As part of its 'midata' initiative to empower consumers, the Department for Business, Innovation and Skills has been consulting on a proposal to give the Secretary of State a general power that "might be exercised broadly or in a more targeted way" to compel suppliers to supply transaction data at a consumer's request. In the interests of transparency, I've summarised below my response to the consultation. As previously explained, I should mention that I've been involved in the midata Interoperability Board from its inception in 2011.
General Comments:
'Midata' scenarios involve consumers' transaction data being returned to them in a way that enables them to use it to improve their purchasing decisions. This reflects an existing, yet evolving, commercial trend that is developing positively. Many businesses provide customers with their personal transaction history through 'my account' functionality which enables downloads. In addition to price comparison sites, other intermediaries are evolving to help consumers identify where data is stored, as well as to gather, share and analyse it.
It is acknowledged that there are certain operational risks involved in the widespread sharing of such data, and various suppliers, intermediaries, officials and consumer representatives are co-operating to address these. One example is the work done by the World Economic Forum 'tiger-teams' on "Rethinking Personal Data" (here's my note of the London session).
Government is also playing a very helpful role in fostering an environment in which suppliers can evolve best practice in the management of operational risks, as illustrated by the Midata initiative. Official guidance in the area includes the UK Information Commissioner's guidance on data sharing.
These initiatives are sufficiently flexible and adaptable to support innovation rather than to stifle it. There is no evidence that these approaches are failing to adequately address the operational issues identified.
Regulation, on the other hand, is more rigid and often has unintended consequences that are hard to rectify in a timely fashion, particularly where it is general in nature and not evidence-based. As a general principle, prior to granting powers there should be clarity concerning the basis for their exercise, applicable exemptions, sanctions and other checks and balances.
Risks or undesirable consequences from exercising a power to require certain data to be released electronically could also include:
- undermining the cooperative approach to addressing operational risks and the evolution of best practice described;
- reducing the flexibility and adaptability of risk management measures and stifling innovation;
- paralysing development until market participants are clear on the basis for the exercise of powers, applicable exemptions, sanctions and avenues of review or appeal.
So, while it is worth exploring whether a power of the kind proposed might encourage industry participants to act appropriately, it is difficult to support it in the circumstances described above.
Rather, in my view, the government should continue to foster (and participate in) an environment in which best practice can evolve rapidly and flexibly; survey the rate of take-up of appropriate services and the adequacy of operational risk management; and issue guidance where appropriate. This would enable an evidence-based approach to regulation in due course, if necessary.
Obligations for Specific Sectors or Data Types?
While all suppliers with consumers or micro-businesses as customers should be encouraged to participate in the 'midata' trend, I would be concerned that a regulatory obligation to provide transaction data to such customers may cause some businesses to withdraw from those markets.
This trend should also naturally pick up useful data that is not currently in digital format. However, I would be concerned that any mandatory obligation focused only on data held electronically will discourage businesses that would otherwise 'digitise' offline data from doing so.
Impact of the Proposed Mandatory Approach
My concern is that the proposed regulatory approach would be too narrow in its focus and effect. The WEF process has established that Midata scenarios require a holistic approach to the various challenges inherent in returning data to customers electronically. The value and utility of personal data is a hugely complex dynamic that varies by:
- the context or the activity we are engaged in,
- which persona we are using at that moment,
- the actual data being used or provided,
- the permissions given,
- the rights that flow from those permissions, and
- the various parties involved.
We need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. Such rules must be capable of being simplified at the customer level, understood in terms of specific rights and obligations at the legal and regulatory level, and ‘coded’ to ensure that computers handle the data consistently with these rules.
The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that does not make it impracticable for any necessary participant in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.
By way of example, the current ambition of the WEF is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the Creative Commons copyright licensing system). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.
Who Should Be Able to Request Data?
Consumers and businesses employing fewer than 10 people ("micro-businesses", most of which are owned and operated by individuals) should be entitled to request a supplier to provide their own transactional data, either to the customer or to a specified third party. Alternatively, a third party who is duly authorised by the customer should be able to seek the customer's data in electronic format directly from the supplier.
The terms and conditions and other information that are required to be made available to the consumer under applicable law (e.g. Distance Selling Regulations) should be included with the transactional data related to the goods or services covered by those terms and conditions.
Formats and Response Times
The government should not mandate formats, since internet-based technology allows for the development of 'mark-up languages' that allow sharing of data in different formats, as described above.
Appropriate response times will be contextual. Guidance should encourage standing 'my account' functionality accessible by the individual logging in, rather than a request-and-response model. However, where a request-and-response model is adopted, the response should be 'prompt'.
Should Suppliers Be Able to Charge for Releasing 'midata'?
Suppliers should not be prohibited from charging specifically for releasing transactional data, but should be encouraged not to. In practice, however, 'my account' functionality is not really 'free' in any event, since its cost is reflected in the price of the related goods or services.
It's conceivable that some suppliers might wish to be transparent about the price of goods versus the price of supporting services. In cases where few consumers access their data, it may not be appropriate that all consumers end up paying for the functionality. However, it is important that any directly applicable charges should be reasonably proportionate to the cost of making the data available, including a reasonable profit margin (e.g. 20%). There are similar regulatory requirements in relation to certain fees in the financial services industry, for example.
Enforcement and Supervisory Bodies
It is likely that access to personal transaction data will be included as a right and/or obligation in customer terms and conditions, and customers should be free to enforce these in the same manner as any other provision in that contract, including through the courts or alternative dispute resolution as necessary.
In the event regulation is required, any enforcement activity in this area could be handled in the context of personal data regulation, general consumer regulation, or regulation related to dealing with consumers in specific sectors. Accordingly, appropriate enforcement bodies would include those listed below, with the Information Commissioner's Office taking the lead:
- Information Commissioner's Office
- Office of Fair Trading
- Trading Standards Institute
- Citizens Advice
- Key sector regulators, e.g.:
  - Financial Services Authority
  - Ofgem
  - Ofcom
Prior to the advent of regulation, these bodies could participate in fostering an environment in which suppliers, intermediaries, officials and consumer representatives can evolve best practice in the management of those risks.
Under any necessary regulation, the enforcement bodies could be empowered to order disclosure and/or fine suppliers, intermediaries, etc. for failing to disclose, for security breaches and so on.
As this trend develops, one could expect to see a decline in data subject access requests under the Data Protection Act 1998, and any related enforcement activity by the ICO.
I'm interested in your thoughts.