Public dialogue on the use of data by the public sector in Scotland

This report presents the findings from a public dialogue on the use of data in Scotland commissioned by the Scottish Government to explore the ethics of data-led projects. The purpose of the panel was to inform approaches to data use by the Scottish Government and public sector agencies in Scotland.


The panel’s starting point

This chapter outlines the various entry points at which participants joined the panel, their reactions to the initial information provided, and the sorts of questions they raised. It provides the baseline against which later findings can be compared, as participants’ views on key topics developed over the course of the dialogue. It also highlights useful lessons for future engagement on public sector use of data.

Members of the panel were recruited from across Scotland and it was emphasised that they did not need any prior knowledge to take part, just a willingness to listen and share views. Participants therefore came with varied knowledge, interests and understanding in relation to the use of data about citizens by the public sector.

In session one, the panel started learning about some of the key concepts that would help them in later deliberations. They heard three presentations which introduced the DIN, outlined data protection and the legal context surrounding data use, and summarised some key concepts in relation to data ethics.

Varied expectations and starting points

At the start of session one, participants were asked to share their hopes and fears about the process that lay ahead. Expectations varied, but common words used were “curious”, “interested” and “intrigued”. Topics they were interested in finding out more about included: how data were protected, how the public sector uses data and why, and the extent to which “personal” or “private” information was accessed by the public sector.

Participants had different starting points in terms of their experience of and interest in data. Some were involved in aspects of data protection in their jobs, for example through working in IT or being data controllers for their projects or clients. Some framed their experience of data in terms of their online lives, for example mentioning that they were concerned about their online footprints and that they disabled cookies or targeted ads to reduce the amount of data being collected about them. Others brought no prior experience or shared any specific perspectives on data. Across the board, however, there was an appetite to learn and explore the topic further.

“I was interested in taking part in the project as data is very important. It's important to understand how data is used and what parts are kept and passed on to other organisations…If organisations have too much data, that can be a concern.” (Session one)

Participants also shared expectations about their involvement in the panel itself and, while there was some trepidation about what it would involve, they generally felt positive about the opportunity to share their views and have their voices heard.

Broad trust in the public sector from the outset

Participants started the dialogue from a broad position of trust in the public sector using data about citizens, but with mixed levels of awareness of how data were used and the legal frameworks that underpin data use.

Before they heard from any external specialists, participants were asked the extent to which they trusted the Scottish Government and the public sector to use data about citizens for the public good. The dominant sentiment at this early stage was one of trust. This was based on the assumption that strict guidelines were in place to govern public sector use of data. It was also driven by a broader sense that the Scottish Government exists to deliver services that are for the public good.

“While data can be misused, you have to assume the majority of people in government are going to want to try to move to something better, helpful and easier for people, and to generally do good things rather than bad things”. (Session one)

Among the few participants who were less trusting in public sector use of data, reasons for this related to a general distrust in government and a feeling that data were “over-shared” and that organisations (not just the public sector) have too much access to individuals’ data. Concerns about potential data breaches were raised, including examples from outside the public sector, such as the Facebook-Cambridge Analytica scandal where the personal data of millions of Facebook users was collected without consent.[12] There was also a sense that the public are not well informed about when and how their data were used, which leads to mistrust.

“I don't think it's that transparent about what data they are collecting and what the purpose is, why they're collecting it. And along with that, how secure and how do they manage to make sure that it's always up to date? I guess I don't have visibility of any of that”. (Session one)

Trust in public sector use of data was framed relative to that of the private sector, of which participants were more cautious. Early in the dialogue, there was less confidence in the safeguarding of data by the private sector than the public sector. There was a perception that government and the public sector took data security seriously, but that standards were not as high or as consistent within the private sector (the findings of the additional workshops which explored private sector involvement in more detail can be found in a separate report).

“From the public sector, I feel fairly confident that there is safeguarding in place…I’m interested in different organisations that may not follow the same safety standards…. Maybe [private sector] organisations need to go through ethical standards training on handling public information.” (Session one)

Mixed awareness and understanding about the legal context

Participants came with mixed levels of awareness of how data was used and the legal frameworks that underpin data use. In session one, participants were given an overview of the UK General Data Protection Regulation (GDPR) and the Data Protection Act (2018) and the key principles of the legislation. Prior to hearing these presentations, participants' awareness of existing data protection legislation had varied, from those who were knowledgeable about data protection law through their own jobs, to those who said these were relatively new terms for them.

Participants considered the legal context to be complex and described the information presented to them as dense and difficult to digest. However, the existence of the legislation provided a sense of reassurance that a system was in place to protect data. Navigating the relationship between the legal and ethical issues associated with data use was an ongoing challenge for the panel as deliberations progressed.

One example of this was the issue of consent. Consent was introduced to participants in session one, both from a legal perspective as a lawful basis for processing personal data under GDPR and from an ethical perspective in terms of balancing individual and public interests. Participants revisited consent at different points throughout the dialogue and there was an ongoing struggle to reconcile consent (i.e. the importance of individuals having a choice about their data being used and the right to privacy) with other issues, such as the quality of data (i.e. gaps in information leading to poor policy decisions) or the context (i.e. needing to respond quickly in an emergency).

Low awareness of levels of identifiability in data

In the first session, participants learned about the different ways in which data was collected, the form it could take, and the varying levels of identifiability in data. There was low awareness initially about what was meant by the different types of data – anonymised, pseudonymised, or de-identified – and the extent to which individuals would be identifiable. Participants asked for clarity on these concepts, and over the course of the dialogue participants continued to revisit these terms and clarify their understanding.

A question raised by the panel in session 1:

  • “When data is shared for research purposes, is it de-identified? And have people consented to their data being shared for this purpose?”

Lack of clarity around the role of the Data and Intelligence Network

The information provided in the presentation about the DIN gave some reassurance that there was a system in place to oversee public sector use of data, in particular the ethical framework[13] that the DIN expected members of the Network to adhere to when running their data projects.

However, following the presentation, participants were still not clear about the role of the DIN. The panel asked a range of questions to build their understanding about the DIN’s purpose, structure, and the extent of its influence:

Some questions raised by the panel in session 1:

  • “Where does the DIN fit within the public sector – are they part of the Scottish Government? Are any private sector organisations involved in their work?”
  • “Is the network mainly just in place to manage ethical standards, or are they a group collective that decides what [data] should be shared between organisations?”
  • “How are decisions made about what kind of data is shared with which kind of organisations?”

Uncertainty about what the exact role of the DIN was persisted for some participants throughout the dialogue, as the distinction of roles and responsibilities between the DIN team and other members of a data-led project team were not clear to them.

Questions over the role of the panel

The presentation on data protection generated further questions around how decisions were made in relation to data ethics and who made those decisions. This also led some to question the role of the panel:

Some questions raised by the panel in session 1:

  • “If data sharing should be done ‘to serve mankind’, who decides what mankind is?”
  • “If GDPR and DPA set policy, what is our role in this public panel?”

The presentation on the ethical issues helped to settle this in participants’ minds to some extent, with the understanding that something might be legally acceptable but not morally acceptable. A further recap on the role of the panel was presented at the beginning of session two; feedback suggested that this made the purpose clearer and enabled the panel to move forward with their deliberations, which included thinking about who should make decisions about data use.

The panel’s appreciation for the complexity and subjective nature of data ethics evolved as they became more familiar with different types of projects.

The following chapters summarise the key findings from the panel’s review of data-led projects that the DIN had been involved in previously, or were considering their future involvement in.

Contact

Email: michaela.omelkova@gov.scot

Back to top