Transparent citizens and opaque government

A year ago this week, the UK government published a report entitled 'Transparent Government, Not Transparent Citizens', authored by Dr Kieron O’Hara. It made fourteen recommendations, the most important of which seem not to have been implemented. Meanwhile, the government continues to release data on citizens, and is accelerating these disclosures with some ambitious new policies.

This inaction on privacy and open data is particularly worrying given the UK’s leading role in open data and the international 'Open Government Partnership'. Where the UK leads, other countries often follow, and we are failing dangerously.

The O’Hara report recommends that the government:

1. Represent privacy interests on the Transparency Board
2. Use disclosure, query and access controls selectively
3. Include the technical paradigm
4. Move toward a demand-driven regime
5. Create a data asset register
6. Create sector transparency panels
7. Implement a procedure for pre-release screening of data to ensure respect for privacy
8. Extend the research base and maintain an accurate threat model
9. Create a guidance product to disseminate best practice and current research in transparency
10. Keep the efficacy of control in the new paradigm under review
11. Maintain existing procedures for identifying harms and remedies
12. Use data.gov.uk to raise awareness of data protection responsibilities
13. Investigate the Vulnerability of anonymised databases
14. Be transparent about the use of anonymisation techniques

Some of these are more relevant in the short and medium term than others. We would like existing procedures to be maintained in improved forms.

On particular recommendations:

1. The loss of Tom Steinberg from the Transparency Board was a serious step backwards from a privacy perspective. That he has not been replaced says much about the respect for the privacy aspects of the transparency agenda. Tom’s privacy credentials are impeccable, and replacing him will not be easy. The announcement today of Gavin Starks as CEO of the Open Data Institute is welcome, given his strong track record on privacy issues. Yet there remains a fundamental difference between an institutional remit and a personal interest. Government plans to release data from Health and Education should be suspended until this is rectified. 

3. It is unsurprising, but unfortunate, that a technical author would suggest more inclusion of the technical paradigm. The lack of references and content from the social sciences world, which has dealt with this issue for decades, is a disappointment, while the medical community believes that the Hippocratic oath and the medical register prevents problems with data sharing, since it stays within the community. The report's choice of focus is less than ideal. The considerations of privacy must be interdisciplinary, and any lack of consideration will lead to continuing problems.

7. We would very much like to see this recommendation implemented well, but there seems to have been no real progress on this procedure. The ICO draft guidance on anonymisation is fundamentally flawed, lacking adequate consideration of the relationship to other datasets, and not understanding the potential impacts. Recent examples of data openness from the Department of Education suggest that any procedure is being ignored.

8.,10. and 11. The use of an accurate threat model is important. The pending DfE data indicates that work on this within government is flawed. The existing procedures for identifying harms need to be updated to cope with an open data world - simply "maintaining" them is insufficient. It is unacceptable for departments to claim that they they are releasing more data into the public domain, without ensuring that their models are appropriate to the avaialble data.

As an example of how this agenda can go wrong, we only need to look at the National Pupil Database appathon, which first ran in July and will happen again on 22nd September. At the last event, it took only a few minutes for one person to generate serious questions about the quality of anonymisation. Privacy International is waiting for a response from the Department for Education to our questions regarding their processes; we told them we would refrain from comment publicly for now, though we hope to provide an update soon.

Had the O’Hara recommendations been implemented, this problem might have been caught internally and fixed. We would have preferred an adequate review that included a multi-disciplinary understanding of the data. We hope that the Cabinet Office will convene such an international and independent review from academia and civil society. The UK is in a leading position to do this, and can signal that it realises the importance of such, when it is about to take on the rotating chair of the Open Government Partnership. We expect the government to use that role to reaffirm Article 8 of the European Convention on Human Rights, and to promote the right for privacy internationally with the government transparency agenda. The UK can deliver something substantial, practical and useful, but the badly anonymised data planned for release suggests that they don’t understand why that would help.