UK Government data sharing

I was at CapitolCamp today in Albany, New York. A great event for many reasons – especially the forward-looking nature of the State Senate, @ahoppin, and all of the great people there. Now I said some things about OpenID and data protection that probably need a bit more explanation. Some things are just too nuanced to explain in a Twitter post – so I figured that an explanation of the correct quotes needed a bit more flesh.

1. OpenID is not permitted for many services in the UK

For most central government services that are provided online (where authentication is needed) the UK-specific http://www.gateway.gov.uk/ is mandated. The mechanism has some similarity to OpenID, apart from the open bit. I do not own my ID, and portability does not enter my thoughts, as it would with my own OpenID.

I am sorry for telling this truth – it is tragically true. The level of mandate is not legislative in most cases – but sufficiently politically focused that OpenID is unlikely, ever. Even where it is optional to choose either or neither, neither is most likely, followed by Gateway. Politics…

2. Government departments are often not legally allowed to share data

The Data Protection Act specifically describes how data can be shared. Some significant points are:

  1. You can only use the data for the purpose provided
  2. You can only share data with the citizen's signified consent (signified here has big connotations)
  3. If information is collected under statute, you cannot share it even with signified consent

The upshot of this is that if I go and change my address with the DVLA (they issue driving licences and car ownership documents) or with the Inland Revenue (they verify that I paid the correct tax) I provide them my address for that purpose under statute. Changing an address with one cannot update the other – even though I log into both systems with the same ID. Even if this were not a technology challenge currently – it would be legally not permitted.

This prevents an OAuth-like sharing of data. A workaround, as weird as it seems, would be to set up a change of address service, which in turn could notify both of the departments. This is absurd – but true last I checked. I would like this to be not true as well – and I am not a lawyer, so other interpretations are possible – this is my best understanding.

3. Few people are sure who owns UK map data

Even though the UK is years ahead in terms of mapping data it is very confusing as to who owns the data, like this:

  1. Postcodes belong to the Post Office – if you use them without sublicence from the Post Office you are responsible for paying a fee, depending on how you read the law
  2. Data derived from Ordnance Survey geo references cannot be displayed on a Google Map according to recent OS guidance; what constitutes derived data and whether the Ordnance Survey actually care is unclear.
  3. The local authority collates data within its boundary, and may have a licence to use it. It may or may not have the ability to use the data for the bordering organisations, but most likely does not.

It is theoretically simple to do an interesting set of cool stuff with maps and government data – and you could just do it, and wait to see if there were consequences – or you could wait until you found certainty. The latter is optimism.

Summary

Using OpenID is unlikely for UK central government services, and sometimes unlawful. Using OAuth is impractical and possibly unlawful in most central government cases, and even non-personal data (like mapping) has constraints.

Fortunately most of the work that our organisation does is at the municipality level – where we would happily advocate using OpenID, OAuth and Google Maps. Each of these for each customer on an optional basis is desirable – I certainly hope to do my bit in promoting these technologies where I can.


Comments

On your point 2, you have misunderstood the protections against data-sharing in English Law, most of which also exist in US law. The Data Protection Act is a feeble piece of legislation which is also misunderstood by most of those who blame it for things they can’t do, or purport to apply it in refusing to do things they don’t want to. It confuses things a lot, because it overlays other more important principles, and because both its fans and its detractors exaggerate its importance.

The issue you describe is one of both ultra vires and common law confidentiality. Information that is confidential cannot be used except for the purpose for which it is given. Quite separately an official body cannot do something it has no legal power to do. These are vital protections of the citizen against the power of government agencies in Britain, where there are no constitutional constraints on the executive.

Guy, Thank you for the comment – It would make things easier if everybody shared your interpretation of the DPA. What you are saying is in the spirit of what was intended, and certainly concurs with my understanding of the concepts. The letter of the law, and importantly the accompanying guidance, is more ambiguous and tends to support the belief that you had when you started reading it.

Better guidance would help, though I think that the issue is more cultural. Data Protection Officers, or whatever they are called now (Information Officers?) are often the guardians of “No” – and many of the legal departments are just as likely to be looking at buying trucks or employment law as dealing with this subject.

Cases like http://news.bbc.co.uk/1/hi/england/1659807.stm have caused further confusion as people follow the hearsay version (Accountant from Wakefield gave one in the eye to “the man” because of a clear abuse without signified consent) rather than reading the case.

What is really happening on the ground is that organisations take the safest route, starting with blank systems, and joining up customer records and cleaning data as they go, being careful to get consent and record it. Misunderstood or not, the common practice has the organisation balancing the needs of the customer against the earlier (mis?)interpretation.

Do you have any useful references that support what you are saying that we could share more widely? Anything that pushes the conversation and understanding forward, particularly clear government documentation, would help.

Gateway.gov.uk is anything but open, and I also thought this was down to the DPA – so the interpretations of the DPA listed are interesting.

More information would be useful for me too.
