Ignoring the role of time in Data Governance

The words we use to define data

In the 2021 Defend Digital Me report, The Words We Use in Data Policy: Putting People Back in the Picture, we examined why public conversations about personal data often fail. We highlighted the need for systemic changes in how we talk about data to better account for children’s data within the UK’s national data strategy. A central issue is how we think about data—often seen and framed through misleading metaphors. Metaphors like ‘flows,’ ‘footprints,’ or ‘traces’ influence public opinions and policy but oversimplify governance challenges. These framings profoundly affect views on what should be done with data. This matters as the Data Use and Access Bill in Parliament seeks to rewrite UK data protection law, threatening to undermine public trust in administrative data just as AI companies and others lobby for increased access.

Data as language, not a commodity

But imagine instead that data is not a fixed entity or commodity; it is more akin to language telling the story of your life. Data, turned into information, conveys meaning, which varies by source, user, context, and time. Misinterpreting or ignoring these dimensions leads to poor governance and flawed decisions. Data’s characteristics and value are ephemeral and interpersonal. Like Dr Louise Banks in Arrival, policymakers must recognise that UK data governance requires a multidimensional approach to understanding what data is—not just substance, but traceability, context, and meaning across the data life cycle. We need to talk more about the dimension of time in data governance laws.

The Time Dimension in Data Governance

Time reshapes data governance, affecting its accuracy, personal nature, and user relationships. Personal data may shift between personal and non-personal depending on context, use, and linkage over time.

  1. Personal Data Over Time
    Data can simultaneously be personal or non-personal depending on who holds it and what it is combined with. What identifies an individual in Dataset A may not identify another without access to Dataset B, so while I hold A and you hold both A and B, it is personal data only to you. Over time, the data’s ‘personal’ characteristic may shift to include me, depending on its use, linkage, breadth of access, leaks and more.
  2. Accuracy and Completeness
    Data degrades over time. For instance, a “current address” loses accuracy when someone moves house. But changing systems—such as updated postcode formats to give a new one to the same property or new categorisations (e.g., introducing “White Northern Irish” into a population that may have previously selected “White British” in a census)—can undermine past data’s comparability and completeness. More importantly, how would you know and how will AI systems know if we have no context, no life-cycle ROPA, and give up enforcing the importance of this?
  3. Children’s Data and Vulnerabilities
    Special protections for what is labelled “children’s data” in law raise questions: Do these protections apply only at the time of collection, because the person the data is about is aged under 18, or do they persist as a characteristic of the data even after the person it is from ages into adulthood? The concept of a “clean slate,” as proposed by the High-Level Expert Group on AI (HLEG), goes some way to solving this issue. However, current practices fail to provide the safeguards that the original GDPR deemed necessary. These failures are demonstrated over time by the National Pupil Database, the prime case study.
  4. Evolving Definitions and Legal Changes
    Policy shifts, such as the UK’s Data Use and Access Bill, can change how data is categorised and handled over time by recategorising it as of the law’s commencement date. Such changes affect its characteristics and governance.

Why lifecycle governance matters

Data governance is a constraint on the imbalance of power beyond the lifetime of the data itself and the relationship between the data subject and their user. European data protection laws, rooted in human rights principles, emphasise lifecycle governance. Concepts like data minimisation, retention limitation, and respect for data subject rights ensure that the relationship between individuals and data users remains dynamic and accountable.

The point of data collection is not to produce the KPI, or the report, or benchmark, or even to follow the money in delivery of a public service. The point is the delivery of a public service. Public administrative data collected on the side is a by-product, often opinion based, in the process. Statistical data may follow standards and a review process. Much of the rest of public admin data may not. A return might suggest 100% completion but that is no measure of accuracy. When public policy deifies “the product” of data as AI, we focus on the wrong end of the process. Data about public administrative services is a set of contextualised inputs, a dynamic and interpretive representation of public-service delivery and the person’s life it involves, not fixed outputs with fixed characteristics or quality. The person must be kept in the picture in a continuous governance process. Engagement in public service delivery must not end when someone walks out the door, if their data continues to be processed.

We must ensure any public policy or AI creating inferences of meaning is built only on data that are correct, and used within the context in which the meaning intended at source is valid over time.

This is a critical period in which AI companies and others are lobbying hard for more access. Ignoring the role of time in data governance avoids accountability for the problems of data quality and contextual collapse, but will mean that datasets that are not fit for purpose become the foundations for public policy, or for building AI to use or to export. Carnegie UK’s research offers a sobering reminder: poorly designed systems can waste taxpayer money, erode public trust, and fail to deliver promised benefits.

Let’s talk more about the exercise of traceability, context, and meaning across the personal data life cycle. We need to talk more about the dimension of time in data governance laws.

Data Protection Bill 2017: summary of source links

The Data Protection Bill [Exemptions from GDPR] was introduced to the House of Lords on 13 September 2017.
*current status April 6, 2018* Report Stage House of Commons — dates to be announced

Debates

Dates for all stages of the passage of the Bill, including links to the debates.

EU GDPR Progress Overviews

Updates of GDPR age of consent mapping: Better Internet for Kids

Bird and Bird GDPR Tracker [Shows how and where GDPR has been supplemented locally, highlighting where Member States have taken the opportunities available in the law for national variation.]

ISiCo Tracker (Site in German language) with links.

UK Data Protection Bill Overview
  • Data Protection Bill Explanatory Notes [PDF], 1.2MB, 112 pages
  • Data Protection Bill Overview Factsheet [PDF], 229KB, 4 pages
  • Data Protection Bill Impact Assessment [PDF], 123KB, 5 pages
The General Data Protection Regulation

The General Data Protection Regulation [PDF] 959KB, 88 pages

Related Factsheets
  • General Processing Factsheet, [PDF], 141KB, 3 pages
  • Law Enforcement Data Processing Factsheet [PDF], 226KB, 3 pages
  • National Security Data Processing Factsheet [PDF], 231KB, 4 pages
These parts of the bill concern the function of the Information Commissioner and her powers of enforcement
  • Information Commissioner and Enforcement Factsheet [PDF] 223KB, 4 pages
  • Data sharing code of practice [PDF]
GDPR possible derogations

Source credit Amberhawk: Chris Pounder

Member State law can allow modifications to Articles 4(7), 4(9), 6(2), 6(3)(b), 6(4), 8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4), 10, 14(5)(b), 14(5)(c), 14(5)(d), 17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b), 23(1)(e), 26(1), 28(3), 28(3)(a), 28(3)(g), 28(3)(h), 28(4), 29, 32(4), 35(10), 36(5), 37(4), 38(5), 49(1)(g), 49(4), 49(5), 53(1), 53(3), 54(1), 54(2), 58(1)(f), 58(2), 58(3), 58(4), 58(5), 59, 61(4)(b), 62(3), 80, 83(5)(d), 83(7), 83(8), 85, 86, 87, 88, 89, and 90 of the GDPR.

Other relevant significant connected legislation
  • The Police and Crime Directive [web link] 
  • EU Charter of Fundamental Rights – European Commission [link]
  • The proposed Regulation on Privacy and Electronic Communications [web link]
  • Draft modernised convention for the protection of individuals with regard to the processing of personal data (convention 108)
Data Protection Bill Statement of Intent
  • DCMS Statement of Intent [PDF] 229KB, 4 pages
  • Letter to Stakeholders [PDF] 184KB, 2 pages 7 Aug 2017
Other links on derogations and data processing
  • On Adequacy: Data transfers between the EU and UK post Brexit? Andrew D. Murray Article [link]
  • Two Birds [web link]
  • ICO legal basis for processing and children [link]
  • Public authorities under the Freedom of Information Act (ICO) Public authorities under FOIA 120160901 Version: 2.2 [link] 
  • ICO information for education [link]

Blogs on key issues [links in date of post]

  • Amberhawk
    • DP Bill’s new immigration exemption can put EU citizens seeking a right to remain at considerable disadvantage [09.10] re: Schedule 2, paragraph 4, new Immigration exemption.
    • On Adequacy: Draconian powers in EU Withdrawal Bill can negate new Data Protection law [13.09]
    • Queen’s Speech, and the promised “Data Protection (Exemptions from GDPR) Bill” [29.06]
  • defenddigitalme
    • Response to the Data Protection Bill debate and Green Paper on Online Strategy [11.10.2017]
  • Jon Baines
    • Serious DCMS error about consent data protection [11.08]
  • Eoin O’Dell
    • The UK’s Data Protection Bill 2017: repeals and compensation – updated: On DCMS legislating for Art 82 GDPR. [14.09]

Data Protection Bill Consultation: General Data Protection Regulation Call for Views on exemptions
  • New Data Protection Bill: Our planned reforms [PDF] 952KB, 30 pages
  • London Economics: Research and analysis to quantify benefits arising from personal data rights under the GDPR [PDF] 3.76MB 189 pages
  • ICO response to DCMS [link]
  • ESRC joint submissions on EU General Data Protection Regulation in the UK – Wellcome led multi org submission plus submission from British Academy / Erdos [link]
  • defenddigitalme response to the DCMS [link]
Minister for Digital Matt Hancock’s keynote address to the UK Internet Governance Forum, 13 September [link].

“…the Data Protection Bill, which will bring our data protection regime into the twenty first century, giving citizens more sovereignty over their data, and greater penalties for those who break the rules.

“With AI and machine learning, data use is moving fast. Good use of data isn’t just about complying with the regulations, it’s about the ethical use of data too.

“So good governance of data isn’t just about legislation – as important as that is – it’s also about establishing ethical norms and boundaries, as a society.  And this is something our Digital Charter will address too.”

Media links

14.09 BBC UK proposes exemptions to Data Protection Bill


Edits:

11.10.2017 to add links to the Second Reading in the House of Lords