Written evidence submitted by the Ada Lovelace Institute (DDA0038)
About the Ada Lovelace Institute
The Ada Lovelace Institute (Ada) was established by the Nuffield Foundation in early 2018, in collaboration with the Alan Turing Institute, the Royal Society, the British Academy, the Royal Statistical Society, the Wellcome Trust, Luminate, techUK and the Nuffield Council on Bioethics. Ada is an independent research institute with a mission to ensure that data and AI work for people and society.
We are working to create a shared vision of a world where data and AI are mobilised for good, to ensure that technology improves people’s lives. We take a sociotechnical, evidence-based approach and use deliberative methods to convene and centre diverse voices. We do this to identify the ways that data and AI reorder power in society, and to highlight tensions between emerging technologies and societal benefit.
The Ada Lovelace Institute welcomes the opportunity to contribute to the Science and Technology Committee’s inquiry into the right to privacy: digital data. Our submission is grounded in the expertise we have built in data protection, use, governance and management. We have cited our research throughout the response and included links to specific relevant research in an annex.
Our response focuses on the first two prompts of the inquiry, covering the benefits and barriers to data sharing, and the extent to which data issues are appropriately addressed in recent government strategies and consultations, where we highlight some existing barriers that are not fully addressed by Government proposals. Specific points regarding health data sharing and the role of the CDEI have been incorporated into these points.
Effective use of data can make significant direct contributions to society. Better use of data can bring benefits including to:
Indirectly, the use of data can bring social benefit as resulting growth and innovation support a healthy economy. Data sharing can enable social connections and research collaborations across fragmented, globalised populations.
In health specifically, the research platform OpenSAFELY enabled the access and analysis of over 50 million NHS patient records. This analysis of COVID-19 risk factors by health status and social category enabled targeted public health measures, both in the UK and internationally.
At present however there are a number of barriers to effective data sharing in the public sector. Joint research with Ada and the Royal Society examining data-sharing initiatives during the pandemic identified the following issues to effective public-sector data sharing:
The Government has demonstrated a welcome focus on setting the direction for innovation and data sharing as a core pillar of a post-Brexit economy. While we agree with their diagnosis of some of the issues, we disagree with some of their solutions, and see some gaps in achieving an effective, well-governed data-sharing ecosystem.
The Government approach will need to strike the right balance, to draw together data where there are clear public benefits while limiting extractive or harmful practices. Decisions about data sharing currently take place against a backdrop of a power imbalance, where a small number of market-dominant organisations hold an immense about of information and power in shaping societies.
This can pose a particular challenge as the ambition of Government is to share data across the public sector, and between public and private-sector entities: Governments and the public sector across the world have historically struggled to engage with and govern private-sector use of data, for example the data breach between Royal Free and Google’s DeepMind. Examples of harmful practices, particularly from platforms, have demonstrated that innovation and growth are not always aligned with social value and triggered public anxiety about how data may be repurposed.
To achieve a balance, we make five recommendations to strengthen the approach outlined in the proposals referenced in this inquiry, to build the right ecosystem to ensure the Government is successful in their ambition to increase data sharing for public good.
1. Public trust
The results of decades of exploitative practices in the private sector has led to an erosion in public trust in the use of data. High-profile examples of data use that the public did not see as legitimate have led to increasing concerns about public use of data – a recent report from the Centre for Data Ethics and Innovation described trust in public sector data sharing as ‘tenuous’.
In the health sector, as more data has become ‘health’ data, there has been an increase in private actors without a concomitant increase in adequate transparency and public confidence in social value creation.  Public concerns increase if data is being perceived to be sold, or individuals lack clarity about how their data is used.
The recent example of the GP Data for Planning and Research (GPDPR) initiative (which resulted in over three million people opting out of data sharing) warns that public anxiety about weak data governance can lead to withdrawal from data sharing even in sectors that are highly trusted, minimising opportunities for socially beneficial innovation. This erosion of trust undermines the potential collective benefit that could be extracted through responsible, trustworthy data stewardship in the public interest: we should not be complacent that people will continue to accept their data being as available as it has been over the last two decades, as the public become more engage and concerned about data use.
There must be effective mechanisms in place to understand not only average public opinions, but the views of those usually disadvantaged or least trusting of the use of their data, or the systems that use those data. Many of those who benefit least from health data uses, are most at risk of oversurveillance, and are also disadvantaged by poor data collection and infrastructural practices.
The Government must go beyond communicating the data benefits, and undertake in-depth, nationwide public dialogue and deliberation, to ensure data-sharing agreements are informed by nuanced and dynamic understanding public attitudes, and data agreements are viewed as legitimate in context.
2. GDPR interpretation and ‘over-compliance’
Ada research with the Royal Society on data access and sharing during the pandemic found organisations, particularly SMEs and public-sector institutions, can perceive the GDPR framework as difficult to apply or to understand how best to work within, often leading to unnecessary risk aversion.
The simplicity of GDPR as a risk-based framework is viewed as a benefit from the perspective of organisations that are well equipped with the legal and operational capacity to document and validate compliance. But for smaller organisations and individuals without access to legal support, the simplicity translates into uncertainty, which in turn can promote overcompliance or risk-averse approaches to using data.
As the data landscape becomes more complex, it brings together data from the public and private sectors, bringing in different players and data-sharing agreements. This leads to a lack of clarity about organisational roles – particularly when using non-health data to make health inferences.  Even across the public sector, there are cultural barriers and practical challenges to setting up data-sharing agreements.
There appears to be an assumption within Government that the current legal data protection regime stifles growth and innovation, but we have not found credible evidence to support that. Instead, there is evidence that it is the interpretation of the law that is a barrier to COVID-19-related research or innovation, rather than the law itself. This is in additional to a number of other practical barriers including data quality, culture and incentives as findings of the Alan Turing Institute’s major review drawing on over 100 experts using data science during the pandemic demonstrate.
We therefore recommend the UK’s approach could provide greater institutional confidence in data sharing through greater clarity and guidance on existing regulation; standardised approaches to data sharing to give confidence to public and smaller private organisations about data sharing.
3. Strengthening independent regulation
Across extensive public research, we have found consistently that the public want more, not less, regulation to trust the use of their data. There is no blanket social license for the use of data in the public interest, even during emergencies. The public want clear information up front on data practices, and clarity on the boundaries of data use, rights and responsibilities, even during times of crises.
The current regulatory system is not strong enough to address existing challenges or reassure the public of their privacy, so any ambition to increase data sharing should include strengthening independent regulatory capacity. Because the primary goal of the GDPR is not to restrict data use, but to allow purposeful data processing, it has not yet been effective in curtailing the potentially harmful aspects of the data economy and its power imbalance, or in prompting a move away from the commodification of human behaviour and activity by large corporates.
CDEI plays a valuable role in the data governance ecosystem but does not mitigate the need for independent regulation.
We suggest the UK’s approach could provide greater public confidence in data sharing through strengthening regulatory powers, capacity and coordination, and stronger enforcement mechanisms to ensure individual and group privacy is balanced with economic and societal benefits, and greater data sharing is matched with trusted, independent oversight and enforcement.
4. Biometrics legislation
Biometric technologies pose particular risks and harms to privacy and free expression, and may lead to discrimination (both through their differential accuracy for different demographic groups, and through their uses).
The Science and Technology Committee has previously identified the need for a deeper understanding of public attitudes and clarity of legal governance of biometrics. In response, Ada conducted a nationally representative survey on UK public attitudes towards facial recognition technologies (Beyond Face Value) and convened the Citizens’ Biometrics Council, a council of 50 UK adults to learn and then deliberate on biometrics in greater depth. Both the survey and the citizens’ council highlighted public support for stronger safeguards on biometrics technology.
To assess the efficacy of existing safeguards, we commissioned an independent legal review by Matthew Ryder QC (‘the Ryder Review’). The forthcoming review finds that the current legal framework for governing biometrics is not fit for purpose, and that the accountability mechanisms in place are fragmented and ineffective. The Review identifies the need for a new, technologically neutral, statutory framework to govern biometrics. To ensure that legislation is enforced, the Review suggests the establishment of a national Biometrics Ethics Board.
Based on our findings of public support for stronger safeguards, and the legal review findings that current safeguards are not fit for purpose, we recommend that Government passes new legislation to govern the use of biometrics. This primary legislation should account for the use of this technology for both identification and categorisation and should apply to uses by the public and private sectors.
5. Further research and development
There are opportunities where the Government could offer global leadership to define a post-Brexit approach to data governance.
We recommend further Government research and development on three aspects:
On data stewardship: responsible and trustworthy data use, governance and management:
On public attitudes and experiences of data-driven technologies:
On transparency and accountability for algorithms and AI:
On the use of data and data-driven technologies as part of the COVID-19 pandemic response:
 Margetts, N. and Dorobantu, C (2019) ‘Rethink government with AI’ Nature Available at Rethink government with AI (nature.com)
 Williamson, E.J., Walker, A.J., Bhaskaran, K. et al. (2020) OpenSAFELY: factors associated with COVID-19 death in 17 million patients. Nature. OpenSAFELY: Factors associated with Covid-19 death
 Ada Lovelace Institute (2020) Learning data lessons: data access and sharing during COVID-19 | Ada Lovelace Institute
 For example, the super-complaint brought against data sharing between the police and the Home Office; and concerns raised about public health data from test and trace being shared with police
 For example, the data breach between Royal Free and Google’s DeepMind from the ICO
 Half of Britons surveyed in Doteveryone’s People, Power and Technology survey felt they had little agency when it came to the use of their data online, and felt pessimistic about the impact of technology on their lives and on society in the future. Doteveryone (2020) Introducing People, Power and Technology: The 2020 Edition – doteveryone
 CDEI (2020) Addressing trust in the public sector data use.
 Powles, J. and Hodson, H. (2017) Google DeepMind and healthcare in an age of algorithms. Health Technol. 7, 351–367 (2017). https://doi.org/10.1007/s12553-017-0179-1
 See for example lawyers acting on behalf of openDemocracy demanding transparency on Palantir database https://www.opendemocracy.net/en/ournhs/uk-government-could-face-legal-action-over-huge-secretive-health-database/
 UK Statistic Authority (2021) Leaving no-one behind: how can we be more inclusive in our data. Available at: https://uksa.statisticsauthority.gov.uk/publication/leaving-no-one-behind-how-can-we-be-more-inclusive-in-our-data-executive-summary/pages/1/
 Institute of Race Relations (2021) A threat to public safety: policing, racism and the Covid-19.available at A threat to public safety: policing, racism and the Covid-19 pandemic - Institute of Race Relations (irr.org.uk)
 See the Advisory Committee on the Framework Convention for the Protection of National Minorities National minorities and COVID-19: inequality deepened, vulnerability exacerbated - Newsroom (coe.int)
 Ada Lovelace Institute (2020) The data will see you now https://www.adalovelaceinstitute.org/report/the-data-will-see-you-now/
 Ada Lovelace Institute and the Royal Society (2020) Learning data lessons: data access and sharing during COVID-19 Learning data lessons: data access and sharing during COVID-19 | Ada Lovelace Institute.
 The Alan Turing Institute (2021) Data science and AI in the age of COVID-19 Available at: https://www.turing.ac.uk/research/publications/data-science-and-ai-age-covid-19-report
 See forthcoming Ada Lovelace Institute policy briefing on public attitudes to data governance
 Ada Lovelace Institute (2020) No green lights, no red lines (public perspectives on COVID-19 technology) and Confidence in a crisis? (public engagement on COVID-19 technologies)
 See fuller comments by Professor Tommaso Valetti on responsible innovation available at https://www.adalovelaceinstitute.org/event/responsible-innovation/
 Hall and Pesenti (2016) Growing the Artificial Intelligence Industry in the UK available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/652097/Growing_the_artificial_intelligence_industry_in_the_UK.pdf
 Ada Lovelace Institute (2021) Exploring legal mechanisms for data stewardship
 Ada Lovelace Institute (2021) Participatory data stewardship,
 Geospatial Commission (2021) Public Dialogue on location data ethics
 The Participant Panel | Genomics England
 Independent Group Advising on the Release of Data (IGARD) - NHS Digital
 Current data sharing and collection within public bodies is governed by various frameworks including Information Governance and the Caldicott Principles our most recent work on the ongoing need for regulatory approaches for innovative practice, together with separate yet ongoing work with the NHSX’s National Chest Imaging data-sets
 For more on our forthcoming work, and to access it when published in early February 2022, see: https://www.adalovelaceinstitute.org/project/algorithmic-impact-assessment-healthcare/
 The Ada Lovelace Institute is exploring through its Rethinking Data work what types of interventions would enable positive transformations for data use and regulation. Publication of the final output from this work is expected in 2022.