Exploring GDPR impact on planning data-sharing projects in local borough areas and possible interventions so that data-sharing projects can be designed and implemented with confidence that GDPR requirements are met
Councils and partners collect large amounts of data in the course of their work, which if joined up could bring much greater insight and better inform policy and strategy design. However much of this data is collected for a specific purpose, project or for compliance with particular legislation and is held by a particular team or service separately from other data-sets. There are many examples of ways in which combining data from existing “data silos” could be combined to:
- Provide greater information on clients needs and service use to inform policy and strategy
- Identify areas of greatest need and cohorts/individuals with high levels of service use
- Give a full picture of clients needs to frontline practitioners supporting more efficient and effective interventions
- Support creation of algorithms and use of artificial intelligence (AI) to identify cohorts “on the cusp” of service need who can be targeted for earlier intervention
Most Public Authorities have accepted the benefits of “little big data” and the opportunities and benefits effective exploitation of this data can provide for greater efficiency, cost savings and better services. This is a position which is becoming more and more accepted at every level throughout the public sector.
However alongside this acceptance of the benefits of joined up data there is also the stronger requirement of remaining lawful. Councils accept the principles of, and need for, data privacy, individual’s control over their own data and the individuals right to access their data but are often unsure of how GDPR legislation affects their ability to share and combine data. In the face of potentially large financial penalties, in the context of shrinking local government revenues, the “safest” way to ensure compliance with GDPR is to not share data. This position stymies the ability for greater innovation achieved through data sharing and analysis. “Public sector access to data has been hindered by a complex legal framework that has grown piecemeal over time. Public authorities have found it increasingly difficult to understand what information they can share.” Lee Pope & Paul Blake, Data Policy and Governance Team, DCMS
The purpose of GDPR is not to restrict legal use of data or data-sharing (which can bring positive outcomes for residents and services), however, there is a lack of common understanding across service leads, teams and organisations of the practical implementation of GDPR and its restrictions, which can be applied to proposed data projects across teams, services and local partners. Our discovery project aims to produce guidance on GDPR implications and restrictions in the use of public sector data to establish a shared understanding for data holders, analysts and project/policy leads at all levels of a public organisation.
The creation of this guidance will be reliant upon the findings taken from examples of good GDPR compliant data-sharing practice from existing, successful public sector projects. The relevance of the guidance will be affected by any emerging case law that alters understanding of GDPR implementation and infringement; this will always be the case and waiting for a point when all GDPR implications are fully understood meanwhile retards progress.
Key stakeholders in this work will be Local Authorities (particularly Information Governance leads), their public sector partners and their legal support teams. Other key stakeholder will include MHCLG (particularly the Local Digital Collaboration Unit), the Government Digital Service and the Information Commissioner’s Office. External input will be sought from organisations known to have an understanding of implemention of public-sector data-sharing exercises including LOTI and North West London Collaboration of CCGs
Hypotheses
- Policy and project leads halt data-sharing projects at an early stage due to concerns around GDPR
- Addressing users’ GDPR concerns will result in more data-sharing projects being implemented and the consequent cost savings and better client outcomes
Assumptions
- Public sector data-sharing projects can be implemented without infringing on GDPR requirements and evidence already exists of how this can be achieved
- Potential users are familiar with GDPR responsibilities, but not knowledge/confidence of how to build GDPR compliance into projects
- Better guidance/information will allow users to plan data sharing, analysis and use strategies with reasonable confidence at an early stage enabling more projects to progress.
Current tools in place for GDPR compliance are:
- Software training packages on staff GDPR responsibilities
- Information Management Frameworks to ensure staff awareness of GDPR responsibilities and obligations and Information Management Framework Boards to produce and review IG policies and guidance
- Information Governance (IG) Leads providing advice and guidance
These tools are concentrated on setting out responsibilities and obligations rather than providing tools to enable users to embed GDPR compliance into data-sharing
The Information Sharing Gateway is an existing external tool to assist in the creation and recording of Data Sharing Agreements.
How will this research be undertaken
Establish users
Review of typical types of project / data work where GDPR has implications AND identify data project areas where GDPR has been flagged as an issue or barrier
Establish who makes early stage decision to progress or halt these projects
Method-
- Brain-storming and research to identify types of project work with GDPR implications and projects halted due to GDPR concerns
- Consult with services to understand who (what role, what individual) makes early stage decisions
Establish User Needs
Establishing the GDPR knowledge needs of identified user group to understand where specific lack of knowledge is e.g. establishing privacy impact assessment, understanding of council data sharing policy or knowledge of processes/policies to ensure compliance
Method-
- Work with identified users to explore GDPR understanding; its relevance to their policy area/projects/data-sharing plans, particular areas of uncertainty, assumptions about restrictions
- Understand how user-group accesses knowledge/how they would like to access knowledge on GDPR
- Flexible approach to working with users, options of email questionnaires, telephone/face to face interview or workshops
Establish scale of lost opportunities
Understand the potential level of missed cost-savings, increased efficiency and greater outcomes from halting of data-sharing projects due to GDPR concerns
Method-
- Review halted projects with users and understand estimated cost/improved outcomes benefits
- Create justifiable estimate of unknown projects (based on review of known projects) dismissed before started due to GDPR concerns
Identify best practice/ enabling knowledge
Identify similar data-sharing projects (in the public, private or third sector) that have progressed and undertake research to understand how GDPR issues were surmounted.
Identify exemplar methods for disseminating knowledge on practical project-planning and GDPR issues
Method-
- Corporate knowledge and desk-based research to identify known exemplar projects and effective knowledge dissemination for practical GDPR consideration
- Information and knowledge sought from external stakeholders e.g. Local Digital Collaboration Unit, other public sector organisations. Desk-based and primary research undertaken to identify approach taken to GDPR.
Review best practice/enabling knowledge with users
Review with users halted projects to understand how best practice/enabling information would have allowed these projects to progress. Understand how best practice/enabling information would benefit future data-sharing ambitions
Review with users potential ideas for disseminating/making available on demand best practice/enabling knowledge
Method-
- Workshops with users to understand how project findings could have affected their decision not to progress with their data projects/ encourage them to explore new data-sharing projects, understand questions not answered/remaining areas of ambiguity/uncertainty
- In depth interviews with those planning new data-sharing projects to understand how findings so far might benefit their planning
Review findings and plan for necessary iterations
Review findings from project so far, identify potential for guidance/knowledge as gathered to enable data sharing projects and potential delivery mechanism/s
Identify elements most helpful to users and brainstorm how these could be further developed
Identify areas for further iteration with users
Understanding results and next steps
Analysis of progress; gauge achieved understanding of user needs and progress to meeting them, identify gaps in understanding/best practice identified, review cost benefits/ outcome benefits of solving issue and continuing exploration of issue.
The potential cost of data projects across the public sector being halted due to GDPR concerns, which may not have been a real issue or could have had a possible solution, is difficult to quantify at both the local and national level. As projects which have not been progressed are unlikely to have had cost benefits fully quantified.
Looking at the national picture and potential for cost savings there is ample opinion that data sharing across Local Government could provide savings described as “huge” “significant” and “substantial” but there are little concrete estimates of the overall savings possible. And therefore little to estimate the percentage of savings that are being lost through projects not being progressed due to unfounded GDPR concerns. More commonly there are results and estimates based upon the implementation of certain schemes, for example data sharing through the National Fraud Initiative is estimated to have saved the UK more than £300m across the UK over 2016/17 and 2017/18 financial years.[1] Maggie Moodie of Morton and Fraser stated “Scottish local authorities have avoided costs of more than £1 million as a result of collaborative working within the Local Government Digital Partnership.”[2] Eddie Copeland, Director of LOTI estimated that “Putting in place data-sharing arrangements to make a success of Whole Place Community Budgets across the country could save the public sector between £9.4 billion and £20.6 billion over 5 years.”[3] Similarly it is widely accepted that data sharing will enable better outcomes, “There is huge potential for improving citizens’ lives through data sharing in the UK” (Matt Hancock, 2016 as Minister for the Cabinet Office). Local Government’s important role in realising savings and better outcomes through data-sharing is not contested. Through our project we will explore specific projects that have been halted due to GDPR concerns and after our research will then re-approach the project leads to understand how the evidence we have gathered may have meant that the project progressed further. We will evaluate estimated cost savings from projects that would have gone ahead with better GDPR compliance information and establish the combined figure as a baseline. Expanding this to service areas where similar data sharing issues might have been halted due to GDPR concerns. This will provide an estimate for our partnership and a means by which to measure potential cost to other areas- e.g. a mean of the estimated costs for Brent and Hounslow should provide a good indicator for urban areas, results from Huntingdonshire will give an estimate cost level for rural areas. We are aware that this data will be based on London and SE midlands region information and there may be divergence when comparing with rural area in the NE region or urban areas in the SW. However it should give an estimate of potential lost savings for the London and SE midlands region and allow some (qualified) estimates for the national problem where none previously existed. We have spoken with the London Office for Technology and Innovation (LOTI) who recognise the current issues around data sharing and how different interpretations of GDPR and a non-standardised process can lead to projects being dropped at an early stage when there may be solutions and processes to ensure compliance with GDPR legislation. LOTI are continuing to look at information governance issues and this pilot could provide supportive information and insight for projects they are looking to trial or explore. We will engage with LOTI during our project to ensure we capture their knowledge to feed into our research. |
[1] https://www.publicfinance.co.uk/news/2018/08/government-data-sharing-fraud-initiative-saves-ps300m
[2] https://www.morton-fraser.com/knowledge-hub/data-sharing-public-sector
[3] http://eddiecopeland.me/how-smarter-use-of-tech-data-can-reform-local-government/
The partners in this project and targeted users for research are geographically spread and as such, and for most effective use of time, we will conduct most project management and progress meetings digitally. We will also ensure that the consultancy engaged is experienced and able to carry out its research and interview role via digital means, however we will also consider physical face-to-face research or workshops where the consultancy has justification (e.g. the value of group working to consider how new guidance would have affected project decision making processes or a large number of users available in a single location on a single day).
For the purposes of the project the consultancy engaged will be considered a project partner. Procurement and payment responsibility will remain with LB Hounslow as the lead applicant, however the consultancy will be invited to project meetings/catch-ups, full access to all shared workspace and progress boards, partners will all be able to communicate with each other freely to discuss particular issues and findings.
Tools
- Stand-up meetings to manage sprint planning, progress and backlogs via Skype or similar (LBH has smart meeting rooms and laptops with built-in audio-visual skype conference calling and live document sharing, which can be accessed via any smartphone with camera)
- Dedicated shared project board (Trello or similar) to capture information, progress and share knowledge
- The gathering of user stories from all relevant stakeholders to capture everyone’s wants and the benefit that would bring
Throughout all phases all partners will be encouraged to reconsider initial assumptions, challenge approaches and findings and put forward areas for further development.
Governance
Project Oversight and Advisory Group of key senior project leads to challenge findings, provide advice and sounding board, monitor progress, finance and suggest useful areas for exploration/iteration
Service Manager from LBH responsible for oversight- direct reporting from LBH Project Lead- ensuring information shared with Senior Responsible Officers from other LAs/local partners
The issue this project is looking to resolve is assumed to be present in a number of local authorities across the UK. If the outcomes of this initial “Discovery Phase” are promising then we will be re-submitting the project for Alpha funding (or to explore details further in another Discovery phase), to reinforce our understanding of the details of GDPR issues and investigating the method of delivery to users.
The Local Digital Collaboration Unit’s (LDCU) broader understanding of technology projects across England and experience with dealing with GDPR as part of digital projects would be extremely useful both in this initial stage and in any further stage, particularly in these areas:
- Access to team members for interview, to draw on knowledge of successful data-sharing projects that have surmounted GDPR issues and introductions to relevant involved contacts we can approach for interview or information will strengthen the evidence base for the project
- Advice on consultant procurement and the expertise available in the digital marketplace
- Reviewing the project’s “Discovery” outputs with the project team to evaluate whether better GDPR guidance would have resulted in projects progressing and provide opinion on the best way forward for the project
- LDCU’s understanding of a wide-range of digital projects which have a staff training/information dissemination aspect would be useful to draw on in understanding digital solutions that would enable GDPR project guidance to be delivered to relevant officers in the most effective way.
- Advice and guidance on how best to promote any solution to LAs and public sector bodies across the UK