Public data in private hands – should we know who manages our data?

When Tesco reportedly planned to sell off its data arm Dunnhumby [1] in January this year, it was a big deal.

Clubcard and the data which deliver customer insights – telling the company who we are, what we buy and how and when we shop using ‘billions of lines of code’ – will clearly continue to play a vital role in the supermarket customer relations strategy, whether its further processing and analysis is in-house or outsourced.

Assuming the business is sold,  clubcard shoppers might wonder who will then own their personal data, if not the shoppers themselves? Who is the data controller and processor? Who will inform customers of any change in its management?

“Dunnhumby has functioned as a standalone outfit in the past few years, offering customer information services to other retailers around the world, and could operate in a similar way for Tesco post-acquisition.”

I haven’t seen in the same media that the Dunnhumby speculation turned into a sale. At least not yet.

In contrast to the commercial company managing customer data for those who choose to take part, the company which manages the public’s data for many state owned services, was sold in December.

For an undisclosed value, Northgate Public Services [2] part of NIS was sold in Dec 2014 to Cinven, a European private equity firm.

What value I wondered does the company have of itself, or what value is viewed intrinsic to the data it works with – health screening, the National Joint Registry and more? It formerly managed HES data. What was part of the deal? Are the data part of the package?

Does the public have transparency of who manages our data?

Northgate has, according to their website, worked with public data, national and local government administrative data since 1969, including the development and management of the NNADC, “the mission critical solution providing continuous surveillance of the UK’s road network. The NADC is integrated with other databases, including the Police National Computer, and supports more than 3 million reads a day across the country.”

Northgate manages welfare support payments for many local authorities and the Welsh Assembly Government.

Data are entrusted to these third parties by the commercial or public body, largely without informing the public.

One could argue that a ‘named owner and processor’ is irrelevant to the public, which is probably true when things are done well.

But when things go wrong or are changed, should ‘the supplier’ of the data, or rather the public whose data it is, not be told?

If so, citizens would be informed and know who now accesses or even owns our public data that Northgate had in the past. Different firms will have different levels of experience, security measures and oversight of their practices than others. To understand how this works could be an opportunity for transparency to create trust.

Trust which is badly needed to ensure consensual data sharing continues.

So what will the future hold for these systems now owned by a private equity firm?

The buyer of Northgate Public Services, Cinven, has experience making a profit in healthcare.

We hear few details of plans available in the public domain about the NHS vision for data management and its future in public research.

We generally hear even less about the current management of the public’s data unless it is in a crisis, as front page stories will testify to over the last year. care.data has been in good company generating anger, with HMRC, the electoral register and other stories of legal, but unexpected data use of citizens’ data.

As a result we don’t know what of our public data is held by whom.

The latest news reported by the DM [3] will not be popular either given that 2/3rds of people asked in research into public trust over the governance of data [4] have concerns about public data in the hands of private firms:

Controversial plans to give private companies such as Google responsibility for storing people’s private personal health data could be revived, a minister has suggested.”

Could there ever be privatisation plans afoot for HSCIC?

It’s going to be interesting to see what happens next, whoever is making these decisions on our behalf after May 7th.

Certainly the roadmap, business plan, SIAM goals, and framework agreement [5] have given me cause to consider this before. The framework agreement specifically says change to its core functions or duties would require further primary legislation.”
[HSCIC DH framework agreement]

hscic_DH_framework

 

Changes to the HSCIC core remit, such as privatising the service, would require a change in legislation which would by default inform parliament.

Should there not be the same onus to inform the public whose data they are? Especially with “protection of patients being paramount”.  One could say protections should apply to our consumer data too.

Regardless of whether data are managed in-house or by another third party, by the state or commercial enterprise, if third parties can be outsourced or even sold, should consumers not always know who owns our data and of any changes in that guardianship?

Taking into account the public mistrust of commercial companies’ data management I would like to think so.

Further privatising the workings of our state data without involving the public in the process would certainly be a roadmap to driving public confidence on data sharing into the ground.

So too, when it comes to public trust, we might find when the commercial sale of consumer Clubcard data goes ahead, every little does not help.

****

Refs:

[1] Computing 14.01.2015 – article by Sooraj Shah: http://www.computing.co.uk/ctg/feature/2390197/what-does-tescos-sale-of-dunnhumby-mean-for-its-data-strategy

[2] Northgate sale to Cinven http://www.northgate-is.com/press-release-nps.html / http://www.northgatepublicservices.co.uk/

[3]  On the future of data handling http://www.dailymail.co.uk/news/article-3066758/Could-Google-look-NHS-data-Controversial-plans-revived-minister-says-technology-firms-best-placed-look-information-securely.html

[4] Ipsos MORI research with the Royal Statistical Society into the Trust deficit with lessons for policy makers https://www.ipsos-mori.com/researchpublications/researcharchive/3422/New-research-finds-data-trust-deficit-with-lessons-for-policymakers.aspx

[5] HSCIC DH Framework agreement http://www.hscic.gov.uk/media/13866/Framework-Agreement-between-the-Department-of-Health-and-the-HSCIC/pdf/Framework_Agreement_between_the_Department_of_Health_and_the_Health_and_Social_Care_Information_Cent.pdf