11th Mar 2016
Steve Reed (Co-chair)
Philip Davies (Co-chair)
Christopher Graham, The Information Commissioner
Jonathan Cowie, Chief Executive, CityWest Homes Limited
Julia Corkey, Director of Communications and Strategy, Westminster City Council
Paul Worthington, Senior Account Manager, Cicero Group
Del Heppenstall, Director of Information Protection Practice, KPMG
Jamie Hope, Parliamentary Researcher/Assistant for Amanda Milling MP
Joanna Causon, Chief Executive, The Institute of Customer Service
Oliver Rawlings – The Institute of Customer Service
Mike Petrook – The Institute of Customer Service
Philip Davies welcomed everyone to the meeting asking attendees to introduce themselves and offer opening remarks.
Lord McNally noted that his experiences, firstly with the Data on Demand project when in government and then with the Youth Justice Board, had led him from suspicion of big data to appreciate the opportunities if it is done properly.
Chi Onwurah noted that Labour’s Making Digital Government Work for Everyone report looked at public sector data sharing. She said it highlighted the difficulty with the concept of citizens owning their data as no such property rights existed. The challenge, therefore, was that both technology and consumer expectations are evolving and there was a need to re-establish trust to ensure people support data initiatives.
Jo Causon set out the research conducted by the Institute of Customer Service on what consumers thought about data and security issues.
She said it was clear that cyber-attacks are an increasing problem and that the research reflects this. Over half the people surveyed by the Institute had suffered from a data security breach and 43% were concerned that cyber-attacks might compromise their personal information.
She noted the consumers understood the reality of data security breaches with a large proportion (66%) of consumers thinking that these problems are inevitable and that data security breaches are a part of life and will happen from time to time.
Causon reflected that the issue for consumers regarding data breaches centred around financial loss rather than having their identity stolen [53% vs 16% respectively]. This indicated that what businesses do after the inevitable attacks or data loss is important.
She noted the effects of data breaches on consumer trust. 54% of people were confident that organisations look after their personal information and commented that this is not as high as it could or should be. Additionally she noted that, for business, 22% of people explicitly stated they no longer trust companies that suffer data breaches. This is important because Institute research showed that customer satisfaction, loyalty, recommendation and trust are highly correlated and with big data such a valuable and currently underused resource in the economy, new emerging technologies need consumer trust.
She highlighted what consumers were saying business needed to do. These were to specify what actions they are taking to protect customer data; ensure data management is robust and transparent; and keep customers informed about the security of the information as part of a wider relationship with customers. Specifically, 27% of people said in the event of a breach, installation of new security programmes could restore trust and 24% suggested an outline of what will be done to prevent a repeat would be essential. She also noted that knee jerk compensation was not the answer – as following a breach only 23% wanted compensation above all else, whereas 41% wanted immediate notification.
Finally, Causon set out what consumers thought government should do. This was principally around ensuring that regulation was sufficient and by developing better education programmes to inform consumers
Summing up she said consumers are pragmatic – that they are concerned about how their data is used but they are willing to share it if they can be reassured it will be used appropriately. Causon concluded that business needs to reassure customers – and that using consumer data is key to personalisation and the future of business relationships with their customers. Organisations need to focus not just on preventing data loss in the first place but also what happens when the inevitable breach happened.
Philip started by noting that different people had different tolerances when it came to how much of their data they were prepared to share. There was a general consensus that trust was a key driver for consumers that needed to be addressed in a variety of ways.
Lord McNally highlighted the problems with public perceptions driven by the media. He gave an example from when he was in government of the desire to give people’s redacted health data to medical researches which was heavily campaigned against by the media [the care.data programme]. He noted there were risks that polarised views regarding data could obstruct progress on data sharing.
Chi Onwurah noted that trust is about control. If people feel they are in control and that they have a choice over how their data is used then they are trusting. It was, therefore, important to focus on empowering consumers and there was a need for principles to be set down to achieve this.
Philip Davies raised the issue of small print opt outs when the option to not share data is not made obvious to consumers in terms and conditions. He queried whether this showed that organisations did not think it was important or whether they were actively trying to deceive consumers. He commented this was contrary to empowering consumers. There was a brief discussion about how much control consumers feel in regard to terms and conditions when they are aware that they must accept them to use the product or service. Del Heppenstall noted that there was the increasing use of self-service for customers and there was the possibility of a more granular approach to consenting to data usage – i.e consenting to specific uses on a staged basis.
Christopher Graham said the Institute of Customer Service research clearly showed that data losses represent big problems for business – commenting ‘this is corrosive stuff’. He concluded that organisations can share lots of data as long as they are clear what they are doing with it – he referenced research by Telefonica that showed people value data exchange as long as they understood it. Smart businesses are already addressing these issues he said.
Del Heppenstall noted many businesses had the perception that data loss is something that will not happen to them and therefore may not be addressing the challenges. He continued that these challenges may be significant for some – they may not know where all their data is and therefore securing and being able to account for it would be difficult.
Steve Reed highlighted the difficulties of implementation. He gave an example of his time in local government at Lambeth Council where they adopted a simple data charter – all data will be published unless they were legally prohibited from doing so. However, they struggled to fulfil this as much of the council’s data was held in different places and in different formats making it difficult to publish in a useful way. He asked how public bodies can move incrementally towards a position of having data which can be interlinked.
Jonathan Cowie highlighted the difference between the private and public sectors in relation to consumer trust. All organisations had to address the increasing pace of change in use of data and consider how they manage data – both its security and how to publish it. However, the customers of public sector organisations cannot choose to go to another provider if they lose trust in the organisation’s ability to look after data – and this can have a particularly damaging effect on public organisations uptake of big data ideas.
Lord Scriven noted the growing tendency of consumers to assert that they own data rather than organisations and there was a significant difference between trust in a brand and trust in government.
Christopher Graham noted that most complaints received by the Information Commissioner’s Office were about nuisance phone calls but also cautioned that it was important to note that some data breaches are dressed up as cyber-attacks when they are more often the result of a failure by the organisations or individuals – leaving a laptop on a train for example.
Del Heppenstall said that there was an element of regulatory confusion in business as some aren’t sure of their responsibilities – particularly in relation to the upcoming EU General Data Protection Regulation.
Phillip Davies commented that whilst the discussion was about the importance of regulation in protecting information there was the opposite side to the data protection regulation debate – that many people are told by organisations that they cannot do something because of data protection rules. Christopher Graham said that it was certainly true that many organisations use data protection as an excuse. He highlighted the current consultation from government on data sharing in the public sector and of the need to be clear with customers about data sharing policies. He noted in particular the need for government to be much better at communicating what it is intending to do – he said this was the principle failure of the care.data scheme. Nothing can substitute explaining clearly to customers what you will and what you will not do with data; all organisations should do this.
Steve Reed noted the potential conflict in government adoption of big data initiatives –that whilst government may want to make more and more use of data justified by benefits to citizens, people may disagree with increased data collection and sharing.
Lord Scriven stressed the importance of a strategic approach to data management, rather than just technically how it is handled.
Chi Onwurah agreed that the issue was about management and not technical solutions, hence the need to focus on principles which empower the consumer/citizen.
There was a general consensus that the issue of importance was how organisations managed their data and the strategy they had behind its collection, protection and use, as opposed to just technical solutions to protect data.
Philip Davies brought the discussion to a close by asking for views on what government needs to do.
Christopher Graham highlighted the un-commenced Section 77 of the Criminal Justice and Immigration Act 2008 which would provide for prison sentences for criminal breaches of the Dara Protection Act. Currently only fines are available to sanction individuals and he stated that this was not a sufficient deterrent as many could just see the fine as a business cost.
Lord Scriven said we needed a policy from government around ownership of data and empowerment of consumers.
Lord McNally suggested a debate in Parliament on the issues as well as encouraging people to look at the government consultation on data sharing.
Jonathan Cowie thought that there was no specific action for government but that it was organisations’ responsibility to improvement trust amongst consumers.
Philip thanked everyone for attending and for their contribution.