As part of its 'midata' initiative to empower consumers, the department of Business Innovation and Skills has been consulting on a proposal to give the Secretary of State a general power that "might be exercised broadly or in a more targeted way" to compel suppliers to supply transaction data at a consumer’s request. In the interests of transparency, I've summarised below my response to the consultation. As previously explained, I should mention that I've been involved in the midata Interoperability Board from its inception in 2011.
'Midata' scenarios involve consumers' transaction data being returned to them in a way that enables them to use it to improve their purchasing decisions. This reflects an existing, yet evolving commercial trend that is developing positively. Many businesses provide customers with their personal transaction history through ‘my account’ functionality which enables downloads. In addition to price comparison sites, other intermediaries are evolving to help consumers identify where data is stored, as well as to gather, share and analyse it.
It is acknowledged that there are certain operational risks involved in the widespread sharing of such data and various suppliers, intermediaries, officials and consumer representatives are co-operating to address these. One example is the work done by the World Economic Forum ‘tiger-teams’ on “Rethinking Personal Data” (here's my note of the London session). Government is also playing a very helpful role in fostering an environment in which suppliers can evolve best practice in the management of operational risks, as illustrated by the Midata initiative. Official guidance in the area includes the UK Information Commissioner’s guidance on data sharing.
These initiatives are sufficiently flexible and adaptable to support innovation rather than to stifle it. There is no evidence that these approaches are failing to adequately address the operational issues identified.
Regulation, on the other hand, is more rigid and often has unintended consequences that are hard to rectify in a timely fashion, particularly where it is general in nature and not evidence-based. As a general principle, prior to granting powers there should be clarity concerning the basis for their exercise, applicable exemptions, sanctions and other checks and balances.
Risks or undesirable consequences from exercising a power to require certain data to be released electronically could also include:
- undermining the cooperative approach to addressing operational risks and the evolution of best practice described;
- reducing the flexibility and adaptability of risk management measures and stifle innovation;
- paralysing development until market participants are clear on the basis for the exercise of powers, applicable exemptions, sanctions and avenues of review or appeal.
So, while it is worth exploring whether a power of the kind proposed might encourage industry participants to act appropriately, it is difficult to support it in the circumstances described above. Rather, in my view, the government should continue to foster (and participate in) an environment in which best practice can evolve rapidly and flexibly; survey the rate of take-up of appropriate services and the adequacy of operational risk management; and issue guidance where appropriate. This would enable an evidence-based approach to regulation in due course if necessary.
Obligations for Specific Sectors or Data Types?
While all suppliers with consumer or micro-businesses as customers should be encouraged to participate in the 'midata' trend, I would be concerned that a regulatory obligation to provide transaction data to such customers may cause some businesses to withdraw from those markets.
This trend should also naturally pick up useful data that is not currently in digital format. However, I would be concerned that any mandatory obligation that is focused only on data held electronically will discourage businesses who would ‘digitised’ offline data from doing so.
Impact of the Proposed Mandatory Approach
My concern is that the proposed regulatory approach would be too narrow in its focus and effect. The WEF process has established that Midata scenarios require a holistic approach to the various challenges inherent in returning data to customers electronically. The value and utility of personal data is a hugely complex dynamic that varies by:
- the context or the activity we are engaged in,
- which persona we are using at that moment,
- the actual data being used or provided,
- the permissions given,
- the rights that flow from those permissions, and
- the various parties involved.
The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that does not make it impracticable for any necessary participant in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.
By way of example, the current ambition of the WEF is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system ). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.
Who Should Be Able to Request Data?
Consumers and businesses employing fewer than 10 people ("micro-businesses", most of which are owned and operated by individuals) should be entitled to request a supplier to provide their own transactional data, either to the customer or to a specified third party. Alternatively, a third party who is duly authorised by the customer should be able to seek the customer’s data in electronic format directly from the supplier.
The terms and conditions and other information that are required to be made available to the consumer under applicable law (e.g. Distance Selling Regulations) should be included with the transactional data related to the goods or services covered by those terms and conditions.
Formats and Response Times
The government should not mandate formats, since internet-based technology allows for the development of 'mark-up languages' that allow sharing of data in different formats, as described above.
Appropriate response times will be contextual. Guidance should encourage standing ‘my account’ functionality accessible by the individual logging-in, rather than a request-and-response model. However, where a request-and-response model is adopted, the response should be ‘prompt’.
Should Suppliers Be Able to Charge for Releasing 'midata'?
Suppliers should not be prohibited from charging specifically for releasing transactional data, but be encouraged not to. In effect, however, ‘my account’ functionality is not really ‘free’ in any event since there is a price to the related goods or services.
It's conceivable that some suppliers might wish to be transparent about the price of goods versus the price of supporting services. In cases where few consumers access their data, it may not be appropriate that all consumers may end up paying for the functionality. However, it is important that any directly applicable charges should be reasonably proportionate to the cost of making the data available, including a reasonable profit margin (e.g. 20%). There are similar regulatory requirements in relation to certain fees in the financial services industry, for example.
Enforcement and Supervisory Bodies
It is likely that access to personal transaction data will be included as a right and/or obligation in customer terms and conditions, and customers should be free to enforce these in the same manner as any other provision in that contract, including through the courts or alternative dispute resolution as necessary.
In the event regulation is required, any enforement activity in this area could be handled in the context of personal data regulation, general consumer regulation, or regulation related to dealing with consumers in specific sectors. Accordingly, appropriate enforcement bodies would include those listed below, with the Information Commissioner's Office taking the lead:
- Information Commissioner’s Office
- Office of Fair Trading
- Trading Standards Institute
- Citizens Advice
- Key sector regulators, e.g.:
- Financial Services Authority
Prior to the advent of regulation, these bodies could participate in fostering an environment in which suppliers, intermediaries, officials and consumer representatives can evolve best practice in the management of those risks.
Under any necessary regulation, the enforcement bodies could be empowered to order disclosure and/or fine suppliers, intermediaries, etc for failing to disclose, security breaches and so on.
As this trend develops, one could expect to see a decline in data subject access requests under the Data Protection Act 1998, and any related enforcement activity by the ICO.
I'm interested in your thoughts.