Over the summer, in partnership with Scott Logic, the Institute for Government (IfG) ran a series of roundtable discussions with senior civil servants and government experts on the topic of Data Sharing in Government. This is the second in a series of blog posts in which I reflect on the key themes that came out of those discussions. You can read the first post in the series here on ‘Why you should get the right people in the room from the start’.

A few years ago while working on a digital product in a government department, my team learnt a valuable lesson: rules can help you go faster.

This was before the Digital Economy Act and Data Protection Act had come into force. We considered the question of whether to introduce new legislation to underpin the development and support the strategy in the area we were working in. Ultimately, we felt that the absence of a legislative framework could help us to be more fleet of foot, more nimble and more agile while we considered how the service needed to operate.

In hindsight, this began to feel like a mistake. Momentum slowed and focus began to shift, whereas when we looked across at other countries, we could see that equivalent projects underpinned by legislation were succeeding. Without a legislative framework, our product roadmap didn’t have enough support or an agreed destination and it was easy for leadership changes and shifting priorities to send it off course.

Even in the fast-moving environment of bleeding-edge technology development, legislation can: help to crystallise focus; provide something ‘solid’ with which civil servants can resolve uncertainties during the development of a service; build and maintain collective momentum; and instil in stakeholders the confidence that what they’re doing is right. Rather than introducing obstacles, regulatory and legislative frameworks can help to clear the way and speed up delivery.

This theme came up repeatedly in the roundtable discussions. It’s no exaggeration to say that the Government’s pandemic response would have been significantly slower if there had not been a range of pre-existing legislative frameworks in place to support design and delivery.

How legislation accelerated the pandemic response

When the UK went into lockdown in March 2020, the need to support and protect the most vulnerable people in society compelled an unprecedented sharing of data and personal health information across government departments. Participants in the roundtable on the Clinically Extremely Vulnerable People Service (CEVPS) agreed that these circumstances demonstrated the level of flexibility and permissibility within the Digital Economy Act and General Data Protection Regulation (GDPR). Those frameworks helped to identify a clear legal route that gave departments confidence to work together on the rapid implementation of the service.

Just as the frameworks swiftly clarified what was permissible, they also enabled the CEVPS team to be decisive about what should not be in scope. A roundtable participant recounted an occasion when they were approached by an external organisation for access to data for purposes unrelated to supporting vulnerable people. This could be quickly refused – not only with reference to the overarching legal frameworks, but also the Data Protection Impact Assessment (DPIA) for the project.

DPIAs are required by GDPR and provide a process to help identify and minimise the data protection risks of a project. Pre-existing DPIAs helped accelerate aspects of the early pandemic response. When the Department of Health and Social Care produced and published its DPIAs, it created a sense of transparency and accountability that might not have otherwise existed, and gave the public confidence that the department’s sharing of data would be proportionate. In another example, a roundtable participant explained how DPIAs compelled the right conversations from the start of a project, forcing hard questions to be addressed up-front and placing data protection at the heart of the process.

The legislative frameworks that facilitated the initial pandemic response were superseded in March 2020 with the release of the Control of Patient Information (COPI) notice by the Secretary of State for Health and Social Care. COPI was integrated into DPIAs and created a ‘COVID-19 purpose’ for the sharing of confidential medical information across organisations within and beyond the healthcare service. This covered activities to protect public health, provide healthcare services, and monitor and manage the outbreak.

For the NHS COVID-19 Data Store, COPI enabled data sharing agreements to be put in place in days and weeks, rather than months. One participant in the roundtable described how this helped to reassure everyone – from government departments to NHS Trusts to GPs – that they were covered and that data sharing was safe.

What slows things down

However, COPI notices didn’t solve everything, and there’s an important underlying reason for that which needs to be addressed.

Without a widespread understanding across all levels of government of what the law allows, progress will be hampered. Even with the COPI notices in place, there were still people who did not share data when needed, fearing that they would be doing the wrong thing.

New technologies, supported by new legal frameworks and good governance, are enabling the government to conceive of ambitious improvements to public services by sharing data within and across departments, and beyond. This improved connectivity between departments and services will enhance our preparedness and increase our resilience in the face of emergency situations in the future.

But for those ambitions to be achieved, it will require data-literate leaders to foster data-literate cultures in which everyone truly understands the rules within which they’re operating and the risks that need to be managed.

And that will be the subject of my next post.

Join us for ‘Lessons from data sharing during the pandemic’

On Wednesday 8 February, I’ll be speaking on a panel at an IfG event with fellow panellists Ming Tang (National Director of Data and Analytics for NHS England and Improvement), Juliet Whitworth (Head of Research and Information, Local Government Association) and Paul Shepley (Data Scientist at the Institute for Government). We’ll explore themes and case studies from the upcoming IfG report, produced in partnership with Scott Logic: Data sharing during the pandemic.

Register here to join in person or online