In the last few months, there have been several stories of councils developing predictive algorithms to identify families where children may be at risk from abuse or gang exploitation. According to research by The Guardian, algorithms have been developed using data from at least three separate agencies: school attendance and exclusion data, housing association repairs and arrears data, and police records on antisocial behaviour and domestic violence.
Such insight from data analysis is invaluable to councils. Supporting vulnerable families is arguably the most important task that councils can perform, and for many councils the combined budgets for adult and child care account for more than half of their total spend. Early intervention has the potential both to improve outcomes, by preventing difficult situations spiralling out of control, and to reduce long-term costs.
How does this affect data privacy?
However, for public sector organisations to make the most out of their data, there are several steps they need to undertake first, including ensuring they are aware of all relevant data protection laws and are abiding by ethical standards.
This issue is growing ever more prevalent as the rise of machine learning and use of predictive models by organisations raises important questions, both ethical and legal. For example, what constraints need to be considered? Also, what safeguards and oversight are needed to ensure that privacy laws aren’t broken?
With data being collected and stored at an unprecedented rate, it is easier than ever for firms to share it, merge it with other data and analyse it to gain valuable insight. However, organisations must not forget that the rights of the individual, the data subject, are enshrined in new laws, including what may and may not be done with their personal data. There is a tension between what can be done (technically) and what may be done (legally).
Data privacy in the UK is covered by the Data Protection Act 2018, which replicates the EU’s General Data Protection Regulation (GDPR) and provides a principle-based legal framework for processing personal data in ways that respect individuals’ rights.
Starting with the rights of the individual, a data subject has the right to be informed about how their data will be used, which implies that this information is available at the point when the data is first collected. In simple terms, it means that the following questions require clear, unambiguous answers: What data of mine do you need? Why do you need it? What will you do with it? How will you keep it safe? Who will you be sharing it with? And what will you do with it when you no longer need it?
Maintaining citizens' trust
On top of the operational challenges that councils face, maintaining a trusting relationship with their citizens is paramount. More still needs to be done as Civica research found that only 11% of the UK public completely trust their local authority or the government to handle their data. Although councils are continuing to transform their services through insight-driven models, more work is needed for improved data transparency, security and shared access.
On the positive side, 48% of the UK public agreed that sharing more information will lead to better services, so they are open to building that relationship further.
Data analysis vs data collection
The primary purpose of data collection may well be straightforward. For a council, data may be collected with the aim of collecting council tax, providing social housing or the day-to-day management of schools.
Data analysis is different. It rarely starts with the collection of fresh data. It typically starts with a question and then looks for the answers in data that is available, which is usually in multiple databases, collected over years for diverse and unrelated purposes. In the case of the councils, a reasonable question might be, “is it possible to identify families where children are at an increased risk of abuse?” This leads to a series of hypotheses about the selection of existing datasets held by the council and other public services. It is very unlikely that local residents ever thought that their council tax payment records might one day be combined with police records and used to assess the risk of child abuse.
A proven model for insight and data privacy
Addressing current and future data regulation challenges, and enabling analysis and data sharing between agencies under GDPR/DPA18, requires a reliable, robust data governance framework, including:
1. Data review and roadmap – reviewing the personal data you have, how and why it was collected and its limitations.
2. Scope of analysis – what data will be included in the scope of the analysis, whether or not personal data is required, and if so, whether or not there is a legitimate legal basis for the processing.
3. Validation & governance – designing governance processes that include Data Protection Impact Assessments (DPIAs) to help validate and approve the use of personal data for specific new purposes, identify any necessary steps or precautions that are required to stay within the law, and prepare any necessary communication. When data is shared between agencies, this will include multi-agency governance.
All three of these aspects form part of good data governance practice and create leading insight-driven organisations, reconciling the need for high-value data with respect for comprehensive data protection laws.
Ultimately, organisations which can demonstrate that they can be trusted with other people’s data will gain an advantage over those who can’t. Not only will they reduce the risk of large-scale fines, but they’ll also reduce the much more serious risk of losing the trust of their customers or citizens. Because we all know that public trust is hard to win but very easy to lose.