WRITTEN ON July 25th, 2010 BY William Heath AND STORED IN Uncategorized

Getting government IT right isn’t my job – it’s John Suffolk’s job. It’s not even my job to opine about it. So now IdealGov has had that terrific burst of activity and energy getting an ideal government IT strategy during the election period * thank you all involved!!* let us chill for a bit. I propose yet another change of tack for this blog.

There’s too much exciting good stuff going on for me to keep abreast of. And I think the blog has covered the bad stuff many many times. So even if there’s new bad stuff happening – or far-from-ideal stuff persisting – there’s not much new to say about it, and perhaps not much point.

Like I said, I’m now very focussed on two new businesses: Ctrl-Shift Ltd and the social enterprise Mydex CIC. They’re both about customer-driven relationships, empowered customers or VRM which I first wrote about in 2007 here.

So IdealGov is going to focus for a bit on what all this empowered customer/user-driven data stuff can do for government and public services. I’ll declare my interests upfront and again. Ctrl-Shift provides professional research and advice about what this means in detail for large organisations. Mydex CIC is an entrepreneurial social enterprise, incubated by the splendid Young Foundation, which gives individuals the platform to make this happen.

First up, a Minister from the new administration got interested in all this and asked me to draft a broad paper on it, which I did with some help from Jerry and others. Here’s the text below.

Why we should give people their personal data back

The public sector needs to achieve radical efficiencies. It also needs to show improvements: more for less, better ways of meeting people’s essential needs and delivering better services. And not least, it wants to take a step back from the high economic and political costs of authoritarian centralism.

The problem/opportunity: personal data

One of the most damaging legacies of New Labour is in the area of personal data. The centralised “database-state” vision of Transformational Government, ID Cards, ContactPoint and centralised NHS systems including health records is expensive, dysfunctional, unpopular, insecure and prima facie of dubious legality.1

This approach to personal data is expensive and ineffective now, and likely to prove much more so in future if left unchecked. The approach taken shows poor understanding of the potential of the Internet, which is inherently interactive. The Internet can underpin democratising, cost-effective services for the citizen, and is wasted as an expensive control tool for the state. It fails to tackle the key weakness in online services: individuals have no convenient, effective sustained way to gain acceptance as trusted parties and to play a full and responsible role in ongoing relationships.

This short paper describes a far more effective alternative approach to personal data which makes best use of fast-evolving developments in online identity and authentication services, personal data stores, and “selective disclosure” capabilities. It restores responsibility for management and control over personal data where it generally belongs: with the individual.

We argue this will be more flexible, more respectful of people’s needs and preferences, and conform better to government’s human-rights and data-protection obligations. It will help a smaller, revamped public sector transform public service provision. But above all it will save cash in exponentially growing amounts in the short, medium and long term.

The new person-centric paradigm of volunteered personal information lays the foundation for the private sector to offer new entrepreneurial user-driven services, and for the public sector to become vastly more selective in what it does and responsive to people’s needs. Achieving this requires deep and enduring cultural change arising from strong political leadership. It does not, as far as we can tell, require new legislation or infrastructural investment.

First we offer a lay person’s introduction to the basic tenets of user-driven services based on volunteered personal information. If you’re already familiar with this please skip to the next section.

Lay person’s introduction to the personal data store

Here is a lay person’s introduction to how a person-centric approach brings the user into a structured relationship on a trusted basis. The concept it illustrates is variously called (in the UK) buyer-centric commerce or customer managed relationships or (in the US in the Harvard project of that name) vendor-relationship management.

1. Insoluble problems of the prevailing “organisation-centric” approach:

Credit: Cartoons by Alice Osborne of thinkpublic for Mydex CIC.

Today personal data management is all organisation-centric. The “customer-relationship management” approach has been to build large databases to create a “single version” of the truth about the whole customer. This appeared to promise cost-reduction, integrated call centres, outsourcing, cross-selling, targetted messaging, and personalisation.

But on its own this is a flawd model, leading to a failure of data logistics on a grand scale. The data is duplicated, incomplete, inaccurate and replicated again and again, not just over every organisation which claims a relationship with the individual but often many times within the organisation. It proves expensive. More aggressive attempts to improve the data (gather, scrape, buy and share more personal data) alienate the customer and erode trust. It’s incredibly wasteful for each organisation, and this is multiplied over and over again for each organisation. For the individual it wastes a vast amount of their time (perhaps one and a half weeks per householder per year to keep abreast of customer services of every sort).

2. New possibilities of the “person-centric” approach

This person-centric view shows the individual now equipped with a rich personal data store. Generically we call this a PDS. This one is labelled “Mydex”; many other companies are investing in such services. Different platforms will interoperate to emerging standards.2 The individual is able to manage data-sharing. The PDS holds their personal counterpart to the suppliers’ CRM systems. It covers categories such as their suppliers, travel, finance, health, admin.

The PDS record is more complex because unlike the organisation’s CRM record the PDS covers all of life. But the PDS holds far fewer records (just the individual and their dependents). The individual can then invoke third-party authentication or verification to prove claims and entitlement. They can make selective disclosure either per transaction, or on an ongoing basis “subscribe to me”. This is compatible with the public sector’s legacy IT investment, which is not wasted.

3. The big win-win when both work together:

With individuals thus introduced into on-line or mobile relationships in a structured and trustworthy way, the relationship looks outwardly pretty similar. Organisations still hold customer records. But customers are now able to help them deduplicate and correct these records, and to express their needs and preferences. The individual is more trusted, empowered to support claims (“I can drive; I’m over 18; I have credit”), able to “tell them once” and able to configure the messaging they get from business and public services.

It becomes both easier and more efficient to configure exactly the right service around individuals specific needs and circumstances. This underpins participative public services (which maximise self-service and personalisation) and “lean” service management processes (ie working towards producing the right service at the right time at the right place eliminating waste, duplication and guesswork).

This also opens up countless new service opportunities based on structured “volunteered personal information” from the customer. Beyond saving money and improving public services lies a wave of profitable entrepreneurial growth in services provided on the side of the individual.

How much would this save?

The savings from self-service and more rational information logistics come in three stages.

There’s an existing cost to maintaining multiple versions of personal data with today’s bad logistics; a cost to running multiple channels and services with poor data; and a cost to providing the wrong services. The full savings figure will therefore depend on many variables, and on how well the user-driven model is executed. But we would suggest as a starting template:

* short term it’s cheaper to maintain data when customers help. They can merge duplicate records, advise of changes of circumstances, configure their preferences etc. Many organisations can place a cost on each missing email address, each incorrect phone number. Target savings: of the order of £1 per customer per year for the typical customer database: £500m a year for the public sector by 2012

* medium term it’s cheaper to run 100% online services (councils assume face to face costs £12, phone £5 and web 20p per transaction). Online transactions work better when they’re interactive and user-driven, when users are more confident and can accumulate and prove trust. It’s also cheaper to run effective services on the back of clean, verified customer data. You can plan and target better, and eliminate waste and fraud. Target savings: in the order of 10% of public-service admin costs: £5bn a year by 2015

* long-term Disintermediation lies behind the success to date of services such as Amazon and eBay, but real user-driven services go further. It starts to become possible to run “lean” services and to stop doing unnecessary things people never needed or don’t really want. Customers with a trusted channel to share deep preferences and future plans can share a basis on which public services provide just what they need, and little else. This might save 40% of total cost in some major sectors: Target savings: £50bn a year by 2020.

Just as important, and likely to be more substantial, are the aggregate savings to individuals in terms of their time. This is beyond the scope of public expenditure numbers and targets, but it greatly affects productivity and quality of life. Hospital efficiency isn’t just about cost per patient or time spent by staff with each patient: it’s about how much time the patient spends at the hospital before they’re even seen, or how much time they spend getting into the hospital system in the first place. A user-driven approach would quantify this, and we should aim to halve the time wasted by people dealing with public services.

What it will take to get this going?

1. Fix UK online identity (ID) policy. The UK’s policy should utilise the emerging market of third-party ID and authentication providers. Whitehall’s pre 11 Sept 2001 policies articulated this very well in their time. To get back on the right track we should dust them down to create a policy far closer to the current US National Strategy for Trusted Identities in Cyberspace.1

A side-effect of sorting on-line identity will be to make long overdue basics like email and online messaging for all public services more trustworthy. Not that there is any excuse for not supporting them already eg for tax enquiries.

2. Support the emerging personal data store agenda and standards. Dozens of private-sector businesses are now active in this area including several UK entrepreneurs. Mydex starts live service in September 2010 with RB Windsor & Maidenhead, the social network NetMums, and several major public sector bodies receiving change of circumstance data from individuals.

To start this process, public services need to agree to start to receive – as files, by email, or through web services – suitably authenticated feeds of volunteered personal information. Quite quickly it will prove cost-effective to integrate this directly into existing systems. Technically capable organisations will find this straightforward even if some outsourced service suppliers may grumble and try to make onerous charges.

There are emerging standards; commissioning to them keeps the investment safe and helps create an efficient and healthy market.

3. Systematic assessment across all lines of public service of how applicable a user-driven approach is. No-one suggests criminals should be invited to edit their criminal records. But the implications in terms of efficiency and empowerment of personal, portable education records are immense. The implications of personal, portable health records may be bigger still. There are a wealth of sector-specific issues to start to resolve, but many of the issues and benefits will overlap across sectors to a substantial degree. And to the individual the experiences will converge to become the same thing. The same applies to welfare, job-seeking, the census, location-based services, smart energy meter data, services to small business etc

The existing UK trust framework will need to be updated to provide appropriate levels of determination with regard to the level of proof public services require for different purposes. User-driven approaches will rapidly support the highest possible levels of proof. The market will of course get going faster if public services set realistic barriers to the levels of proof they require, broadly equivalent to existing processes in, for example, call centres.

“Give us our data back” day

Once these three steps are taken, (online ID, receiving VPI from personal data stores, and impact assessment by public service line) Government could, if it wishes, announce a series of “Give us our data back” days.

“Give us our data back day” would be a powerful statement of personal liberty, handing back responsibility for personalisation of elective public services to the customer. It is a powerful and coherent official response to the stirrings for “data liberation” or “data independence”arising from users’ frustrations with social networks and other services which purport to serve customers but take their data and then claim to “own” it.

This would see a variety of Ministers responsible for suitable service lines driven by personal data declare a date when the state will return to the individual data the individual needs which can rightly be seen as theirs.

A date in April 2012 might see the return of the education record of attendance and attainment to the individual. Another date could see personal data returned to the job-seeker, and another (after lengthy and careful discussion with the professions) large parts of the health record.

One powerful statement would be the return in structured electronic format of our financial data, including transaction data, from banks. Another would be the return of pension data from the newly-created NEST.

Together these would populate our personal data stores with our financial data and pension records, and also help create much-improved online identity-assurance services for the individual. These actions would be more than enough to catalyse a healthy personal data ecosystem, and richly to populate people’s personal data stores. This would raise the bar for the private sector – supermarkets, credit-reference agencies, on-line shopping services. For years Government has trailed the likes of Google and Facebook in online behaviour; this initiative would have government leading by example in showing the right way to treat people’s personal data.

The mechanism could become very simple: once verified online, the individual could make a one-click “subject access request” under the Data Protection Act, and their entire digital record is restored to the data subject.

This approach to personal data needs to be built into our social DNA quickly. Emerging categories of personal data are even more revealing than CCTV about our personal lives: mobile phone location data; data from smart energy meters. There’s still time to avoid the mistakes of Connecting for Health in how we conceive the smart grid. Detailed energy use data should reside with the individual. The company should store and share no more than it needs for billing.

Individuals can then use their data to apply for jobs, to prepare for care episodes. The power of mashups – so effective for public data sets – can be put to work for the individual too. New services might let them, for example, mix their health data with diet and exercise data to develop personal wellness, or finance and location data to support their travel plans.4 They could sell their feedback to marketing agencies, or sell their intention to purchase cars or insurance in an open market for customer sales leads.

The possibilities are bounded only by our imagination and the energy of the market. But the economic potential is evidently substantial: Ctrl-Shift estimates the flows of such volunteered personal information in the UK will overtake display advertising by 2017 in value and be worth £20bn a year by 2020. That’s ten times as big as Google in the UK today.

Whom do we have to persuade?

It won’t be easy to achieve a change of heart and mind among those who have worked long and hard under false promises towards the existing paradigm of solely organisation-centric “customer-relationship management” as the solution to everything. This is not because there isn’t a powerful case to be made for bringing in the person-centric model – there is. It’s just a substantial undertaking to overturn the vested assumptions and interests of a generation of IT directors, suppliers, finance and customer service experts. But it has to be done.

The easier task is persuading the man in the street, the householder, the voter that their personal data belongs to them. A Ctrl-Shift survey of 3000 UK adults in 2010 found that 92% were “bothered or angered by people holding personal data about them”. People agree, for example, that:

* their personal data should be looked after more carefully
* government has a poor track record as steward of their personal data
* their personal data should be treated as more valuable than it is today
* they are asked for their details too often
* it’s a major hassle
o dealing with customer services
o getting the right messaging from organisations (ie hearing what they need, and avoiding spam and inappropriate communications)
o sorting out all the different services one needs to when moving house or after an episode like losing a wallet
* they need better tools to manage their personal data from usernames and passwords to detailed data backing up their shopping, healthcare, finances and dealings with government
* instead of organisations making them tick meaningless legalese privacy policies they wish organisations had to sign the individual’s privacy policy before acquiring personal data
* that if a profit is to be made from buying and selling personal data, the data subject themselves should be involved, not least because they and only they know the most valuable things about themselves (eg their future intentions)

To date government has thought the answer was for the state to acquire and aggregate more and more of our personal data in massive central databases. That approach failed, with high economic and political costs. The natural and only feasible point of integration for organisation and management of our personal data is, of course, ourselves. That needs to be reflected in the cultural and technical assumptions that underpin government’s approach to the online economy (“Digital Britain”) and the UK’s public services.

The coalition government and its advisers take a more decentralised approach, more in line with human rights and individual liberty and more in tune with the man in the street.

We hope the basic premiss of this paper is easy to accept, and straightforward to start to act on. There will of course be far more questions of detail in this huge change over the next decade than one can predict today. But the present approach has done too much damage already. The time to declare a fresh start is now.

About the authors/declaration of interest:

William Heath is an entrepreneur who also works on digital rights. He’s a cofounder of the public-sector IT research firm Kable (now sold to GNM), the not-for-profit Open Rights Group, the Mydex CIC social enterprise and the research and advisory group Ctrl-Shift Ltd.

Jerry Fishenden has been Microsoft’s chief technology officer, head of business systems for the chief financial services regulator; as head of the Parliamentary data and video network; and as a director of IT in the NHS. He is a visiting senior Fellow at the LSE.

Further contributions and comments by David Alexander, Iain Henderson, Alan Mitchell, Liz Brandt, Phil Booth and others who ask to remain anonymous.

Ctrl-Shift Ltd provides research and advice to large organisations on what to do about the emergence of the empowered customer. Ctrl-Shift’s four founders have 60 years’ aggregate experience in gathering evidence for, articulating and mapping out the user-driven model of service provision and understanding the best future for public-sector IT.

Mydex CIC, a Young Foundation project, is an asset-locked social enterprise which enables people to realise the value of their personal data. Mydex starts the world’s first live service of user-driven data (with independent verification and selective disclosure) in autumn 2010. Mydex can be rapidly scaled up if this approach passes all the tests of social, consumer, technical and political needs.

Footnotes:
1. Database State; Joseph Rowntree Reform Trust, Prof. Ross Anderson et al
2. See for example the World Economic Forum paper Rethinking Personal Data workshop summary, June 2010
3. The first commentable draft appeared 5 July 2010 at http://www.nstic.ideascale.com/
4. See for example FitBit or Philips DirectLife for health, dopplr.com for travel plans and Wesabe.com for finance
4. It is not known how many personal records the public sector holds, but it is often far more than one per organisation; one council might have up to nine records of the same person. Whitehall has certainly 50 and probably more like 200 databases of substantial parts of the population. So we could estimate the total number of records as in the range 1-10bn (ie equivalent of 20 to 200 databases of the entire population). In its client work Ctrl-Shift has found that public-sector costs per record per year vary from under £1 to over £100.