Winchester Vacancies

Yes, no or maybe?

Internet iStock 000003759439XSmall 146x219Peter Hill considers the legal issues behind the growing use of online digital services in local government.

According to a 2016 survey of online usage by Acquia, a cloud platform provider, 63% of the British public had visited a local council website within the past year. However, only 21% had ordered or booked something online via their local council, and only 10% had shared something from their local council online. This contrasts sharply with what is happening in the private sector, where 86% have bought goods or services online during the same period, and 69% have recommended or shared online (by Facebook likes, for example). So are councils making the most of the opportunity for digital engagement?

A step along this road is the adoption of the Local Government Digital Standard (LGDS) which puts users at the heart of service design, sets out a framework for assessing compliance with LGDS and encourages councils to share best practice. It should come as no surprise that this adopts the principles of central government’s Digital by Default Standard (DbDS). Of more interest is that it refines and adapts these demonstrating a commitment to service improvement and encouragement of maximum usage of the digital service with assisted digital support where required – the reference to assisted digital support does not appear in the DbDS.

Right-thinking information officers will be well aware of the problem of digital exclusion, both through lack of access to hardware and citizens’ lack of digital skills. Although the exact extent of these and how fast the pattern of exclusion is changing are matters for debate, it is an area where thinking in Europe is getting ahead of the UK. The recent Digital Skills Crisis report by the House of Commons Science & Technology Committee acknowledges that some 5.8m UK citizens have never used the internet, and 12.8m adults lack basic digital skills, as well as criticising the Government’s tardiness in publishing a national Digital Strategy. Earlier in the year, amongst the recommendations made by Nesta in its report Connected Councils – a Digital Vision of Local Government in 2025 is that councils should invest in making digital services accessible to all. In Nesta’s view, this will require continued provision of human (staff or volunteer) support to those who need it, and appropriate triage of individuals with different digital needs, as well as continuing to make available access to free Wi-Fi in public spaces such as libraries and jobcentres.

Following the vote for Brexit in the referendum, it is not yet clear what attention will need to be paid to new legal requirements for the provision of digital support emanating from the proposed European Directive on Web Accessibility for Public Sector Websites. This is aimed at internet users who are blind, partially-sighted, deaf, hard of hearing or otherwise physically disabled, the underlying principle being equal treatment of all citizens both offline and online. Subject to navigating the final stage of EU parliamentary approval, the Directive is expected to be in force in approximately two years with direct effect in EU Member States, and will require the provision on public sector websites (including mobile apps) of, for example, text as an alternative to images and that they be browsable without a mouse.            

With greater impact for frontline services, the Nesta report also urges councils to look at pathways between different services and different communication media to ensure these are seamless and the language used is free of jargon.

In short, services need to be more joined up and the system for navigating multiple services made more user friendly. Only if this is done, will Nesta’s vision for 2025 of much greater citizen engagement be achieved. Realisation of the vision will mean much greater sharing of data.

While it is clear that the full potential of going digital cannot be achieved without more data sharing, this will bring new issues around cybersecurity, privacy and personal consent which councils will need to tackle to retain the confidence of the public. Data sharing between public bodies for the purpose of improving public services (e.g. joining up services for the welfare of specific individuals, and allowing public body access to the registers of births, deaths and marriages for identity verification), prevention of fraud, reduction of debt, and for research and statistics is currently under consultation through Better Use of Data in Government, a consultation paper for which the Cabinet Office has yet to announce its response to submissions made.

The rapidly growing incidence of cybercrime has raised concern about cybersecurity in both the private and public sectors to a level near hysteria. The results of a recent survey of UK Chief Information Officers by Egress Software Technologies, a US company, showed that no fewer than 87% of those surveyed were worried that their current information security policies and procedures might be putting their organisation at risk, as well as being inadequate to deal with the new requirements under the recently approved EU General Data Protection Regulation (GDPR). As the law stands at present, this will have direct effect in the UK from May 2018, a date shortly before expiry of the two-year disengagement period envisaged by Article 50 of the Treaty of the European Union. Brexit may well have been achieved by other means by then. There is a general expectation that Brexit will result in the disapplication of EU legislation, but it will be for the UK Parliament to decide how to effect this, either by a blanket disapplication or specifically, piecemeal. So, is the GDPR just some EU red tape we would be better off without?

If preserved by Parliament, the GDPR will amend and supplement the Data Protection Act 1998, creating important new rights for individuals. These are for more individual control over and easier access to an individual’s personal data (so as to receive clear information about how it is being processed, no matter where it may be sent, processed or stored), a right to data portability, intended to facilitate transfer by an individual of their personal information from one organisation to another (e.g. between two social networks), and formalising the “right to be forgotten” (in official parlance the right of erasure) already enjoyed. This will enable individuals to request, for example, search engines to remove links leading to personal information about them, but only insofar as this is consistent with freedom of expression and the continuing availability of historical and scientific research – not air-brushing out of history.

More challenging for council and other CIOs, the GDPR will impose a new duty on data controllers and data processors to notify the supervising authority (in the UK the Information Commissioner’s Office) within 72 hours of the occurrence of breaches of data protection. Failure to notify would be punishable by significantly increased fines – up to a maximum of €20m or 4% of worldwide annual turnover, whichever is the higher. This is in effect a new right for the individual to know when they have had personal information hacked. Failures of data security will therefore become much more publically visible, to the embarrassment to chief executives. In consequence, we should expect data security to move up the priority list for board meeting agendas.

The Data Protection Act 1998 pre-dates many online services now regarded as part of everyday life, such as social networking sites, cloud computing and smart cards, all of which have a huge appetite for personal data. The GPDR addresses this and will encourage the use of “big data” analytics with suitable safeguards such as anonymization or pseudonymisation, while leaving EU member states to decide a few refinements, such as the age of consent to processing of personal data (which the GDPR permits to be lowered from age 16 years to not less than age 13 years). Whether or not the UK decides to keep the GDPR, UK online businesses trading with Europe will need to comply, as any processing of EU citizens’ personal information outside the EU or EEA will be caught by its requirements – potentially any website accessible from the EU/EEA if the website collects IP addresses in an access log or tracks visitors with cookies, for example.

This illustrates the Brexit conundrum neatly. Access to the worldwide web is made available on a country-by-country basis, but trade is hindered, not enhanced, by multiple regulatory regimes. As a member of the EU, the UK was working towards a (mostly harmonised) uniform set of data protection legal requirements for the whole of Europe. Out of the EU, the UK will be free to choose its own legal requirements and may favour a lighter touch regulatory regime. But where once the UK lead in data protection, if the GDPR is ignored the UK will risk falling below what is likely to become the foremost international data protection standard.

The UK digital economy is showing healthy signs of rapid expansion, and the continuing shift to digital may explain much of the discrepancy between falling unemployment and the apparent lack of increase in productivity. Much of the innovation is being driven by SMEs.

While London’s tech cluster is dominant in size, regional tech clusters are making a very significant contribution. If Local Enterprise Partnerships are to be successful in boosting regional economies, it is vital that they harness the above-average growth in digital and exploit this to their advantage. Recommendations from both Nesta as part of their vision for 2025 and the think tank Policy Exchange in a report entitled Smart Devolution have called for central government to impose conditions in each devolution deal which would require establishment of a regional office of data analytics. Functions of this would include use of open standards and development of regional datasets, development of local data markets and the spread of data skills throughout the local public sector. It remains to be seen whether combined authorities will be able to align the forces of business, education and the wider public sector to seize this opportunity. If they can, it will demonstrate that local government is capable of true leadership. Scaling up their local digital SMEs will call for sweeping a much broader horizon than the regional boundary.

Peter Hill is a Senior Associate in the Public Services Group of Geldards LLP. He can be contacted on 020 7921 3987 or This email address is being protected from spambots. You need JavaScript enabled to view it.