Public Acceptability of Cross-Sectoral Data Linkage

4 THE DATA LINKAGE FRAMEWORK

4.1 Participants were given a presentation by the research team on data linkage and the Data Linkage Framework (A copy is provided in Appendix B). This covered:

• what data linkage is and how it is undertaken
• benefits and risks of data linkage (with reference to case study examples)
• why a Data Linkage Framework is deemed necessary
• the proposed Framework, including the Guiding Principles

4.2 This chapter explores participants' overall reactions to the Data Linkage Framework and the extent to which the Guiding Principles reassured them that data linkage would be governed appropriately. It also considers views around ongoing public engagement in the development of the Framework and how this might be achieved.

Overall reactions to the Data Linkage Framework

4.3 Similar to Aitken's (2011a) findings on attitudes to the linking of social care, housing and health data, most participants' initial reaction to the Data Linkage Framework was one of qualified support: They felt that it was a good idea in principle, but that its success would depend on it not being "abused" or "manipulated", either by public bodies or individuals within those bodies. It was clear that the provision of information about linkage had gone some way towards ameliorating many of participants' initial concerns about it, particularly in respect of anonymity, sanctions and, more generally, the types of research that would be conducted using linked data.

4.4 Stated benefits of data linkage that participants found particularly compelling were:

• the more efficient use of public resources - it was acknowledged that more data linkage would help to reduce duplication in data collection and research. (One participant suggested that the Scottish Government should publish details of how much money the scheme would cost to set up and run and how much it would save)
• improvements to service provision through the better use of data to identify which services are required and where
• the formalisation of procedures to improve the protection of personal data - many participants thought that data linkage was already happening in Scotland and were reassured that it would now be subject to greater control.
• benefits for the Scottish economy through investment in research and job creation

4.5 A small minority of participants remained very sceptical about data linkage, however, regarding the Framework as the "thin end of [a] wedge" that would ultimately lead to the Government holding large databases of information about every aspect of individuals' lives - the term "big brother" cropped up again here. Several of these participants went on to express concern that the databases could be sold to commercial companies in order to generate much needed public finance.

And what's the next step? Are we going to be integrating this, that and the other?… I'm a bit dubious, because that's where it seemed to be steering towards, the creating of resource for somebody who may not technically have our best interests at heart.
(Male, aged 35-49, Glasgow)

4.6 Regardless of whether their overall initial reactions to the Framework were generally positive or negative, most participants went on to engage critically with the information provided in the presentation, raising a number of concerns and issues for discussion. These broadly reflected the main themes that had emerged earlier in the events and centred around:

• who would oversee the operation of the Framework
• who would have access to linked data, and specifically whether this would include commercial companies
• challenges involved in keeping the data secure
• how individuals' privacy would be protected; in particular to prevent unsolicited contact from commercial companies
• the potential use of linked data for greater 'profiling' or 'labelling' of individuals and groups - there was a sense in which the presentation has served to heighten these concerns for a number of participants, some of whom were moved to describe very specific personal experiences of labelling and the negative impact this had on their lives
• where overall accountability would lie if linked data was lost or stolen

4.7 These issues, along with participants' suggestions for how they might be addressed in the context of the Framework, are considered over the remainder of this chapter, which explores in detail views around the Guiding Principles.

4.8 Notably, the issues were discussed in relation to data linkage generally. There was very little explicit differentiation between particular sector-to-sector linkages; notwithstanding some remaining sensitivity around linkage involving criminal justice data and the potential for this to result in individuals experiencing discrimination across multiple spheres.

The Guiding Principles

4.9 To facilitate discussion of the Guiding Principles, participants were provided with a one page summary of these; a copy of which is provided in Appendix B).

4.10 Overall perceptions of the Principles were somewhat mixed. On the one hand, participants often commented that the Principles covered all of main areas of concern about data linkage that had been expressed over the course of the events, and that nothing important appeared to be missing. Many went on to say that they felt reassured that linkage would be carried out appropriately and securely.

4.11 On the other hand, a common concern was that the Framework in general, and the Principles specifically, were too "vague" or "general" and therefore open to interpretation and manipulation by vested interests. A few participants took this further, contending that the Principles had probably been left deliberately vague so that the Scottish Government is able to justify any linkage it might deem necessary in the future. As is discussed more fully below, such concerns were compounded when participants identified a few specific clauses within the Principles which they regarded as "loopholes" that were ripe for exploitation - for example, giving an oversight body the right to grant authorisation to use named data when it is not possible or practicable to obtain consent.

4.12 Notwithstanding these mixed views, there was a consensus that all of the Principles were essential and needed be accorded equal priority to ensure the proper governance of data linkage. For example; it was acknowledged that in order to ensure privacy, the removal of names and direct identifiers was required, which in turn required security to ensure that data could not be linked back to personal details.

If you take one [principle] out then it's gone, it collapses.
(Male, aged 50 or over, Inverness)

Public interest

4.13 In order to ensure the correct balance between the benefits of data linkage and the protection of individual privacy, participants felt that a minimum requirement of any research involving data linkage should be that it is 'in the public interest'. However, there was also considerable concern about how public interest could be defined. The term was regarded as fairly nebulous and open to varied and shifting interpretation, which in turn led many participants to feel that it could be used to justify virtually any use of linked data.

Over time, opinions of public interest can change. What is determined to be acceptable now… wouldn't have been quite acceptable [ten years ago]. So that leaves a bit of a gap as well.
(Female, aged 35-49, Glasgow)

4.14 There was particular concern about how companies and political actors might interpret 'public interest'. Reinforcing findings reported in the previous chapter, participants asserted firmly that the public interest justification should not be used by elected officials to commission research aimed at furthering their own political ends, nor by companies - nor individuals/bodies sponsored by companies - for commercial gain.

A lot of what people have got a problem with is vested interest, greed, people pursuing their own agendas. This kind of evidence based stuff is the opposite of that, because this is hard facts; it's evidence, it speaks for itself and the problem comes when politicians start interpreting it and put their own spin on it.
(Female, aged 35-49, Stirling)

Don't get me wrong, I trust scientific research, but who is backing them and who is funding them? You can get independent scientist that are getting funded and they don't know who they are getting funded off, which could make it corrupt that they are eligible for that information.
(Male, aged 18-34, Stirling)

4.15 As indicated earlier in the report, participants tended to conceptualise the 'public interest' in terms of tangible benefits for individuals and groups such as medical advancements, and improved service provision. The consensus was that any researcher making a request to access linked data should be required to justify to a commission or panel of experts why their research is in the public interest, and that the "bar should be set quite high" to ensure the system is not abused.

Governance and transparency

4.16 Perceptions surrounding the governance and transparency principle were underpinned by the lack of trust in some public bodies, discussed in Chapter 3 and, related to this, by a view that too often important decisions are made "behind closed doors", without any public involvement.

[Data linkage] might be completely transparent but I don't think necessarily everyone will believe it is transparent.
(Female, aged 18-34, Stirling)

4.17 There was a consensus that all procedures and processes surrounding data linkage should be as "accessible" as possible to help address public concerns. Specific suggestions put forward in this regard included publishing:

• full details of the requirements that individuals or organisations applying for access to linked data must meet and the procedures the oversight body would adhere to when evaluating applications
• all requests for access to linked data, including who has been making requests, how often and why
• all results and reports based on analysis of linked data

4.18 Such steps, it was felt, would enable external groups and members of the public to monitor any activity taking place under the Framework and raise objections in the event that they felt the Principles were not being adhered to.

You make it accessible and understandable. If people were all engaged in it and all understood it and all knew what was going on then people would be more likely to track the changes and see if their information's getting used for something [it shouldn't be] and pull someone up for it.
(Female, aged 18-34, Glasgow)

4.19 Participants strongly supported the proposed establishment of an oversight body to ensure the proper governance of the Framework and facilitate transparency. It was widely felt that this body should have responsibility for granting or refusing data linkage requests, ensuring that the Principles are upheld and administering sanctions as required.

4.20 Participants frequently raised the question of who would be on the oversight body, often commenting that the Principles are too vague on this point. Asked who they would like to see on the body, they commonly suggested that senior public sector professionals should have a pivotal role, although there were different views on what this would mean in practice.

4.21 Some participants favoured the establishment of a large pool of professionals representing a range of sectors (such as health and education) from which smaller panels could be drawn on a case-by-case basis, reflecting the nature of a linkage request - it was felt that this would minimise the likelihood of individuals with "vested interests" having too much influence on decisions. Others suggested that the professionals should be data linkage experts with extensive experience and training, as well as enough understanding of each others' areas of work to be able to challenge one another to ensure a rigorous process. Still others said they would like to see a mixed body of professionals and lay members drawn from a cross-section of society (two participants cited the Children's Panels as a possible model). It was felt that the professionals would be able to consider and provide advice on technical points while lay members would represent public concerns.

It's a very responsible sounding job, so you're not looking for volunteers or anything. You're looking for high quality individuals or [a] high level of training.
(Male, aged 35-49, Glasgow)

Instead of having a fixed panel, you've got 100 people to choose from, and if you know that this person has an association with a drugs company, I'm sorry you can't be on the panel. These are completely independent people from the people putting the [submission] in to have the information.
(Male, aged 35-49, Stirling)

4.22 Accountability was regarded as crucial to ensuring that governance and transparency are properly administered. Again, however, there were differing views on how accountability should operate. Some participants felt that data linkage should fall under ministerial remit, while others felt it should come under the auspices of an independent professional or senior civil servant to ensure impartiality.

[The person responsible for overseeing data linkage] should be elected and if not should be having an elected official looking over them […] like a minister for information.
(Female, aged 50 and over, Inverness)

I think it would have to be some kind of independent ombudsman. It couldn't possibly happen without that because you can't manage yourself. You've got to have somebody who is completely distanced from it and impartial.
(Male, aged 35-49, Glasgow)

Privacy and the removal of names and direct identifiers

4.23 As discussed in Chapter 3, many participants felt more positively disposed to the idea of data linkage after being informed that, in most cases, the data would be anonymised. After the presentation they often felt further reassured on this point, sometimes commenting that they "couldn't see any problem" with data being used in this way. However, perceptions were mixed when the use of named data was considered.

4.24 Some participants, most of whom were in the youngest age category, said they were indifferent about the use of named data, provided they were not contacted and their data was kept secure. They tended to say that they had "nothing to hide" and so had no qualms about their personal details being used in research; or that researchers working with the data wouldn't know the data subjects, meaning there would be no threat to those subjects' privacy.

If it is going to [result in] a cure for cancer then here is all my medical stuff; have it. That's how I would be, but I don't see why there is this whole, take your name off it and then we'll take it.
(Female, aged 18-34, Stirling)

4.25 However, most participants expressed concern about the possibility of being identified in research. They felt that named data was more sensitive than non-identifying data and that consequently it required greater protection (see 'security' and 'consent' below). As a result, they expressed strong support for the privacy principle and often followed this up by repeating their assertion that commercial companies should not be granted access to their contact details.

4.26 As discussed in Chapter 3, most participants were happy for their data to be used for research if it was anonymous. Still, others remained concerned that their data could always be linked back to their contact details, and that this in turn would leave it open to misuse.

[Linkage] would require each [bit of my data] having a unique identifier that is the same. That means that if you did have somebody's personal identifier then you could go round and access all their data.
(Male, aged 35-49, Glasgow)

You can trace it back to whoever it is [...] I don't have the first clue, obviously, but there is people out there that do and they are experts in that field.
(Female, aged 18-34, Inverness)

4.27 On a related point, some participants focussed in on the statement within the principle that read: any departure from [removing names and direct identifiers] must be justified and approved. The grounds on which such action would be justified, and who would be responsible for approving it were questioned. In essence, it was felt that the statement was a "loophole" that diluted the intention and rigour of the Principle, and could further leave data open to misuse.

"Any departure from that must be justified". I'm afraid I'm still worried about that […] It seems to me it's just a get-out clause.
(Male, aged 35-49, Inverness)

Consent

4.28 There was strong agreement that consent should be obtained for the use of named data. Many participants stated that too often, consent is obtained implicitly through the 'small-print' in documents or through vague statements, and that, in the case of data linkage, therefore, explicit parameters should be set around what consent is being given for (i.e. the types of research and/or the public bodies who will have access to the data), with any divergence requiring further consent.

As long as you're fully consenting and aware of what the information is being used for then I don't see a problem. It's when it starts being used for a purpose that you didn't intend it for; that's the issue.
(Male, aged 35-39, Glasgow)

Maybe there should be a field where you say 'I agree for medical research, I agree for anything for the benefit of the community but when it comes to third party companies wanting to find out my details, no way'.
(Male, aged 18-34, Stirling)

4.29 Participants were conflicted over the frequency with which their consent should be sought for the use of their personal data. After initially suggesting that consent should be obtained each time the data might be used, many soon came to acknowledge the potentially prohibitive time and cost implications of this. They subsequently suggested that their consent could be obtained on a periodic basis (e.g. annually) or via a system that would enable them to make a request to public bodies that their data not be used for research.

4.30 A particular area of concern for participants was the prospect that an oversight body would have the authority to grant consent in cases where it was not possible or practicable to obtain consent from an individual. Although participants recognised that there would be instances where it would not be possible to obtain individuals' consent, the prevailing view was that an external body should not have the right to grant proxy consent. Only a small number of participants took a different view, suggesting that the oversight body could intervene solely in cases where all other avenues have been exhausted.

It's either the person gives consent or they don't. It shouldn't be up to anybody else whatsoever.
(Female, aged 35-49, Inverness)

…maybe the person didn't have anybody else and maybe the only way you could sort it would be an oversight body […] but for me I think it would have to be a very, very, very last resort.
(Female, aged 55+, Stirling)

4.31 A minority of participants felt that consent should be extended to all uses of linked data, not just cases where named data might be used, as this would provide greater reassurance that individuals' privacy will not be compromised. However, they did acknowledge that this would be difficult to administer and may serve as a barrier to research in the event that people habitually refuse consent out of a generalised distrust in government and/or researchers.

Security

4.32 Participants were unanimous in the view that data linkage must conform to the highest standards of security but reiterated concerns that security can never be guaranteed due to the potential for incompetence (public officials losing data sticks) or maliciousness (hackers and "rogue" employees who set out to steal data).

4.33 Participants were wary of merged datasets being stored in a single location and felt that the process of sending data from one computer to another during the linking process would further increase the potential for information loss or theft. Some participants went on to express concern that, because technology changes so quickly, public bodies and other researchers accessing data may not always have the most up to date electronic security systems in place. It was suggested that a minimum security requirement should be built into the Framework, that is reviewed and updated frequently, and that anyone requesting access to data would have to prove they can meet.

4.34 Having established that security is difficult to guarantee absolutely, participants' took opposing stances in respect of the level of risk this presented. Most felt that the risk was acceptable, provided the highest possible security systems and procedures are in place. However, a significant minority disagreed, contending that the risk represented sufficient grounds for not proceeding with data linkage.

Access and personnel

4.35 Participants agreed strongly that any researcher or official with access to the data should be appropriately vetted. A number of specific suggestions for possible vetting mechanisms were put forward, which included:

• a certified training course on data linkage and data security, supplemented with regular 'refresher' courses
• a comprehensive procedure, along the lines of a Disclosure Scotland check, for assessing whether an individual should be given access to data
• an accreditation scheme which signifies that an individual and/or organisation has met all of the criteria required to enable access to the data
• the introduction of a duty on public bodies to ensure that all researchers and officials with access to linked data are fully vetted, trained and monitored.

4.36 Participants went on to suggest that the oversight body should be responsible for checking that applicants meet the required criteria and should be held accountable if access is granted to anyone who does not. As already mentioned, transparency - in the sense of the public being able to access information on anyone requesting access to linked data - was also considered important.

4.37 There was agreement among participants that it was important for strict access procedures to be formalised and that these should be explicit in the Principles for the avoidance of doubt. One participant suggested that these should also specify the grounds on which access would be denied.

Data sharing agreements and sanctions

4.38 Participants agreed that data sharing agreements should be implemented and strongly supported the imposition of sanctions if agreements are not followed. The consensus was that such agreements should explicitly set out the roles and responsibilities of each individual and organisation involved in data linkage in relation to each of the Principles, particularly those concerning data security. It was felt that this would create greater accountability among individuals and organisations.

4.39 Participants also suggested that data sharing agreements should contain contingency plans to cover data breaches or losses. Again, they felt these should be explicit so that each individual involved would know exactly what to do in the event of an issue arising. Some people went on to say that this would help to mitigate the impact on the individuals whose data has been compromised and minimise adverse media coverage.

4.40 Participants were very keen to see incorporated into the Guiding Principles a range of specific sanctions; firstly, to deter individuals or organisations who may consider stealing or selling data; and, secondly, to ensure that any individual or organisation that does breach the Principles is punished appropriately.

Somebody is not going to break security if they know the consequence…
(Male, aged 35-49, Inverness)

4.41 There was a consensus that sanctions should be very strict to deter anyone who may consider breaching the Principles. Specific suggestions included:

• banning culprit individuals and organisations from using data linkage or accessing data in the future, including closing loopholes that may allow them to access data through different or new organisations
• ensuring individual culprits lose their jobs - this was considered a particularly strong deterrent for professionals whose careers depend on their being able to access data
• issuing fines appropriate to the scale of the breach and also the circumstances of the individual or organisation being punished
• issuing judicial sentences to individuals, including community service or prison, again depending on the scale of the breach.

4.42 As is evident in these suggestions, there was broad agreement that sanctions should apply to both individuals and organisations. It was felt that this would incentivise organisations to ensure that relevant employees are fully trained and monitored in respect of data linkage. However, participants were keen to point out that sanctions should be considered on a case by case basis to ensure that the correct culprits are punished; for example, so that an organisation is not punished for the actions of an individual employee if it can prove that it has taken every possible step to prevent breaches occurring.

Outstanding issues

4.43 The various concerns and issues raised by participants in respect of the Guiding Principles, detailed above, were reflected in their responses to the end of event questionnaires. Participants were asked which issues they felt it was most important to consider or resolve as the Framework is developed. The most common responses were ensuring data security (mentioned by 45% of those who completed the question), ensuring transparency/ keeping the public informed (31%) and improving trust (22%).

'Beyond 2011'

4.44 Beyond 2011 is a project is being run by the National Records of Scotland to assess alternative options for producing population and socio-demographic statistics, including the use of administrative data sources.

4.45 The project was briefly outlined in the presentation as an area of work that might benefit from improved data linkage, and participants were asked for their views on this. There was broad support for the objectives of Beyond and it did not raise any new privacy issues; indeed, there was a sense in which several participants felt that the census was more intrusive than research given that individuals are chased up and sometimes fined for non-completion of their forms.

4.46 Ten years was generally considered too long a gap between censuses, with younger participants, in particular, pointing out that individuals' circumstances, and society generally, change much more rapidly than this meaning data soon becomes obsolete. Additionally, several participants recognised that the census is expensive to deliver and questioned whether it is worth the money given the identified shortcomings of the data.

I filled in my census; two years ago was it? My situation's changed since then, so it doesn't give a true reflection.
(Male, aged 18-34, Glasgow)

I think the world moves too fast now. Ten years is far too long, far too long.
(Male, aged 35-49, Inverness)

Further public engagement

4.47 There was a strong appetite among participants for ongoing public involvement in the development of the Data Linkage Framework. This was underpinned by two main considerations: Firstly, a widely held view that the Government generally needs to do more to consult the public on important issues in order to engender a greater sense of confidence in its decisions and policies; and, secondly, a perception that the events provided important reassurances about data linkage and related issues (particularly around data security), and that more public engagement could similarly allay potential concerns among the wider public, and also serve to counter any media scare stories that may emerge as the Framework is implemented.

4.48 Participants acknowledged that it could be difficult to recreate the events on a wider scale - and, indeed, that many members of the public may not be interested in engaging so proactively on the subject of data linkage - so suggested a range of alternative initiatives that the Government could pursue to at least keep the public informed about the Framework. These included: media advertising campaigns; the distribution of leaflets (both to households and public places such as council offices); and the setting up of a dedicated website that could serve as a 'one stop shop' for everything members of the public might want to know about data linkage - including research studies that are underway - and that could be referenced in any advertisements or leaflets produced. Some of the older participants were keen to emphasise that the Government should use a variety of methods to communicate with the public so that people who, for example, don't have internet access, are not excluded from engaging fully with the issues.

A paper pamphlet giving you the basic outline […] and then linking to, say, a website with more detailed information on it for anybody who really wants to know [more].
(Male, aged 35-49, Glasgow)

4.49 Data from the questionnaires completed by participants at the close of the events reinforces the potential for information provision to impact positively on public perceptions around data linkage. Just over half of participants (52%) who responded to Q6 of the questionnaire (n=52) reported that the events had changed their views on data linkage or the use of data in research, with most specifying that it had increased their understanding of data linkage in general, or of the beneficial ways in which linked data can be used. Around one in five stated explicitly that the event had increased their support for data linkage and/or the holding of data and information by public bodies.

4.50 Still, there was also a common suspicion that consultations and other forms of public engagement are just "tick-box" exercises to "rubber stamp" the Government's plans and that the Framework will be implemented regardless of public opinion.