Written evidence submitted by medConfidential




  1. Part 5 of the Digital Economy Act 2017 was designed to facilitate the digital transformation of government. That it failed to do so is not a flaw of the Act, but of the lack of desire for transformation across silos in Government.[1]


  1. The register of data sharing[2] under that Act shows that any “transformation” of government is incidental, to the extent that it even happens at all. Of 245 projects currently in the register of data sharing, 115 projects are defined as fuel/water poverty, 11 helping people with multiple disadvantage, 26 on civil registration, 73 on Debt, and 20 on Fraud.


  1. It is unclear to what extent, if any, powers for debt are used to help people rather than help the public bodies. We cover the fraud aspects and their deficiencies in our simultaneous submission to PAC’s counter-fraud inquiry and do not repeat them here.


  1. The understanding around the Digital Economy Act powers was simple: Government wanted the ability to use data for public service delivery with inherent transformation, but had to be transparent about it with public registers and publication of documents written during the process.


Transparency of data use


  1. The primary obligation on public bodies using the powers is transparency of process and documentation, an obligation HMRC alone was proactively willing to deliver,[3] and no one else has been materially assisted to deliver by CDDO.


  1. Documentation is requestable under the Freedom of Information Act, and there is no reason that we should have to submit a request per project, and for various public bodies to have to answer those requests, when the documents are supposedly publishable routinely, as HMRC do, and would be had GDS (then) / CDDO (now) facilitated that process.


  1. When in charge of publication, Cabinet Office[4] have told us that it is not possible to link from something published on gov.uk to a document published on gov.uk.


  1. Such a statement was clearly nonsense technically, but to assess it as a technical barrier is to miss the consequence of the deliberate choice by Cabinet Office to own as little part of the process as possible – they do not wish to facilitate any publication.


  1. In effect, Cabinet Office requires every public body using the powers to come up with their own process for publication. Faced with that abdication of leadership, documentation simply doesn’t get published. It must instead be obtained through Freedom of Information Act processes.


  1. Similarly, a steady procession of errors in the register has led to the steady stream of corrections visible in the update information. Lines like “Register entry no.88 removed” only mean something if you have the old copy of the register, as on publication the new register had a new line 88.[5]


  1. That Cabinet Office do not take any ownership of the register means they appear to take no ownership of whether it is correct (until we write to them, then they fix it, then the process repeats).



New digital transformation


  1. Part 5 of the Digital Economy Act defined purposes for existing data sharing, but also included the ability to add new purposes, for the flexibility of future transformation of Government.


  1. Due to the transparency deficit around use of the Act, we understand only one new purpose has so far been added, which related only to Scotland. It appears not to have been used as yet.


  1. Cabinet Office recently ran a consultation[6] on adding a purpose to share data for identity verification purposes. The consultation as written allows any part of government to share identity information with any other part of government, potentially in bulk.[7]


  1. The previous identity system developed by Cabinet Office took responsibility for setting standards for data interchange, so that a department could be assured of the validity of pieces of information without the entire identity being shared. It had Government operate as a system which made agreements and kept them, an operation that required GDS/CDDO to both make agreements, and ensure they were kept.


  1. Current CDDO/GDS practice is to abdicate those responsibilities so each service using identity has to handle all forms of identity.[8] Should new forms of identity sources be added, such as MoJ providing identity for those leaving prison (some of whom cannot be expected to have non-expired passports or drivers licenses), refugees (via UKVI), care leavers (local government?), or service veterans (ID from MoD), each service across Government will both have to update their systems to cope, and in accepting such identities, will inherently know that their users have those characteristics. This is entirely unnecessary, and will lead to expense and complexities throughout government digital services, and make transformation ever harder and more expensive over time. Currently there are two identity documents accepted; this (illustrative) paragraph will at least triple that, creating cost and overhead to every service in government.



Any complex decisions get abdicated


  1. Current Cabinet Office decision making, including CDDO and GDS, avoids hard decisions. It is the culture and practice of CDDO that obligations are things to be avoided, responsibility is something to be evaded, and blame something to be dumped onto others.


  1. With leadership like this from Cabinet Office, it is no wonder that projects like the HMCTS Common Platform replicate the approach of dumping responsibility on those lower down the hierarchy.[9]


  1. The end state of such a culture is events akin to those currently being investigated by the Post Office Horizon Inquiry.



About medConfidential


medConfidential is an independent non-partisan organisation campaigning for confidentiality and consent in health and social care, which seeks to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe, and transparent.


Founded in January 2013, medConfidential works with patients and medics, service users and care professionals; draws advice from a network of experts in the fields of health informatics, computer security, law/ethics and privacy; and believes there need be no conflict between good research, good ethics and good medical care. We also engage with data use across Government, as to a first approximation, the data that institutions of state want to copy most is your medical record.

May 2023


[1] There are of course many digital transformation projects which don’t involve data crossing departmental silos, which are outside of the data sharing powers managed by CDDO.

[2] https://www.gov.uk/government/publications/register-of-information-sharing-agreements-under-chapters-1-2-3-and-4-of-part-5-of-the-digital-economy-act-2017

[3] https://www.gov.uk/government/publications/data-share-pilot-between-hmrc-and-local-authorities-a-to-c

[4] Responsibility has moved from GDS initially to DCMS when it was responsible for Digital and now rests with Cabinet Office via the Central Digital and Data Office.

[5] We have the documentation on how that and the various other register errors were made, and can make the bundle of spreadsheets and emails available if needed.

[6] https://www.gov.uk/government/consultations/draft-legislation-to-help-more-people-prove-their-identity-online/consultation-on-draft-legislation-to-support-identity-verification

[7] https://medconfidential.org/2023/rest-of-government-gds-embraces-1-great-database-state/

[8] https://questions-statements.parliament.uk/written-questions/detail/2023-02-27/hl5901

[9] E.g. page 4 of this training document released by HMCTS https://www.whatdotheyknow.com/request/cjs_fix_case_interface_errors_wi#incoming-2304238