Nick Rhodes, Data Privacy Lead & Andy Lethbridge, Head of Consulting, Central Government, BAE Systems Digital Intelligence
20 Jun 2022
Data now plays a crucial role in any major public health programme – but seizing the opportunities it presents is one thing, protecting the privacy of individuals is quite another. However, that’s exactly what happened during the Covid-19 response, as Nick Rhodes and Andy Lethbridge explain…
‘Patient dies (but their data's safe)’ is the wrong headline in a pandemic. You don’t need to have a degree in ethics to know that – more like basic common sense. How about ‘Patient data breach affects millions?’ Ouch – that’s no better.
This "imagine the headlines" approach is a common part of daily discourse amongst policymakers – pandemic or no pandemic – and it is often slipped into heated conversations to help clarify what's the worst that could happen.
But in May 2020, with the UK locked down, businesses shuttered and hospitals at breaking point, formalising its use was integral to marrying the need for accurate data with strong information governance and privacy standards.
BAE Systems had been tasked with creating a single platform to house consumable terabytes of data for data scientists and data analysts to use. The platform needed to drive up quality and massively reduce the manual effort to consolidate data and generate insightful reports – all while respecting citizens’ privacy and ensuring the correct legal basis existed for sharing and thus consolidation.
So, how did we do it?
We quickly established a secure engineering and analytics environment to primarily enable research, analysis and statistics. Mindful of obligations to demonstrably apply data protection and secure by design principles, we worked within departmental and programme structures to help develop and iterate a Data Protection Impact Assessment which became a key design document.
It included, for instance, clarification that whilst a research exemption may be applicable, information rights requests would be considered on a case-by-case basis. Additionally, the team considered and applied latest guidance from the regulator, the Information Commissioner’s Office (ICO) – notably the accountability tracker and the data sharing information hub.
In a fast-moving, multi-supplier and collaborative environment the rigour of these external anchors, along with the “Five Safes” (safe data, safe projects, safe people, safe settings, safe outputs) proved invaluable. They served as common points of reference which accelerated decision-making and enabled the swift prioritisation of improvements, particularly when engaging with assurance and compliance functions.
This was all buttressed by a simple “10 point check” to reduce the risks of ingesting contaminated data to the platform, inappropriate processing, and/or inappropriate disclosure. The environment quickly progressed from being a tactical solution to Critical National Infrastructure and continued to be a key enabler as the programme transitioned into an operational agency.
Much of this comes down to basic consulting skills but three elements that proved a particularly effective combination were headline jousting, risk appetite application and accountability framework appraisal.
Ethics conversations tend to be theoretical, nebulous and verbose. Headline jousting, by contrast, requires succinct, specific, credible scenarios. We balance societal rights and freedoms against those of individuals, using the Universal Declaration of Human Rights as a widely recognised starting point. We also factor in orders of magnitude (those affected) and scales of (potential) harm. By reasoning through as a team to a defensible position, the accountable decision-maker is then empowered to act based on the opposing positions charged at one another.
Risk appetite application
One long standing risk management tool is risk appetite. We highlighted this from both data privacy and security perspectives and injected the risks of not-sharing to help decision-makers clarify their positions in terms of risks to the mission, as well as to an individual's privacy.
Accountability framework appraisal
Accountability was the new principle under GDPR and the ICO has helped organisations understand expectations through publication of the accountability framework and its associated tracker. We found this comprehensive deconstruction (there are 300+ items) invaluable to prioritise attention, record progress and clarify our collaboration with other teams.
Welcome to a new era of data sharing
The pandemic was a one-off, right? Not necessarily. In the same way hybrid working looks here to stay, so too does a step change in data sharing – and you don’t have to take our word for it either. The recent meeting of the House of Commons Science and Technology Committee attended by the new Information Commissioner, John Edwards, saw repeated references to this recent report from Professor Ben Goldacre.
The report contains strong statements such as "Seventy-three years of complete NHS patient records contain all the noise from millions of lifetimes. Perfect, subtle signals can be coaxed from this data, and those signals go far beyond mere academic curiosity. They represent deeply buried treasure that can help prevent suffering and death around the planet on a biblical scale. It is our collective duty to make this work."1
And, of course, this opportunity goes way beyond health data.
Governments are uniquely placed and resourced to address such seismic changes head on, all the while ensuring that any changes remain rooted in strong ethics and privacy guidelines.
New legislation and guidelines, rules and procedures, are all taking shape on the horizon. It is incumbent on all of us – public and private sectors alike – to seize the opportunities heralded by data while always revering the enduring rights and freedoms of individual citizens and wider society.
The UK has greater freedom to make choices about how best to exploit the richness of the data it holds, and particularly health data. Doing this ethically whilst garnering maximum value is a balance to strike but it can be done. The unique relationship the NHS has with citizens (the patients) is something that needs to be protected, retaining the sovereignty of our health data will be key to ensuring the strong trust that exists with the NHS today, continues tomorrow.
It’s time to lean in and lead – and that’s exactly what we at BAE Systems intend to do.
Subscribe to Government Insights
Please enter your email address to opt-in and receive our Government Insights.
Thank you for your subscription to Government Insights.
Delivering data dividends: lessons from the pandemic. Data proved to be a pivotal weapon in the fight against Covid-19, but it is vital to draw important lessons from this period to help strengthen the response to future public health challenges. Andy Lethbridge chronicles his experiences navigating uncharted waters at the heart of the UK’s pandemic response
Data, data everywhere, too much for us to link? Policymakers are increasingly reliant on data to strengthen government performance and drive better, more citizen-centric public services. But this evolution does not always run smooth. Here, Andy Lethbridge spotlights the themes and challenges we are seeing in our day to day work across central government
Tuning up data trust. How can governments generate greater trust when it comes to data? Nicola Eschenburg says it can be done, and the sooner the better
Bringing data to the party. Caroline Bellamy is on a mission to transform how the UK Ministry of Defence uses data. She tells Mivy James about her 30-year career in industry and why data holds the key to smarter and faster decision-making across Defence
Homing in on data-driven government. Statistical models, data, and analytics have always loomed large in Andy Gregory’s in-tray, but now he’s putting his expertise to good use at the UK’s Home Office. He tells Dylan Langley about his eclectic career and adjusting to life as a senior civil servant.