Delivering Data Value and sharing the GDPR Load: a Data Sharing Alliance for London
Do you ever feel that some mountains are just too difficult to climb? In these cases I’m often reminded of a scene from Mission Impossible:
Mission Commander: Good morning, Mr. Hunt. Your mission, should you choose to accept it, involves getting all of the London Boroughs, health trusts, emergency services, voluntary organisations and all of their partners across London to agree to a single data sharing framework that will improve transparency and trust for the citizens of London.
Ethan Hunt: I don’t think I can get them to do it.
Mission Commander: So you think it will be difficult?
Ethan Hunt: Very.
Mission Commander: Well Mr Hunt, this is Mission Impossible, not mission difficult. Difficult should be a walk in the park for you!
That’s how I feel about data sharing in London. At the London Fire Brigade we are involved in more than a hundred different data sharing agreements with London Boroughs and their partnerships, all working in slightly different ways, to different standards, all in the belief that each agreement is the best way to demonstrate compliance with data protection principles.
This is because the people who are most at risk of fire tend to be the same people who need care and support, allowances and benefits, medical assistance, help with heating their home and many other services provided by their local council and other London care organisations. The benefits (by way of increased safety and welfare) of sharing the data associated with these people in a clear, transparent, responsible and legally compliant way are well known, as are the consequences of not doing so.
In less than a year (May 2018), we will all be operating under the regime of the General Data Protection Regulations (GDPR). These regulations, which take over from the Data Protection Act, are designed to transform how organisations approach data protection and improve the protection of individuals. The bar for compliance will be raised and organisations will need to do more to show how information governance is at the heart of decision making, as well as go further to engage individuals about how data about them is being held, used and shared.
Data protection is often cited as a reason not to do things. Yes, complying with the data protection laws and guidance requires effort, but it has never been a reason not to do the right thing. And helping people, and providing them with the services that make a meaningful difference to them, is the right thing. So, if sharing data is hard now, how much harder will it be in the world of GDPR?
Well, that is a job for Mr Hunt and the Impossible Mission Force.
Or is it?
This is why we are calling for the creation of a pan-London Information Sharing Alliance. This will be a place where – whatever your organisation – you have access to an agreed set of highly practical templates and processes that support good data governance; a central place where data sharing protocols, information sharing agreements, privacy impact assessments and other documentation are easily accessible for the London public to view, so they can see how Londoners’ data is being used. There is also the potential for this place to provide a data platform where personal data can be securely uploaded and accessed with appropriate security, logging and tracking. We could also give the individual access to that platform so they could see and manage their own data?
Yes it would be difficult. But it is not impossible.
Geography-wide data partnerships are not a new idea. Indeed, they exist already. Leaders in this field include Essex, which has a ‘Whole of Essex Information Sharing Framework (WEISF)’, and Lancashire and Cumbria’s Information Sharing Gateway, which hosts 669 data sharing agreements from over 1,000 organisations. There is also a host of good work establishing best practice for compliant data protection documentation. The Centre of Excellence for Information Sharing already publishes model templates for organisations to adopt, and Government have been working on an online identity verification scheme that could facilitate an individual’s direct access to the data (GOV.UK Verify).
Yes, the governance structure of London is different, but it is not so unique that between us we cannot agree one way for doing the same thing?
I believe it can be done. I would go further and suggest that in the world of GDPR it will become a necessity.
Your mission, should you choose to accept it, is to agree.
Dun dun da da, Dun dun da da, Dun dun da da, Dun dun da da, de da doo de da doo de da doo do dut!
What happens next
‘Datashare London’ is an initiative being proposed by the London Fire Brigade together with the GLA teams behind the London Office of Data Analytics (LODA) and SafeStats. Adoption of the initiative will depend on the wider interest and support of the London Boroughs and their partners. To gauge the appetite for this, it is intended to roll out the initiative in a number of phases, only moving from one phase to the next if the support is there.
Stage 1: Build a centralised repository for existing data sharing agreements. Using the technology being developed for the City Datastore the GLA will build a document repository into which any existing data sharing agreement can be uploaded for view by partners and the public. A minimal schema will accompany the upload so that the documents can be easily searched and retrieved.
Stage 2: Agree a set of data sharing templates that comply with all information governance principles. These templates would be ‘pre-approved’ as acceptable for use in any data sharing arrangement. This work would be initially led by a core of interested boroughs and would take advice from the Centre of Excellence for Information Sharing, or legal advisers as necessary. If agreed, this would become the standard for any new agreements added to the repository.
Stage 3: Build a common data sharing platform. The repository would be extended (again using the City Datastore technology) to enable the secure sharing of personal data (covered by the agreements) with full audit, logging and notification processes.
Stage 4: Provide public access to their own records. Consider how the shared data can be correctly assigned to the individual and provide a front end for that individual to see how their data has been used.