Local councils are increasingly turning to the shared services model as a means to reduce costs. But, by focusing their efforts purely on cost, authorities risk neglecting their data protection responsibilities.
John Kost, a senior manager at research firm Gartner, believes that many councils have not even considered the data protection challenge of shared services. The resulting governance issues, he said, are “severe and difficult to deal with”.
One man who is well qualified to comment is David Wilde (pictured), CIO of Essex County Council. Before taking up his current post, Wilde was CIO of Westminster City Council, where he was in charge of the UK’s first major local government shared services initiative, which saw Westminster pool resources with Hammersmith & Fulham and Kensington & Chelsea councils.
Wilde said that when he started at Essex the council had already set up an information sharing protocol between all of the public sector bodies in the county, dubbed the “Essex Trust Charter”.
He believes that the Charter is a good example of how councils should tackle data governance, adding that worries over compliance with data rules should not deter public bodies from going down the shared services route.
“Agencies may default to not sharing information because that is perceived as an easier way to be compliant with the law. I think that’s the wrong answer,” said Wilde.
“The right way is to ask yourself as a council: Who are you providing services for? How can you best provide for them? What information do you need to do that? And what do you need to do to ensure that the rights of the individual are protected?”
Wilde said Essex council was very much the driving force behind the Essex Trust Charter. “The council pulled together the information champions from the other agencies, and together they wrote and signed an agreement on how the sharing process would work.
“The Information Commissioner’s Office and the Care Quality Commission both oversee the councils to ensure compliance. Each organisation has its own internal machinery to make sure it’s compliant within our respective agencies and the Charter is then enforced,” he said.
Wilde explained that the Essex Trust Charter covers core legislation such as the Data Protection Act, the Human Rights Act, the Freedom of Information Act and the Regulation and Investigatory Powers Act, as well as legislation covering broader social care issues.
“We don’t just stick to the core legislation, we ask what it means to comply with the ‘Every Child Matters’ legislation that came through a few years ago and the Children’s Act 2004 for sharing information around case management for children services, for example,” he said.
Essex’s shared services set-up is a totally public-sector operation, but what happens when a private company is also involved?
For example, NHS Shared Business Services (SBS) is a 50:50 joint venture between the NHS and IT services provider Steria. Both public and private sector staff within the venture are shareholders in NHS SBS.
Does this kind of arrangement change the way that a public servant might perceive the data? For example, is there a risk they might see the data as a tradable commodity as opposed to a citizen’s personal information?
Quocirca analyst Bob Tarzey believes service providers such as Steria are alert to the risks.
“Any good service provider should be managing that data by giving their staff access to the information they need to manage systems, but not to personal data,” he said.
Gartner’s Kost agrees, pointing out that the legal ramifications for companies are dire if they begin to see data as a tradable commodity.
“It is possible that private companies could save data from the repositories of a public body such as the NHS, but getting access to large volumes of data is going to be hard to do and if an employee violates legal provision then that company is in deep legal trouble,” said Kost.
This paper seeks to provide education and technical insight to beacons, in addition to providing insight to Apple's iBeacon specification
Focus on cost efficiency, simplicity, performance, scalability and future-readiness when architecting your data protection strategy