Tag Archives: law

datasharing, politics, privacy

Mutant algorithms, roadmaps and reports: getting real with public sector data

The CDEI has published ‘new analysis on the use of data in local government during the COVID-19 crisis’ (the Report) and it features some similarities in discussing data that the Office for AI roadmap (the Roadmap) did in January on machine learning.

A notable feature is that the CDEI work includes a public poll. Nearly a quarter of 2,000 adults said that the most important thing for them, to trust the council’s use of data, would be “a guarantee that information is anonymised before being shared, so your data can’t be linked back to you.”

Both the Report and the Roadmap shy away from or avoid that problematic gap in their conclusions, between public expectations and reality in the application of data used at scale in public service provision, especially in identifying vulnerability and risk prediction.

Both seek to provide vision and aims around the future development of data governance in the UK.

The fact is that everyone must take off their rose-tinted spectacles on data governance to accept this gap, and get basics fixed in existing practice to address it. In fact, as academic Michael Veale wrote, often the public sector is looking for the wrong solution entirely.The focus should be on taking off the ‘tech goggles’ to identify problems, challenges and needs, and to not be afraid to discover that other policy options are superior to a technology investment.”

But used as it is, the public sector procurement and use of big data at scale, whether in AI and Machine Learning or other systems, require significant changes in approach.

The CDEI poll asked, If an organisation is using an algorithmic tool to make decisions, what do you think are the most important safeguards that they should put in place  68% rated, that humans have a key role in overseeing the decision-making process, for example reviewing automated decisions and making the final decision, in their top three safeguards.

So what is this post about? Why our arms length bodies and various organisations’ work on data strategy are hindering the attainment of the goals they claim to promote, and what needs fixed to get back on track. Accountability.

Framing the future governance of data

On Data Infrastructure and Public Trust, the AI Council Roadmap stated an ambition to, “Lead the development of data governance options and its uses. The UK should lead in developing appropriate standards to frame the future governance of data.”

To suggest we not only should be a world leader but imagine that there is the capability to do so, suggests a disconnect with current reality, none of which was mentioned in the Roadmap but is drawn out a little more in the CDEI Report from local authority workshops.

When it comes to data policy and Artificial Intelligence (AI) or Machine Learning (ML) based on data processing and therefore dependent on its infrastructure, suggesting we should lead on data governance, as if separate from the existing standards and frameworks set out in law, would be disastrous for the UK and businesses in it.  Exports need to meet standards in the receiving countries. You cannot just ‘choose your own’ adventure here.

The CDEI Report says both that participants in their workshops found a lack of legal clarity “in the collection and use of data” and, “Participants finished the Forum by discussing ways of overcoming the barriers to effective and ethical data use.”

Lack of understanding of the law is a lack of competence and capability that I have seen and heard time and time and time again in participants at workshops, events, webinars, some of whom are in charge of deciding what tools are procured and how to implement public policy using administrative data, over the last 5 years. The law on data processing is accessible and generally straightforward.

If your work involves “overcoming barriers” then either there is not competence to understand what is lawful to proceed with confidence using data protections appropriately, or you are trying to avoid doing so. Neither is a good place to be in for public authorities, and bodes badly for the safe, fair, transparent and lawful use of our personal data by them.

But it is also lack of data infrastructure that increases the skills gap and leaves a bigger need to know what is lawful or not, because if your data is held in “excessive use of excel spreadsheets” then you need to make decisions about ‘sharing’ done through distribution of data. Data access can be more easily controlled through role-based access models, that make it clear when someone is working around their assigned security role, and creates an audit trail of access. You reduce risk by distributing access, not distributing data.

The CDEI Report quotes as a ‘concern’ that data access granted under emergency powers in the pandemic will be taken away. This is a mistaken view that should be challenged. That access was *always* conditional and time limited. It is not something that will be ‘taken away’ but an exceptional use only granted because it was temporary, for exceptional purposes in exceptional times. Had it not been time limited, you wouldn’t have had access. Emergency powers in law are not ‘taken away’, but can only be granted at all in an emergency. So let’s not get caught up in artificial imaginings of what could change and what ifs, but change what we know is necessary.

We would do well to get away from the hyperbole of being world-leading, and aim for a minimum high standard of competence and capability in all staff who have any data decision-making roles and invest in the basic data infrastructure they need to do a good job.

Appropriate standards to frame the future governance of data

The AI Council Roadmap suggested that, “The UK should lead in developing appropriate standards to frame the future governance of data.”  Let’s stop and really think for a minute, what did the Roadmap writers think they meant by that?

Because we have law that frames ‘appropriate standards.’ The UK government just seems unable or unwilling to meet it. And not only in these examples, in fact I’d challenge all the business owners on the AI Council to prove their own products meet it.

You could start with the Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01). Or consider any of the Policy, recommendations, declarations, guidelines and other legal instruments issued by Council of Europe bodies or committees on artificial intelligence. Or valuable for export standards, ensure respect for the Convention 108  standards to which we are a signed up State party among its over 50 countries, and growing. That’s all before the simplicity of the UK Data Protection Act 2018 and the GDPR.

You could start with auditing current practice for lawfulness. The CDEI Roadmap says, “The CDEI is now working in partnership with local authorities, including Bristol City Council, to help them maximise the benefits of data and data-driven technologies.” I might suggest that includes a good legal team, as I think the Council needs one.

The UK is already involved in supporting the development of guidelines (as I was alongside UK representatives of government and the data regulator the ICO among hundreds of participants in drawing out Convention 108 Guidelines on data processing in education) but to suggest as a nation state that we have the authority to speak on the future governance of data without acknowledging what we should already be doing and where we get it wrong, is an odd place to start.

The current state of reality in various sectors

Take for example the ICO audit of the Department for Education.

Failures to meet basic principles of data protection law include knowing what data they’ve got, appropriate controls on distribution and failure to fair process (tell people you process their data). This is no small stuff. And it’s only highlights from the eight page summary.

The DfE don’t adequately understand what data they hold and not having a record of processing leads to a direct breach of #GDPR. Did you know the Department is not able to tell you to which third parties your own or your child’s sensitive, identifying personal data (from over 21m records) was sent, among 1000s of releases?

The approach on data releases has been to find a way to fit the law to suit data requests, rather than assess if data distribution should be approved at all. This ICO assessment was of only 400 applications — there’s been closer to 2,000 approved since 2012. One refusal was to the US. Another the MOD.


For too long, the DfE ‘internal cultural barriers and attitudes’ has meant it hasn’t cared about your rights and freedoms or meeting its lawful obligations. That is a national government Department in charge of over fifty such mega databases, the NPD is only one of. This is a systemic and structural set of problems, as a direct result of Ministerial decisions that changed the law in 2012 to give our personal data away from state education. It was a choice made not to tell the people whom the data were about. This continues to be in breach of the law. And that is the same across many government departments.

Why does it even matter some still ask? Because there is harm to people today. There is harm in history that must not be possible to repeat. And some of the data held could be used in dangerous ways.

You only need to glance at other applications in government departments and public services to see bad policy, bad data and bad AI or machine learning outcomes. And all of those lead to breakdowns in trust and relations between people and the systems meant to support them, that in turn lead to bad data, and policy.

Unless government changes its approach, the direction of travel is towards less trust, and for public health for example, we see the consequences in disastrous responses from not attending for vaccination based on mistrust of proven data sharing, to COVID conspiracy theories.

Commercial reuse of pubic admin data is a huge mistake and the direction of travel is damaging.

“Survey responses collected from more than 3,000 people across the UK and US show that in late 2018, some 95% of people were not willing to share their medical data with commercial industries. This contrasts with a Wellcome study conducted in 2016 which found that half of UK respondents were willing to do so.” (July 2020, Imperial College)

Mutant algorithms

Summer 2020 first saw no human accountability for grades “derailed by a mutant #algorithm — then the resignation of two  Ofqual executives. What aspects of the data governance failures will be addressed this year? Where’s the *fairness* —there is a legal duty to tell people how what data is used especially in its automated aspects.

Misplaced data and misplaced policy aims

In June 2020 The DWP argued in a court case that, “to change the way the benefit’s online computer calculation system worked in line with the original court ruling would undermine the principle of universal credit” — Not only does it fail its public interest purpose, and does harm, but is lax on its own #data governance controls. World leading is far, far, far away.

Entrenched racism

In August 2020 “The Home Office [has] agreed to stop using a computer algorithm to help decide visa applications after allegations that it contained “entrenched racism”. How did it ever get approved for use?

That entrenched racism is found in policing too. The Gangs Matrix use of data required an Enforcement Notice from the ICO and how it continues to operate at all, given its recognised discrimination and harm to young lives, is shocking.

Policy makers seem fixated on quick fixes that for the most part exist only in the marketing speak of the sellers of the products, while ignoring real problems in ethics and law, and denying harm.

“Now is a good time to stop.”

The most obvious case for me, where the Office for AI should step in, and where the CDEI Report from workshops with Local Authorities was most glaringly remiss, is where there is evidence of failure of efficacy and proven risk of danger to life through the procurement of technology in public policy. Don’t forget to ask what doesn’t work.

In January 2020  a report from researchers at The Turing institute, Rees Centre and What Works Centre published a report on ethics in Machine Learning in Children’s Social Care (CSC) and raised the “dangerous blind spots” and “lurking biases” in application of machine learning in UK children’s social care— totally unsuitable for life and death situations. Its later evidence showed models that do not work or wuld reach the threshold they set for defining ‘success’.

Out of the thirty four councils who had said they had acute difficulties in recruiting children’s social workers in December 2020 Local Government survey, 50 per cent said they had both difficulty recruiting generally and difficulty recruiting the required expertise, experience or qualification. Can staff in such challenging circumstances really have capacity to understand the limitations of developing technology on top of their every day expertise?

And when it comes to focussing on the data, there are problems too. By focusing on the data held, and using only that to make policy decisions rather than on the ground expertise, we end up in situations where only “those who get measured, get helped”.

As Michael Sanders wrote, on CSC, “Now is a good time to stop. With the global coronavirus pandemic, everything has been changed, all our data scrambled to the point of uselessness in any case.

There is no short cut

If the Office for AI Roadmap is to be taken seriously outside its own bubble, the board need to be and be seen to be independent of government. It must engage with reality of applied AI in practice in public services, getting basics fixed first.  Otherwise all its talk of “doubling down” and suggesting the UK government can build public trust and position the UK as a ‘global leader’ on Data Governance is misleading and a waste of everyone’s time and capacity.

I appreciate that it says, “This Roadmap and its recommendations reflects the views of the Council as well as 100+ additional experts.” All of whom I imagine are more expert than me. If so, which of them is working on fixing the basic underlying problems with data governance within public sector data, how and by when? If they are not, why are they not, and who is?

The CDEI report published today identified in local authorities that, “public consultation can be a ‘nice to have’, as it often involves significant costs where budgets are already limited.” If it’s a position the CDEI does not say is flawed, it may as well pack up and go home. On page 27 it reports, “When asked about their understanding of how their local council is currently using personal data and presented with a list of possible uses, 39% of respondents reported that they do not know how their personal data is being used.” The CDEI should be flagging this with a great big red pen as an indicator of unlawful practice.

The CDEI Report also draws on the GDS Ethical Framework but that will be forever flawed as long as its own users, not the used, are the leading principle focus, underpinning the aims. It starts with “Define and understand public benefit and user need.” There’s very little about ethics and it’s much more about “justifying our project”.

The Report did not appear to have asked the attendees what impact they think their processes have on everyday lives, and social justice.

Without fixes in these approaches, we will never be world leading, but will lag behind because we haven’t built the safe infrastructure necessitated by our vast public administrative data troves. We must end bad data practice which includes getting right the basic principles on retention and data minimisation, and security (all of which would be helped if we started by reducing those ‘vast public administrative data troves’ much of which ranges from poor to abysmal data quality anyway). Start proper governance and oversight procedures. And put in place all the communication channels, tools, policy and training to make telling people how data are used and fair processing happen. It is not, a ‘nice to have’ but is required in all data processing laws around the world.

Any genuine “barriers” to data use in data protection law,  are designed as protections for people; the people the public sector, its staff and these arms length bodies are supposed to serve.

Blaming algorithms, blaming lack of clarity in the law, blaming “barriers” is avoidance of one thing. Accountability. Accountability for bad policy, bad data and bad applications of tools is a human responsibility. The systems you apply to human lives affect people, sometimes forever and in the most harmful ways.

What would I love to see led from any of these arms length bodies?

  1. An audit of existing public admin data held, by national and local government, and consistent published registers of databases and algorithms / AI / ML currently in use.
  2. Expose where your data system is nothing more than excel spreadsheets and demand better infrastructure.
  3. Identify the lawful basis for each set of data processes, their earliest records dates and content.
  4. Publish that resulting ROPA and the retention schedule.
  5. Assign accountable owners to databases, tools and the registers.
  6. Sort out how you will communicate with people whose data you unlawfully process to meet the law, or stop processing it.
  7. And above all, publish a timeline for data quality processes and show that you understand how the degradation of data accuracy, quality, and storage limitations all affect the rights and responsibilities in law that change over time, as a result.

There is no short cut, to doing a good job, but a bad one.

If organisations and bodies are serious about “good data” use in the UK, they must stop passing the buck and spreading the hype. Let’s get on with what needs fixed.

In the words of Gavin Freeguard, then let’s see how it goes.

activism, engagement, leadership, politics

Human Rights proposals – stripping away the Spirit of the Human Rights Act (1998)

News today confirms what has been on simmer for some time in England:

“A majority Conservative Government will scrap Labour’s Human Rights Act, and will end the ability of the European Court of Human Rights to order changes to British laws.” [Jack of Kent, October 2nd]

The Rt Hon Lord Howard of Lympne, CH, QC said:

“The argument is not about human rights, to which we all subscribe […] the way in which the Convention on Human Rights has been interpreted is far removed from its founders’ intentions.

“We are simply restoring parliamentary sovereignty, and some much needed common sense, to our human rights laws.”

If it is truly only about common sense, everyone with common sense must support it. So why the wide press and social media uproar, and statements by other parties they would vote against such a proposal in Parliament?

“No, the argument today is whether arrangements such as the European Court of Human Rights and the Human Rights Act actually help to protect such rights or, by the way in which they have operated, bring the concept into disrepute.”

The argument appears to suggest, that there should be no need to be concerned about the removal of laws which ‘protect such rights’, that there is nothing to hide, nothing to fear. That in fact, we will do better by removing the framework which supports the common sense process. Common sense will operate and prevail without legislation.

If we believe the policy statement that under these changes, in effect, little would change for many people, why are the changes needed? By many accounts, many good results of the 1998 Act affect many of us.

Those much better informed than me, are debating this in the media and online, and is worth following. But I think we should be careful we don’t get so caught up in looking ahead, that we miss changes going on now.

The debate makes me ask myself, what is the purpose of a law, and whom should it serve?

If we are convinced change is needed, we assume a belief that the current process is flawed.  This comes in part from myths and misrepresentations in isolated cases. We should in discussion see past the UKIP defection, knee-jerk reaction which conflates everything ‘Europe’, into something from which which the UK could ‘opt out’ and what risks and benefit it would actually bring for whom.

Even if these changes were simply a case of choosing to ‘opt-out’ from the protections of the European Court for UK Citizens (which it is not) and even if one were to agree common sense can make better decisions without legal protection, one must consider that by removing the UK Human Rights Act [which had cross party support in 1998], and the European aspect of the laws, and by suggesting amendments to the 1951 European convention on human rights, changes would remove a layer of external protection and last support channel outside the UK system, for us as citizens.

Stripping away a spirit of Governance

Does this affect the opportunity for citizens and courts to benefit from external objectivity?

The 1998 Act was intended to reduce the number of cases going to the European Court. You can still take a case to the European Court, but the Human Rights Act meant a case has to go through the UK courts first. Whilst Scotland (and Wales to a lesser extent) has some devolved and historically founded independent law making processes, the 1998 Human Rights Act covers the whole of the UK. As does the ability to go to the European Courts as an extra layer of legal protection, guidance and enlightenment if exhausted at home. 

Will we no longer be able as legitimately, to call on bodies with cross-border, external best practices to learn from which has any accepted weight? Or cases to set precedence? But does the European Court have these powers anyway or do these policy statements just cause confusion?

Former Attorney General Dominic Grieve said the plans were flawed. The Tory MP said they would be “difficult to implement” and risked “undermining” the UK’s – and his own party’s – tradition of upholding human rights.
Proposals state: ‘In future ‘Britain’s courts would no longer be required to take into account rulings from the Court in Strasbourg. This would make our Supreme Court the ultimate arbiter of human rights matters in the UK.’

The statement gives the strong impression that the UK will regain a lost level of independence as a deal for giving up a layer of objectivity and governance.

In fact, we would not do so by repealing the 1998 Human Rights Act, the European Court would keep its role in the UK in practice.

Liberty clarified: “The Human Rights Act did not make Strasbourg a precedent-setting Court, as the proposals claim. This proposal will not increase the Supreme Court’s constitutional standing. It is already the ultimate arbiter of human rights cases in the UK but, if we remain part of the Convention, British people will still be able to take claims to Strasbourg once domestic litigation is exhausted. The dilution of Convention rights proposed makes it more likely that Strasbourg will find against the UK. The Court has no ability to require the UK to change British laws. Parliamentary sovereignty is intact, as made clear by the non-implementation of the prisoner voting judgment. But the British Government has ratified the Convention and so undertaken to comply with its international law obligations to respect the decisions of the Court.” [Liberty]

However the side comments on the 1951 Convention are of much more concern to me.

Are the Conservative proposal really going so far as to say it would remove that Convention undertaking, and no longer respect international law? Surely not in practice, but in spirit, it seems to suggest just that.

They would seek to: “Clarify the Convention rights, to reflect a proper balance between rights and responsibilities.”

that would be a huge change with respect for our position towards international law.

It seems to suggest that there would be a trade off giving up the universally applicable nature in the 1951  convention on Human Rights, to enable selective decisions which and when, rights would apply.

 

Stripping away the rights which apply to all

The basic principles of universality, inalienability and indivisibility, [outlined here by Liberty] are under threat through these changes:

 

“Human rights are universal. They apply to all people simply on the basis of being human.

Human rights are inalienable. They cannot be taken away simply because we do not like the person seeking to exercise their rights. They can only be limited in certain tightly-defined circumstances and some rights, such as the prohibition on torture and slavery, can never be limited.

Human rights are indivisible. You cannot pick and choose which rights you want to honour. Many rights depend on each other to be meaningful – so, for example, the right to fair trial would be meaningless without the prohibition on discrimination, and the right to free speech must go hand in hand with the right to assemble peacefully.”

Isabella Sankey, Director of Policy has taken apart some of the implications here. Her post is worth a thorough read.

Stripping away rights of access

 

It appears that we are moving towards a state in which the suggestion is that laws from the top down to control citizens’ rights will be applied universally, whilst at the same time, the rights of those who may feel unfairly treated by them are becoming restricted, through policy and in practical terms.

 

If British citizens would still be able to take claims to Strasbourg once domestic litigation is exhausted, they have to be able to not just in theory, but practice.

Courts which exist as channels to a fair appeal are only applicable to all as a right effectively, if they can be accessed by all. In the UK the  judicial review practices have changed on charging, which make universal access to judicial review harder. Recent changes to legal aid funding mean fewer people can afford access to representation.

 

This report from the International Council on Human Rights Policy may be ten years old, but is still I feel, relevant.

“…individuals, particularly those who are vulnerable because of exclusion, poverty and discrimination, unable to obtain benefits and rights to which they are entitled in law? This report examines the impediments that obstruct large numbers of people from accessing the full range of human rights. It analyses the performance and responsibilities of governments and other institutions, and identifies new forms of action that official and human rights organisations might need to undertake if access is to be improved.”

If Human Rights law is not accessible to all, and does not apply equally to all, it is not universal. Either not all are humans or they are not rights. Either way, the law is flawed.

 

I believe being universally applicable must also ensure universal access in order to be meaningful.

 

Stripping the Spirit of accepted Human Rights

Whilst the Acts  and declarations have legal weight which are of intrinsic importance and value, I believe it is also of importance to value the philosophy of the principles. It is this loss which worries me as much as the thought of losing concrete governance. We risk losing not only the protections of the law, but the Spirit of the law.

The spirit acts as an additional layer of conscience accompanying lawmakers and politicians in their decision making process.

I fear that he spirit of the values the state places on human rights,has been injured in recent times.

 I fear an ‘accepted’ element of barbarism has crept into our own humanity in the treatment of our ‘prisoners of war’.

 

The right not to be tortured or treated in an inhuman or degrading way is an absolute right. It should never be limited and it is a commonly held belief that there are no circumstances where this type of treatment of people can be justified.

 

However torture has become apparently justifiable recently. Justified by the highest authority in the US, some may see as the highest ‘western world power’. “We tortured some folks” was justified with the near flippant tone of a bumper sticker. Little official repercussion  appears to follow.

 

In doing so, the affiliated powers revealed how far we have fallen from our ideals of humanity embodied in the Universal Declaration of Human Rights.

Our values and self created global ethic in which some human rights are absolute.

It appears we have allowed through our government’s use of torture, an absolute boundary to be broken. So should we be surprised if that was only a first step? What is perceived as acceptable in how our government treats others, can only lead to a contagion in perception of what is right and acceptable in how others will treat our people abroad.

Crucially, I believe it also affects our own public perception of acceptance and ‘the norm’ in how we treat our own people.

Yet again, at home in human rights law, perception may be that this will not affect us. Not ‘our own’ kind of people. It will only affect ‘others’.

But the others in the case of human rights in the UK, may be our own gender or racial discrimination case at work. It may be how our friend or family member is treated by the authorities in sexual discrimination or in disability claims process.  Those in prison, the poor, minorities – these groups suit some agendas to portray as ‘other’. To thrive, I believe we must strive to remember our togetherness as a society which looks after one another, not treats ‘others’ as outside our realm of protections. As somehow, less ‘entitled’.  Less entitled to welfare. Less entitled to vote. Less entitled to universal rights.

If you think, no not me, then let’s consider closely our own reaction to the arrival of travellers in a local field. Or news of immigrants awaiting asylum rulings being housed in bed-and-breakfast accommodation.

It seems that to whom our human rights should apply, would become discretionary.

Are some Human Rights Claims more Trivial than Others? What about the same Human Rights for all?

If the majority of rights are non-absolute and can be limited or restricted in certain circumstances, we should not be surprised if these too are now trampled on if found to be ‘trivial’. The circumstances in which there is a need to take into account the rights of other individuals or wider society would become  discretionary.  How would that be defined and by whom?

“Limit the use of Human Rights laws to the most serious cases.”

There will be a threshold below which Convention rights will not be engaged, ensuring UK courts strike out trivial cases.

It appears that which subjects and in which circumstances individuals should be entitled access to human rights protection would become discretionary.

By saying some ‘trivial’ cases would not be relevant for consideration, you throw out the spirit of the universal applicability of Human Rights’ legislation.

Where does this leave the Spirit of our Human Rights in practice?

Politicians may say that in practice, any change will continue to ensure that:
“We promote the values of individual human dignity, equal treatment and fairness as the foundations of a democratic society.”

But current reality is that changes have already made universal access to judicial review harder. Reality is that the changes to legal aid funding already means fewer people can afford access to representation. Minority groups find access a challenge. Mothers without means are representing themselves in divorce cases. People are facing abusers in court.

If now we further undermine both access and applicability, the reality is under the law some will be more equal than others.

So what of our basic principles?

Human rights are universal. They apply to all people simply on the basis of being human.

Human rights are inalienable. They cannot be taken away simply because we do not like the person seeking to exercise their rights.

Human rights are indivisible. You cannot pick and choose which rights you want to honour.

Whether this policy ever becomes reality or not, it harms the perception of the value we place on human rights, at home and abroad.

Universality of application and universal access are already under real threat, creating inequality for which humans, these laws offer support.

These proposals normalise what is in fact nonsense.

Whilst at least for now, it makes no difference in legal practice, I think the Spirit of Human Rights in the UK under this proposal, just had her wings stripped off.

 

***

Chris Grayling’s eight-page strategy paper http://s3.documentcloud.org/documents/1308660/protecting-human-rights-in-the-uk.txt

[Liberty useful listing of what the Human Rights Act covers.]