social workers, who need to understand how this data can be shared. It is not an easy task, is it?

Simon Madden: It is not an easy task, particularly in the healthcare system. You have some structural things that you may need to address to help with the sharing of data. We try to resolve those through using the COPI regulations, which allow for a more permissive environment in certain contexts. You have some structural things that you may need to resolve, but crucially it is cultural and behavioural issues. Often overzealous interpretations of the law result in a failure to share data at appropriate times.

Professor Sir Ian Diamond: I agree fully with Elizabeth. The Digital Economy Act gives us all the powers that we need. I note, of course, that that does not include health data. There does need to be a renewed commitment to sharing in that space.

There has been enormous progress in data sharing during the pandemic, at a real pace that I have sometimes been surprised and reassured by. Some of the critical issues are therefore not the law but, if you like, culture and in many ways caution. People say, “If I share my data with you—it is given to ONS—what happens if something goes wrong?” I am very clear that we, at ONS, take on the risk and have worked very hard with the National Cyber Security Centre to be able to have secure places. To return to what Elizabeth said, we are making sure that our ethics and our approvals are such that all work that is done is in the public interest. We have all the mechanisms that we need. We now just need to maintain this change of culture and understanding, and to turbocharge it.

Q107       Lord Hogan-Howe: What concerns me about your advice is not the accuracy, which I am sure is right. The law can be helpful, but the evidence we have heard is that people are concerned about how to operate that law. There is certainly a gap between what the experts say the law allows them to do and what the people who are trying to use that law feel able to do. It is probably driven by fear.

If that is accurate, what worries me is who will address that fear. If the guidelines are not getting through, and people do not feel they have a defence, the system will not work very well for everyone. Everybody wants that to happen, so I would like to hear more about how we address the gap between when people say the law is okay and the people who try to use it on a case basis.

I would argue that the national sharing of data has been okay. I know that there have been glitches, but when it gets down to case to case, where you quite often have a privacy issue, it does seem as though there have been problems, and it is not just this crisis.

Elizabeth Denham: As we have all agreed, it is not the law that is the problem: it is the interpretation of the law, the understanding of the law, the trust between parties that are sharing information, and the emphasis on public interest gains from data sharing.

I have noticed in the pandemic crisis that, yes, everybody is moving at pace and people are united in the efforts to help particularly vulnerable groups. Let us get the data that we need so that supermarkets can deliver to those who are screened. We need all these efforts to do the right thing. The pandemic is a great opportunity to examine data sharing and to break it down into really clear examples for the front line.

We have observed sound data sharing and sound responses to the sharing of data from partners who are used to working together, but when it comes to partners such as community voluntary groups that needed to get some data sharing up and running and needed to get data from local or national government, if it was a new relationship, that takes some time.

We worked with community voluntary groups to help them get up and running when it came to taking responsibility for identifiable, sensitive health information on individuals. This might have been a first time. At the coalface of data sharing, people working on the front lines need simple toolkits to understand the responsibilities.

I agree that we need more of that. I think we at the ICO are laser focused on getting as many tools out as possible. Let us be real; we still need good data quality standards. We need interoperability of data systems, particularly when we are data matching. We also need a trusted cultural environment so that partners in data sharing understand how they are in fact accountable and responsible for the data they are using.

Lord Hogan-Howe: I accept that; it is a good answer and I do understand that. Are you content that the defences available to individuals—let us forget organisations—are sufficient to reassure them that a person trying to do the right thing for the right reasons who breaks the law has a good defence? They do not seem to think so.

Elizabeth Denham: I am not sure where that fear is coming from. Our office, for example, has never taken action against an individual who, for good reasons or because they do not understand their responsibilities, has contravened the law. We have taken action against individuals who purposefully and opportunistically use data for their own gain. We have prosecuted individuals for theft of data, for example, but we have never taken action against an individual. They have that defence; if they believe they are acting in the public interest, we will certainly take that into account.

I do not understand where the fear is coming from. It could just be culture. It could just be, “I’d rather not share with this partner, because I do not understand and I am not sure I can trust them”. I would be interested in what the other panellists have to say about that, because I really do not understand the individual fear.

Professor Sir Ian Diamond: I agree with everything Elizabeth has just said. Our experience is that people need to understand why their data are being used, and we need a good approvals mechanism—it can be very agile, but a good approvals mechanism—to enable those data to be used.

Too often, people say, “Can we use your data?” rather than, “For the following reasons, we would like to share data”. When you do the public engagement in the right way, people agree. Again, I do not see the issue about individuals having fear, because if they have been through the right approvals process there should not be a problem.

The second point on which I agree with Ms Denham is that we should not believe that data are out there in a beautiful, fully formed way. Data are collected administratively, often for particular purposes. They are often very dirty. They need an awful lot of data engineering to get them into the right place. If we are going to share data, we need the right data architecture and data standards.

I am delighted that there has been a real push recently. We at the ONS are working with the Cabinet Office, DCMS and the Government Digital Service to form a data standards authority around an integrated data platform. That will enable us to share data much more easily, because we will have the standards to be able to pull data together very simply.

Q108       Lord Filkin: This is a question for Elizabeth Denham. In response to the questioning from Lord Hogan-Howe, she concluded by saying that she does not understand the problem. I think we are pretty clear that there is a problem. If the Information Commissioner does not understand the problem, it is extremely unlikely that the Information Commissioner will do much about trying to sort it out. I do not think I feel at all comfortable by the way this conversation has developed. Does she want to comment?

The Chair: Do you want to respond to that, Ms Denham?

Elizabeth Denham: Yes. I was saying that I did not understand the idea that individuals on the front line had fear in sharing data.

Lord Filkin: Well, they do.

Elizabeth Denham: I certainly understand that organisations have not always shared data when they should have. I understand that there are some complexities in organisations sharing data. I fully acknowledge that. I do think that the building up of additional guidance in our new data sharing code, which is imminent, and the tools that surround that code will help a great deal in this context.

I think you can understand that the Information Commissioner’s Office is a horizontal regulator, which means that we have responsibilities for all sectors, public and private, when it comes to the use of personal data and data sharing. That is a big mandate, but we are very focused on the data sharing code and all the tools that go with it to assist government in this way.

This is not a particularly British problem. It is not a UK problem. I am the chair of the Global Privacy Assembly, which brings together all the commissioners from 130 jurisdictions around the world. What I hear from our Australian colleagues, our Canadian colleagues, our Brazilian colleagues and all our European partners is that data sharing by government departments for public interest reasons is a problem. It is about data quality and interoperability. It is about the quality of data, but when it comes to privacy and data protection we need to do more, and I accept that. It is not a problem unique to the UK.

Lord Filkin: In conclusion, I recognise that it is not unique to us, but that does not give us any comfort.

There were hints that there was a clear statement of owning the problem. That is what I would hope to see: the Information Commissioner clearly signalling that even though it is a complex problem there is some ownership in trying to sort it out.

Elizabeth Denham: I fully accept that we own the issue of good guidance and getting good guidance out there. It should also be recognised that public bodies have to have knowledge of the law, and they have responsibilities and accountabilities for data sharing and data use.

The Chair: I will bring Simon in, because in many senses this is a real issue in the health service. I was going to come into the conversation and say that we suffer from the group of people who have no trust in anything the state does and that there has been a real undermining of trying to sort this out. I think that is at the heart of all the problems. There are people at both extremes of our world who have conspiracy theories for everything.

Simon, this is an issue for NHSX, and it is an issue for the app and for the health service generally, is it not? You need to unmute.

Simon Madden: I beg your pardon. I must have accidentally muted myself. Perhaps that is prescient.

Public trust lies at the heart of this debate. Particularly in the health context, it is vital that the public understand how their data is being used. That can be brought about by transparency.

I echo the importance of getting an understanding that the guidance that is issued is really understood. It has been our experience, particularly during the crisis, that we cannot allow ourselves to become complacent about the guidance that we have sent out, which has been clear and has received positive feedback, because there are still pockets where that guidance and that message has not really permeated. Although it is really important to keep the message going, you also need to have proper feedback loops and a feedback cycle so that you understand how the guidance is being received and understood, and then respond to that further challenge.

A key part of our information governance guidance campaign is about not only giving health practitioners the confidence to share and manage data but trusting each other and ensuring that those partnerships and that trust is developed so that data can be shared to save lives.

Baroness Pinnock: I think there is a dilemma at the heart of this, which you have touched on. The example I want to give is test and trace, which is being done nationally by the private sector. It was not able to share full postcode data with local public health directors to deal with cases that came up locally.

The Chair: I am going to interrupt you, or I will get into trouble with Lord Bourne, because that is his next question.

Baroness Pinnock: I am sorry. I will let him do it and I will come in, if necessary.

Q109       Lord Bourne of Aberystwyth: That is fine. I am always grateful to Kath for being the warm-up act.

This really follows on from what Geoff and Michael were saying, and what Kath was going to say. I think there is a great danger of our being a little complacent about data sharing. There is a very real problem. It is a bit of a cop-out to say that this is a problem not of the law but of interpretation of the law. People at the sharp end are not going to understand that distinction. It really is a bit unrealistic to expect them to do so.

We have heard from local authority leaders. They have made complaints about data sharing with the NHS that has caused problems. The contact tracing app, which Kath was just about to expand on and which I will mention here, is presenting real problems in relation to local lockdowns in Leicester, and could do for future local lockdowns.

There is a problem that needs grappling with, and, stripped of the gobbledegook, it is how we get through this and properly share the data. The first step is to acknowledge that there is a very real problem. Please comment.

Simon Madden: I should say that NHSX, of course, is responsible for the framework rather than the specifics of the test and trace operation. I do not want to stray too much into my colleagues’ areas lest I get into trouble.

As for the policy framework that is operating, either with a combination of PHE existing powers or with the COPI regulations that were invoked in March and the notices that were issued, there should be no obstacle to the sharing of data for public health purposes. The Secretary of State has now made it clear that data is being shared, and should be shared, at that level.

It may have something to do with the progression of the testing data, as that was coming on stream. As early as June, NHS Digital made available an operational data dashboard, with the support of the department, and that included testing data at a local authority level. That was made available to directors of public health.

PHE then started to provide more granular data, including postcodes, to local authorities, including directors of public health, from 24 June. The chief executive of Public Health England wrote to local authorities in early July to outline what data was available to them, and how they might access it. Tom Riordan, the chief executive of Leeds City Council, is working alongside test and trace as part of that operation. He wrote to council chief executives on 10 June, asking them to send NHS Digital a request for access to those operational data dashboards. NHS Digital began to create accounts for those dashboards as early as 11 June.

It may be an information or a communication issue, but substantively, as I understand it, the policy frameworks that were in operation allowed for the sharing of that data.

Professor Sir Ian Diamond: Let me be very clear. We are absolutely not complacent. We have some datasets on which we have been working with providers to access for over three years. That is incredibly frustrating, but we recognise the work that needs to be done in public engagement, building trust between providers, and building a culture of understanding exactly why and how the data will be used.

I recognise that this has to be done at great pace in the pandemic. I have seen a number of areas where things have moved very much more quickly than we have seen in the past. I cannot comment fully on the test and trace cases, so I will not. I just wanted to reassure you that there is no complacency.

Lord Bichard: I want to follow up on Geoff’s point. I am slightly concerned about the way the discussion is going. This is a really critical point. Many children in this country have died over the last 30 or 40 years, because people on the front line have not felt able to share information. It is a cultural thing as well as a knowledge-based issue.

You tend not to change culture just by regulations. You have to do something rather more significant and fundamental. A lot of people have felt that the Information Commissioner’s Office in particular has been threatening by only ever talking about data protection. I am delighted to hear today a little bit more about data sharing.

This may be going too far—this comment is really aimed at Elizabeth Denham—but I think we need to get to a world where people feel that, if they did not share information when they should have done, that is as bad as breaching the Data Act. It needs a pretty fundamental statement, and a continuing statement, from people such as the Information Commissioner if that will happen. Would you like to comment?

Elizabeth Denham: I want to underscore that our office is not complacent about the issue of data sharing. I did mention the fulsome code that we have been working on for the last year. We have consulted extensively with all government sectors. The code is ready to be laid. It is unfortunate that the code was not ready a year ago. We did not see Covid coming. That work required extensive consultation with stakeholders, including across government but also with researchers, academia and businesses that all benefit from the innovation that we want to see in this country in the use of data.

Also, since the beginning of Covid our office has given about 600 pieces of advice across the voluntary sector, the private sector and the public sector. In a way, we have been running at pace to give advice on new and innovative ways in which agencies want to share, use and collect data. We are out in front among data protection agencies across the globe in coming up with standards of transparency and audibility of artificial intelligence. That work is really important when it comes to the use of data.

As soon as Apple and Google had announced their joint initiative for a contact tracing app, our office published a commissioner’s opinion on the safeguards that are provided by Apple and Google within four days of that announcement. Now we see that the Government are pursuing that model for the contact tracing app. I just wanted to underscore that we are not complacent. We have taken a very strong role.

On the comment that it would be useful to hear more about the benefits of data sharing by our office, again I agree that we could do more of that. We could offer more support with regard to the use of data for research. Again, the Covid-19 crisis gives us a great opportunity to get on the soap box and be able to get out there and support the responsible and effective use of data. That is our job, but we are also a protector. We have to ensure that agencies are sharing data with cybersecurity and with good information governance around it.

Q110       Baroness Pinnock: I want to give a couple of examples of where I think that data sharing has not worked well during this crisis and see what the learning points are from it.

I am a governor of a local high school, where children come from different local authorities. Information on children who are currently shielded needs to be with the school before they start in September. It has been almost impossible—I think it still is—to get the information about which children need to be shielded when they return to school in September. The local authorities are unwilling to share the data between two different local authorities. That has a huge impact on the individual child.

There was a local outbreak in my town. The private sector element of the national test and trace was not able, apparently because of its contract—this is what I am told—to share full data, right down to the six-digit postcode. Everybody talks about postcodes, but they do not always mean the full six digits. Sometimes they mean just the first three or four. Having the whole six-digit information is the only way you can deal with local outbreaks. That has only just started to come.

May we have some comment about why this is and how we can learn from it?

The Chair: Some of that is for Simon and some for Liz.

Baroness Pinnock: I agree. Simon, would you like to answer about test and trace? We have had three local outbreaks, and it has made life extremely difficult for the local public health people.

Simon Madden: Elements of NHS test and trace are run by the private sector—the contact tracing call centres—but the vast majority of it is run by the public sector.

My understanding of how the test and trace data has been shared is that it has been a gradual process, particularly the testing data. There has been a building up of the data as that comes on stream. The most recent access to data has been that very detailed postcode data.

I go back to what I said slightly earlier. The framework that was put in place at the start of the pandemic—the COPI regulations—allows for the processing of confidential patient information. I can only speculate, I am afraid, not being very close to the test and trace operation, that it was a question of definitions and debates about what was identifiable and what should be released.

My understanding is that, with assurances about various protections, the information is now being shared.

Baroness Pinnock: It is now, yes. What about the individual information on children? Is that for Liz Denham?

Elizabeth Denham: Going back to the principle in the law, agencies should have the information that is necessary and proportionate to do their work. Local government and schools should be able to get access to information, including identifiable information, which is the full six digits of the postal code identifiable to a household. The identifiable information of the individuals should be accessible to schools, to local authorities and to groups if it is necessary to do their work. That is what the law says. It is about necessity, proportionality and transparency. That is what we would look at.

On this particular example, I understand from Simon that that information is now flowing. That is good. If our office were asked that question, we would look very closely at why that data was needed. The law allows for that sharing.

It could be that the partners were not comfortable. The ICO is not a party to a data-sharing agreement, but we are the expert regulator and we can help to bring parties together, as we have been doing.

Simon Madden: Although the regulations that we invoked at the beginning of the crisis—the control of patient information regulations—had been in place for some time, this was one of the first times that they had been used. There may well not have been clear understanding of the power of these regulations, the notices that were issued and how they could be deployed.

We will definitely take that away as a lesson to strengthen our communication about COPI notices and the permissive environments that they created.

Q111       Lord Hogan-Howe: As we emerge from lockdown, do we need a new cross-government, cross-public sector strategy on data sharing? If you do think that, what should it look like?

Professor Sir Ian Diamond: The good news is that the Government are making a very good effort to bring data sharing together. Alex Chisholm in the Cabinet Office is leading an effort to build the infrastructure to share data across government departments and to do public engagement on privacy, and to do the data standards and the data engineering that I have talked about before.

I do think that we are at a moment when government is working very well to bring the processes together. It is for all of us to continue to advocate for cultural change and for those data to be shared.

We at the ONS are enabling data from many arenas—some of it in real time—to come into our secure research service, where it is available for analysis both within government and through bona fide researchers completely anonymously with very good privacy, as long as the work is for the public good.

I completely agree that this is needed. The good news, I believe, is that we have the beginnings of it happening.

Elizabeth Denham: I would agree that we have the beginnings of a new chapter in data sharing, and that we can better develop the culture and trust in data sharing with the co-ordinating role of the Cabinet Office that was announced today. I think that is a good step.

There is obviously a huge role for our office to continue to do our work on assuring public bodies of the legal and ethical sharing of data. We have more work to do there, especially on the granular level in different contexts.

I also think that, coming out of the pandemic and looking to the future, there will be bigger government. There will be more expectation of better data, better-quality data and more data to be able to make sound decisions by government.

This is an opportunity to get the public more on side with data sharing. The public, especially in this crisis, expect that their data will be shared for good purposes and for the public good, but they want it done within a solid governance framework. They want it done responsibly. That is the way we will take people with us in gaining their trust and confidence in the use of data.

I also see that we need to focus on research uses of data. We need a new code of practice for research, both in the public and private sector uses of data. I would like to see a focus on research in the future.

Simon Madden: I agree with everything that Sir Ian and Elizabeth have said. I would just add that in the health space the Secretary of State has asked us to look at how we build on what we have been able to achieve in Covid so far, particularly in relation to data sharing and the environment that we have been able to create.

A key part of that is trying to bring together all these strands in a data strategy—we are working on that at the moment—within which there is an element of public engagement to test the public’s attitude to data sharing in the health space.

Professor Sir Ian Diamond: I would come back to Elizabeth Denham’s point on research. At the ONS we have a partnership with the Economic and Social Research Council, called the Administrative Data Research Network, which works to allow research on all kinds of administrative data.

Secondly, we have a partnership with Health Data Research UK, a UK-wide body with access to many health data. Again, we will be building our platform that enables research using and linking anonymously health and social data to enable some fantastic work to take place.

The platforms are there and the will is there, but we absolutely do need the publicity.

Lord Hogan-Howe: I can understand the dilemma between what the law says and what people are experiencing; I get that. Experts often have a far better understanding of the law.

As an analogy, in the police service, firearms officers often believe that they will be subject to manslaughter charges once investigated by the police complaints at various authorities. The reality, as Elizabeth has said, is that there has never been an officer charged. The trouble is that, when you have been investigated for two years, that is not how it feels. There is a difference between how they feel and the reality of what may happen.

We have heard quite a lot about it in these discussions, but I do feel it is that gap that needs to be addressed somehow. I do not suppose that any of us have an easy answer to it, but there is a gap.

Elizabeth Denham: That is a really good analogy. At the ICO what gets headlines in the papers is when we take enforcement action, especially against a large private sector organisation that has breached the security of customers’ data. That is something that people take away with them. We have fining power and sanctions. We have fined public bodies for data breaches, because again it is in the public interest to make sure that there is good security around private data.

Seventy-five per cent of the resources in my office are used to help organisations to comply, to write guidance, to give speeches and to write blogs. What I am hearing from this conversation is that we need more of that. What helps people on the front line is real, detailed and context-specific guidance. If you are in this situation, if you are a front-line healthcare worker and the police come to the door, what do you do? How much data can you share, and under what authority?

That is really what the front line needs. They need me, Ian and Simon to stand up on the bully pulpit and say that failure to discover or failure to share information that is in the public interest is not acceptable. I think there is more of that, and it will take time. I do think we have progressed at pace. We have probably fast-forwarded five years in some of our thinking on data sharing because of the pandemic. Let us not lose that opportunity.

Simon Madden: My point has been made, but I would just stress that in health it is often not a question of application of the GDPR but of confidentiality. That is why I think public engagement is so important to be able to test the limits of where the public are in the sharing of that data.

Professor Sir Ian Diamond: I agree completely, but not enough of that public engagement is being done. We have been doing a lot of public engagement using citizens juries. If I was to go up to Simon in the street and say, “Can I have your health data?”, he is pretty likely to say no, and I would not mind him doing that. If we have a conversation about anonymity, the purposes of those data and aggregated data, the public have a very different response. Proper and really thoughtful public engagement is urgently needed.

The Chair: I am passionate about all of that. It is about the questions we ask as well as everything else, and the context within which you place them. The problem is that too many people get their information from social media, which does not exactly deal with the reality. That was what I was thinking earlier in the discussion. Unfortunately, we cannot ignore it.

This has been a fascinating session. As you can tell, Members are very exercised about this, because we want data to be shared effectively. I know how difficult this is. We have been trying to do it for a long time. Again and again, on the one hand the public get worried that their data will be misused, but on the other they do not understand when lots of government agencies come to them for information or expect them to give them information, and that they do not talk to each other about it.

When someone on social security dies, about 50 different contacts must be made to ensure all the different parts of the law are abided by. We have to make that more straightforward for people but do it in a way in which they have confidence.

I am going into areas that as Chair I should not. I really want to say thank you very much to all of you. It has been a fascinating session. We have learned a lot. I am sure that we have more questions that we will think about, so we may contact you again.

If you think afterwards, “Oh, I wish I had said that”, or, “I could have let them know about that”, please do let us know. We would appreciate any further written evidence.

Thank you for your time and your commitment in helping us work through this very tricky issue.