Publication - Minutes
Data Management Board minutes: October 2016
Minutes from the October 2016 meeting of the Data Management Board (DMB)
Published: 4 Dec 2017
Attendees and apologies
Present
- Sarah Davidson, Chair - Director General, Communities, Scottish Government
- Ken MacDonald, Assistant Commissioner for Scotland and Northern Ireland, Information Commissioner's Office
- Ruchir Shah, Head of Policy, Scottish Council for Voluntary Organisations
- Roger Halliday, Chief Statistician, Scottish Government
- Gerry Donnelly, Head of Data Resources, National Records of Scotland
- Vicky Brock, CEO, Clear Returns
- Colin Sinclair, Director of Procurement, Commissioning and Facilities, NHS Scotland
- Graeme Laurie, Professor of Medical Jurisprudence, Edinburgh Law School
- Alan Johnston, Head of Connectivity, Economy & Data Division, Scottish Government
Secretariat/Officials
- Stuart Law, Digital Directorate, Scottish Government
- Stephen Peacock, Digital Directorate, Scottish Government
- Jessica Roscoe, Digital Directorate, Scottish Government
- Michael McLafferty, Digital Directorate, Scottish Government
Apologies
- Mike Neilson, Director Digital, Scottish Government
- Jane Davidson, Chief Executive, NHS Borders
- Rosemary Agnew, Scottish Information Commissioner
- Neil Logan, Chair DataLab, Technology Advisory Group (TAG) member and CEO of Incremental Group
- Andrew Morris, Chief Scientist
- Tim Ellis, Registrar General and Keeper of the Records of Scotland
- Phillip Couser, NHS: NSS
Items and actions
Welcome
1. Sarah Davidson provided a brief introduction, noting that the purpose of the meeting would be to:
- Note updates to workstreams involved in supporting the delivery of the Data Vision
- Have an in-depth round table discussion on verification, with a view to aiding on-going policy development
Item 1 - Supporting Delivery - Workstream Updates
2. Workstream updates were taken on an exception basis.
3. Roger Halliday informed the meeting that significant work on linkage is being undertaken by his team and that, with reference to the Scottish Informatics Linkage Collaboration – Senior Management Board (SILC-SMB), the Digital Economy Bill will enable us to bring data together. Ministerial views will be sought on this in due course.
Item 2 - Focus on: Verification
Introduction:
4. The primary purpose of this DMB meeting was to have a facilitated, in-depth, discussion on verification with the intention of gathering the views of the DMB to both nuance and inform scheduled advice aimed at supporting Ministers in responding to consultation responses.
5. Alan Johnston introduced the topic of verification, largely from the perspective of the individual, covering considerations such as:
- How can a citizen prove they are who they say they are and be assured that their identity is secure?
- What information can individuals/service providers hold, own or see?
- Should a user be required to consent to gain a service?
- Existing data protection and privacy laws
- Lessons learned from, and the way forward from, the NHSCR consultation.
Alan went on to present the list of questions at Annex A for further round table examination. Please note DMB requested that the list be amended to include the points raised over the course of this discussion – this version can be found at Annex B.
The Importance of Future Proofing:
6. DMB agreed on the importance of future proofing what is put in place now, by ensuring it is robust enough to withstand future technological developments.
7. In light of BREXIT the status of Data Protection is unclear and should be monitored closely in relation to this work e.g. will Scotland/rest of UK be adopting the General Data Protection Regulation (GDPR)?
UK Verify:
8. The Board signified that UK Verify, whilst solid in its intentions, lacks reach and is not without its problems, particularly its poor verification rate for young, old and those without a financial footprint. This would cause a particular problem in the area of Social Security.
9. With these issues in mind, Scottish Ministers have been clear on the desirability of a distinct Scottish model of verification.
10. The main benefit, and ultimate goal, of this work is to provide better services and sound assurances on user privacy. The Board concluded that this session on verification should be seen as a ‘discussion in principle’ concentrating on:
- What works technically
- Acceptability and desirability of the outcomes by citizens
- Establishing a ‘needs-led’ system, as opposed to one that is ‘solutions-led’
Engagement with Citizens:
11. DMB were clear on the importance of pitching the messaging of this work right with Sarah Davidson pointing out that avenues for public engagement have been explored and remain open.
12. DMB explored the idea that there are two types of citizen; those who are keen to engage and those who are more reluctant and suspicious of our proposals. Engagement with the second type will be necessary to discover the root of their suspicions and why they are not using the service. Alan noted that, to some extent, this was covered in the consultation and views were sought on what might be desirable. It should be noted that public services will continue to be available to all, irrespective of an individual’s consent to using these services.
Consent and Opt-Outs:
13. The issues of consent and opt-outs were discussed in detail and in particular whether choosing not to opt-out is a form of consent or implied consent. The conversation was informed by the General Data Protection Regulation (GDPR) imperative that “Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent” which the meeting took to mean that consent is more skewed to opting-in.
14. With citizens having an increasingly significant digital identity, the Board discussed the benefits of taking a human rights approach to consent. It was noted that taking this approach would necessitate a move away from tick-boxes and require consent to be both active and optional. Furthermore, a human rights approach puts an emphasis on personal ownership of records and control of where data is used.
15. DMB agreed that, in taking proposals forward, it would be prudent to have a conversation with citizens about their online identity and that continued thought should be given to how citizens can be given the option to opt in and out of where their data is held. This however does not take into account the legal position on the ownership of an individual’s data identity, but rather focusses on an ideal scenario – it was agreed that conversations with citizens would be necessary to explore this further.
16. DMB noted that the delivery of good public services is paramount and the way in which information is provided is vital in achieving this. The Board discussed how giving citizens the option of consent has the possibility to be detrimental to how data is joined-up and used to deliver services. DMB agreed that a proportional, risk based approach is needed and that citizens will be more likely to provide data if aware of how it will be used and shared.
17. This issue of transparency was explored with the Board noting that transparency and trust provide a measure of control to citizens. UK Verify, which attempts to provide checks and balances, provides a starting block in this respect. Moreover, the capacity to better draw data sets together will be of benefit to citizens.
18. DMB discussed the desirability of offering citizens a choice of the types of information that could be used for verification purposes. The Board was clear that legal regulations and existing processes need to be respected when considering changes and improvements to verification. Furthermore, thought will need to be given to how verification is sought from those who decline to give their consent; will a face-to-face service be available?
19. In considering any additions to the types of information needed to verify an individual, thought should be given as to how a ‘pure picture’ can be developed to mitigate building unnecessarily large data profiles.
20. DMB were clear that there needs to be a strong focus on the purpose of data, i.e. where it will be used and what is its intended use? The Board agreed that this was a significant area of interest and requested a further session on data protection to explore it in more detail.
21. Alan shared his experience of the Estonian model in which citizens are able to view all their held data at a secure facility and asked the Board whether this is something we may wish to mirror in Scotland. In response it was noted that the GDPR states that provision should be made “to allow people to see data held on them”.
22. DMB went on to discuss the benefits of putting the citizen at the heart of the process, thus enabling them to easily amend their records which, it was suggested, is another positive reason for using multiple sources rather than a single database.
23. With reference to ID cards it was agreed that the messaging should focus on the benefits of being able to easily identify oneself rather than giving emphasis to the creation of large databases. It was noted that getting early input from citizens will be essential as will providing assurance on what data is being held and for what purpose.
24. DMB agreed that the role of the Board in this work will be at a strategic, rather than decision making, level and that guest contributions at previous meetings had been useful.
25. The future Scottish Social Security system will require significant verification services and will be an opportunity to consult on data verification in a real, rather than hypothetical, situation. The Board agreed that independent input should be sought and that, in doing so, this work will chime well with the Scottish Government’s ambition of Open Government.
Action Table: Summary
Action No | Action | Owner |
---|---|---|
DMB 8/20 | To organise a further session on data protection to explore it in the context of verification in more detail. | Secretariat |
DMB 8/25 | Independent input to be sought to ensure that continued work on verification will chime well with the Scottish Government’s ambition of Open Government. | Secretariat |
Annex A
What kind of issues and arrangements should be explored, in looking for a way for people to prove their identity on-line?
- Against which information should my claimed identity be checked?
- Should I routinely be able to see that information anyway – and other information held about me?
- Should I be able, for these purposes, to hold that information myself?
- What part should consent play in that process?
- Could or should I be asked to give consent to my identity being checked against a wider range of information – if that allows more reliable verification, and access to a wider range of on-line services?
- Should I have to – is that fair?
- What kind of oversight and governance would be appropriate for any such arrangements?
- What part could any existing arrangements play in these processes?
Annex B
What kind of issues and arrangements should be explored, in looking for a way for people to prove their identity on-line?
Points raised and considered at the Data Management Board meeting on 11 October 2016:
Against which information should my claimed identity be checked?
- DMB discussed the desirability of offering citizens a choice of the types of information that could be used for verification purposes.
Should I routinely be able to see that information anyway – and other information held about me?
DMB noted that the General Data Protection Regulation (GDPR) is clear that provision should be made “to allow people to see data held on them”.
Consent and opt-outs were discussed in detail and DMB agreed that, in taking proposals forward, it would be prudent to have a conversation with citizens about their online identity.
This work should aspire to taking a citizen-led approach by incorporating an option for individuals to opt in and out of where their data is held.
(This objective focusses on an ideal scenario, and does not necessarily take into account the legal position on the ownership of an individual’s data identity, meaning it would be prudent to consult citizens to explore the issue of consent further.)
Should I be able, for these purposes, to hold that information myself?
- Not expressly discussed, however, DMB noted that transparency and trust can provide a measure of control to citizens and also that the facility to draw data sets together will be of benefit to citizens.
(DMB agreed that UK Verify, which attempts to provide checks and balances, provides a starting block in this respect which, if replicated/enhanced within a Scottish version, may alleviate some concerns.)
What part should consent play in that process?
- The conversation on consent was informed by the GDPR imperative that “Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent”
(DMB took the GDPR imperative to mean that consent is more skewed to opting-in.)
- DMB discussed the benefits of taking a human rights approach to consent. This would necessitate a move away from tick-boxes and would require consent to be both active and optional.
Could or should I be asked to give consent to my identity being checked against a wider range of information – if that allows more reliable verification, and access to a wider range of on-line services?
DMB stressed that legal regulations and existing processes should be respected when considering changes and improvements to verification.
How verification is sought from those who decline to give their consent will need further consideration.
In instances where consent is not given, will a face-to-face verification service be available?
Messaging should focus on the benefits of being able to easily identify oneself rather than giving emphasis to the creation of large databases.
Obtaining early input from citizens will be essential in providing assurances on what data is being held and for what purpose.
Should I have to – is that fair?
DMB noted that the delivery of good public services is paramount and the way in which information is provided is vital in achieving this.
With this in mind, according citizens the option of consent/opt-outs could prove detrimental to how data is joined-up and used to deliver services.
Ultimately, DMB agreed that a proportional, risk based approach is needed and that citizens will be more likely to provide data if aware of how it will be used and shared.
What kind of oversight and governance would be appropriate for any such arrangements?
DMB agreed that the resulting system needs to be robust enough to withstand the consequences of future technological developments.
DMB discussed the benefits of taking a human rights approach to consent. This would necessitate a move away from tick-boxes and would require consent to be both active and optional.
DMB were clear that, in progressing and promoting this work, there needs to be a strong focus on the intended purpose of data.
In considering any additions to the types of information needed to verify an individual, thought should be given as to how a ‘pure picture’ can be developed to mitigate building unnecessarily large data profiles.
DMB agreed that the role of the Board in this work will be at a strategic, rather than decision making, level.
What part could any existing arrangements play in these processes?
- The Board signified that UK Verify, whilst solid in its intentions, lacks reach and is not without its problems - in particular its success rate in verifying the young, old and those without a financial footprint. This, if duplicated in a Scottish context, could be especially problematic in relation to social security verification obligations.