Tuesday, April 18, 2017

Governments' use of data is scary

The answer to poor government is always more government, at least amongst those who are part of the Leviathan. New Zealand's National Government says it is driven by values of 'personal responsibility' and 'limited government' and Prime Minister Bill English has talked a lot about reducing state dependency and targeting services to those in highest need. He has been explicit about how he plans to do this, most recently in his statement to Parliament in February in which he said, 'the Government will this year further improve the way in which data is used to underpin decision making through initiatives like the Integrated Data Infrastructure.'

The Integrated Data Infrastructure (IDI) is a big database held by Statistics New Zealand that receives feeds from many government and some non-government organisations, including the Ministry of Social Development, Inland Revenue, Ministry of Education, Ministry of Health, Department of Internal Affairs, Ministry of Justice and New Zealand Police. There is a belief that the data in the IDI is anonymous but that is not true. The database uses a common identifier to link the records from the different agencies and, although sufficient personal information to readily identify the person is not usually provided to third parties, the IDI records are linked to real people.

I have had a great deal of experience in the use and protection of information both in the private and public sectors and I believe many people in government have little idea of the risks involved in the aggregation of data. Even if we accept that government agencies are good stewards of people's data (and, as I show below, the evidence is that they are not), the IDI opens up this data to almost anyone who wants to use it. There is an application process but few checks on those who apply. I do not believe those responsible understand the power of technology available to mine and de-anonymise the data, and they have little appreciation of how it might be used.

An overseas example of the risks is the United Kingdom's experience with care.data, a National Health Service initiative to aggregate health and social care data and make it available for research purposes. Soon after the initiative was launched in 2013, it was rumoured that private sector organisations such as insurance companies were de-anonymising the data to reveal whether customers were withholding information on pre-existing conditions and risk factors such as mental illness. A report into the risks concluded that 'the current care.data program is highly problematic in its flawed protection of patient anonymity, an unsuitable opt-out system, unclear criteria for accessing the collected health data, and the risk it poses to the trust between patients and general practitioners.'

There are many other examples of the lack of adequate protection for individual data in government, including here in New Zealand. The 2012 revelation that Ministry of Social Development's self-service kiosks could be used by anyone to access confidential details of at-risk children is just one example. I have personally seen other examples of significant security flaws in agencies' information systems that have not been revealed publicly. But the risk is not confined to the information falling into the wrong hands - there is also considerable scope to link the wrong data to the wrong person. Statistics NZ admits that 'some records can be linked incorrectly or the link could be missed'. I am sure I don't need to spell out the implications of a law enforcement agency using incorrectly linked data.

I think governments' increasing aggregation of personal information and policies of allowing almost unrestricted access to it are dangerous and unnecessary. I accept that there is the potential to deliver services to people more effectively by better understanding their needs - after all, this is exactly what Amazon and every other online merchant does - but the risks with governments misusing the information are far greater. The worst Amazon can do is to try to sell you something you don't want, but if the government draws the wrong conclusion from the data, it could destroy your life.

I think it would be better to rethink the role of central government in providing many of the services for which it believes it needs aggregated data. People in need can be better served by local service providers that are closer to the people requiring the services, using information collected from the individuals concerned and those in the community who understand their needs better than any central government agency. The more government tries to manage and target the services it delivers through centralised aggregation of information, the more intrusive into all our lives it needs to become and the greater the risk of wholesale misuse of the data. Central government is always a blunt instrument when it comes to dealing with the problems in individuals' lives and trying to build a sharper sledgehammer is not the answer when what is needed is a scalpel.

paul scott said...

You have invented a new word haven’t you. De anonymising.
A new word and a new meme for the citizens of Big Sister bitch.
A neologism for us to come to grips with. A Kiwi wit writ if you like.
Well at least we have you to tell us what the Orwellian integrated data system actually means.
Imagine Bill English, so sick and patsy, a sallow Slackjaw copy; he posts on Facebook what he eats.
A Government empty of concern for us; its only policy to be re-elected.
Slackjaw called all this stuff pragmatic Government.
Even in the face of worldwide revulsion against empty and dishonest Governments such as this Nat monster, we are still nothing except votes, every so often.