That Database

 

The Government wants a centralised, comprehensive database of citizens. They tell us that they currently have around sixty databases which are used by a couple of hundred IT systems. Unsurprisingly, the Government has difficulty keeping all these databases complete and up to date, so they hold bad data about citizens: out-of-date addresses, occupations and marital status, duplicate records, missing records and so on. Failing to ensure that personal data is accurate is a breach of data protection. It’s a common problem; many larger organisations used to have multiple databases which were supposed to hold the same, up-to-date data, but didn’t. It’s easy to see why the Government would want to fix this problem: it must hinder government efficiency, and it is a previously solved problem.

 

 

Master Data Management is the jargon used to describe the processes and methods which define and manage the critical data of an organization to provide a single point of reference. There are two common approaches: either create a central database of commonly needed data to which every system refers, or have a central database of that data which automatically updates all the other databases whenever the data is changed. Either method works fine, and in the second method it is customary to include a regular consistency checking process to validate that the other databases still match the master. Because the authors of the software using those sixty Government databases will not have written them to use any database other than the one they designed, having a single master database to which all systems refer is conceptually easy but sometimes practically difficult. In general it is easier to hold a master database which updates all other subsidiary databases,

 

The government is later than most organisations in addressing this problem, but for good reason - the division of government into multiple legal entities each with responsibility for its own conformance to data protection creates a legal barrier to the idea of a pan-government database. It would be easy for Tynwald to sweep this barrier aside, and the government needs to address the problem to improve efficiency and quality of service, but the potential implications are complex and dangerous - hence some of the concerns voiced by the public. So what are the issues?

 

Data Sharing: because each Government ministry is a separate legal entity, they can only share our data between departments with either our individual permission or the establishment of law which permits the sharing - so for example it would, rather absurdly, be unlawful for the Cabinet Office to share our names and addresses out to the databases used by individual departments, and vice versa. 

 

Data Purposes: even if sharing were permitted, data permissions are based upon purposes. For example permission to collect and process our personal data for operation of the Electoral Roll, even though it is mandatory for us as residents to provide our information for the Electoral Roll, would not permit that data to be used to see if we exist on Tax or Health databases; the purposes for which our data is used must be pre-declared. This is fundamental data protection law to protect us from undeclared abuses of our data. If the simple name and address data gathered for the Citizen’s Database were used to enable cross-referencing between databases, for instance cross-referencing the electoral roll with health department data to check whether someone who claims to be ineligible for jury service is actually exempt, that would be a clear breach of the law. This example of a potential but currently illegal benefit of the Citizen’s Database was suggested in the evidence given by civil servants to the Tynwald Select Committee on the Operation of the Jury System and would imply that a civil servant could have it revealed to them, without the person’s express permission, that someone was ineligible on health grounds. Whilst no detail about the person’s medical impairment might need be exposed, the very existence of a disqualifying impairment might be considered sensitive personal data which someone would not wish to disclose to anyone but their doctor. Any system which could create new purposes for data could be considered a serious risk to privacy.

 

Trust and Compulsion: normally when we give up our personal data to an organisation it is a voluntary act, and that concept is enshrined in European law, albeit that we may effectively have no choice if we want the service provided by the organisation; with Government, however, that’s not the case. There are numerous provisions in law to penalise us if we do not provide Government with our data. Despite the penalties, the Government has an enormous problem in collecting data; a senior civil servant reported to the Select Committee on the Operation of the Jury System that as many as thirty percent of us eligible to vote and forty percent of us who are eligible for jury service have declined to register on the Electoral Roll despite it being mandatory, giving up our right to vote and risking prosecution, in order to avoid handing our data to the government. The reality is clear that many of us do not trust the Government with our data, and any compulsion to provide data which is not absolutely necessary goes against the whole ethos of European data protection law.

 

Theft and Abuse: campaigners have raised the spectre that if the Government puts all our data in one place then it will become a more attractive target for cyber criminals, and as many previous large data breaches have proven, there is no such thing as perfect security. Campaigners have also raised the concern, which harks back to trust, that giving Government greater access to our personal data will increase the frequency with which our data is abused for unsanctioned purposes by irresponsible or criminal public sector employees. Misuse and careless custody of citizens’ personal data by public servants has long been a problem both here and across, and theft of bulk data for financial reward has become a criminal industry in its own right with even European governments openly buying stolen data on the black market. Public concerns about weak data protection practices and poor cyber security are sadly probably well founded.

 

So on the one hand we have an opportunity to help streamline the functioning of Government through the use of Master Data Management, which should result in significant public sector efficiency improvements and a reduction in the cost of Government, but on the other hand there are serious risks both to us as individuals and to the credibility of our data protection regime. 

 

The credibility of our data protection regime is an important consideration. We currently have an EU Data Protection equivalence ruling based upon the old Data Protection Directive, and in some ways we are barely compliant: the island’s penalties for data protection breaches are far lighter than current European expectations. Whilst I am sure our authorities are working out how they will achieve Isle of Man compliance with the new EU General Data Protection Regulation, which brings in much stiffer penalties than the old Directive, if Government really wants to be more sophisticated in its use of our data we need to have appropriate controls and penalties that meet modern European expectations.

 

Data sharing between departments is a simple barrier to remove - either pass legislation permitting it or make the Government a single legal entity as is already under consideration.

 

Data Purpose is harder to solve, but possible. Probably the simplest solution is a declared set of purposes (a long list), independent supervision of all Government data usage (perhaps by the Information Commissioner), and the design of new Government reports, systems and data-linkages on a need-to-know basis, such that it is hard for public servants to misuse or inappropriately access our data. It is entirely possible to design most data extracts and reports so that people only see the data appropriate for their individual job roles, but the Government would need to adopt this as an internal design standard and enforce it on all the new data views enabled by data sharing and linkage.
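A minimal sketch of that design standard, added here as an illustration and not taken from any Government system: every read must name a declared purpose, the caller's job role must be entitled to that purpose, only the fields declared for the purpose are returned, and every request is logged for the independent supervisor. All names, roles, purposes and the sample record are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample record; all field names and values are illustrative.
CITIZENS = {
    "C001": {"name": "A. Example", "address": "1 Sample Road",
             "date_of_birth": "1970-01-01", "health_exemption": True},
}

# Declared purposes (assumed list): each names the only fields it may read.
PURPOSES = {
    "electoral_roll": {"name", "address"},
    "jury_summons": {"name", "address", "date_of_birth"},
}

# Job roles and the declared purposes each may invoke (assumed mapping).
ROLE_PURPOSES = {
    "electoral_officer": {"electoral_roll"},
    "jury_clerk": {"jury_summons"},
}

@dataclass
class PurposeGate:
    audit_log: list = field(default_factory=list)

    def read(self, user, role, purpose, citizen_id):
        """Return only the fields declared for `purpose`, or None if denied."""
        if purpose not in PURPOSES:
            reason = "undeclared purpose"
        elif purpose not in ROLE_PURPOSES.get(role, set()):
            reason = "role not entitled to purpose"
        elif citizen_id not in CITIZENS:
            reason = "no such record"
        else:
            reason = None
        # Every request, allowed or denied, is recorded for the supervisor.
        self.audit_log.append({"user": user, "role": role, "purpose": purpose,
                               "citizen": citizen_id, "allowed": reason is None,
                               "reason": reason})
        if reason:
            return None
        record = CITIZENS[citizen_id]
        return {k: record[k] for k in PURPOSES[purpose]}

    def denied(self):
        """Entries an independent supervisor would review first."""
        return [e for e in self.audit_log if not e["allowed"]]
```

Because the health flag appears in no declared purpose, no role can read it through the gate, and an attempt to invent a new purpose is refused and left in the audit trail.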

 

Finally, we can link the Trust, Compulsion, Abuse and Cyber Security issues together; they are all faces of the same problem. Some compulsion to provide data is necessary because not all citizens are responsible or honest; however, we’re never going to see high levels of trust in government handling of our data while there are regular reports of personal data abuses and slack security procedures which effectively go unpunished. Currently the maximum fine for a data breach on the Isle of Man is, if I’ve read the rules correctly, five thousand pounds. To match the new EU General Data Protection Regulation that would need to rise to twenty million Euros or four percent of turnover - whichever is greater.

 

It is, however, no use fining the Government; all that means is that we the victims wind up paying as taxpayers for public servants’ abuses of our data - a double whammy against the citizen. In order to restore public trust in Government’s handling of our data, and to enable public trust in a Citizen’s Database, we are going to need a data protection regime which imposes high data protection standards and levies hefty penalties directly onto public servants for any public sector data protection breaches.