Jeni Tennison

Our CEO Jeni Tennison delivered the annual lecture at this year's Information Law and Policy Annual Lecture and Conference 2019 – Digital Rights in Brexit: Changes and Challenges.

In her talk – Helpful Robots or Pink-Eyed Terminators: Post-Brexit UK as a Global Leader in Responsible Technology – Jeni discussed data in a post-Brexit Britain, including the importance of data as infrastructure and of independent data stewards. She also discussed the different extremes of data models, and the opportunity of bringing together ethical and responsible technology, access to data, and strong independent institutions in a post-Brexit world.

Read Jeni's full remarks here:

Just a quick show of hands: how many of you understand the reference to "helpful robots or pink-eyed terminators" in the title for this lecture?

It may surprise you to learn it comes from a speech made by the UK's Prime Minister, Boris Johnson, to the United Nations General Assembly in September. In a passage dedicated to the potential technological dystopias we might sleepwalk into, he said:

"As new technologies seem to race towards us from the far horizon, we strain our eyes as they come, to make out whether they are for good or bad – friends or foes? AI – what will it mean? Helpful robots washing and caring for an ageing population? Or pink-eyed terminators sent back from the future to cull the human race?"

While I think we can agree at least that time-travel is unlikely, we do face real choices now that will change the future we end up in. In particular, and what I will focus on today, around what we do about data in post-Brexit Britain.

Data is now infrastructure for our societies and economies. And to be clear, I'm not talking about the physical infrastructure that supports the collection of data, like sensors and satellites. I'm not talking about the infrastructure that transmits data like broadband fibre, WiFi hotspots, low power wide area networks or 5G. And I'm not talking about data centres and super computers that process data.

The data infrastructure I'm talking about is a virtual infrastructure of datasets. Datasets we've collected and maintained for years like the census, maps and registers of land and companies. Streaming data about air quality, the heights of rivers and where the next bus is. And data we generate constantly as we fill in forms online, share our phones' locations, or hit that 'Like' button on Facebook.

All this data is interlinked, capable of being connected, aggregated and combined to deliver new insights, create new products and services, and to help us all make better and faster decisions.

And around this data, both enhancing and constraining how it is used, we have technical standards for interoperability, we have stewarding organisations that collect and maintain it, laws and policies that govern it, and of course people and communities who are affected by it.

Most infrastructure is pretty boring. Or at least it's not something that people generally think or talk about. You don't get many front page headlines about the way our sewage systems operate. But you do get frequent front page headlines about our data infrastructure. About how Google may be getting access to personal health records in the US. About how the UK's Department for Education collected data about children's nationalities that were used by Home Office immigration enforcement. About the use of data for micro-targeting of political advertisements.

Data infrastructure isn't boring because it's not yet mature. We, collectively, are still designing what it looks like and how it works. What is allowed and what isn't. How the rights of different people and organisations are balanced. Who has what powers. It's not settled yet.  Which means our choices still matter. As the Prime Minister put it in a slightly less colourful part of his speech to the UN:

"At stake is whether we bequeath an Orwellian world, designed for censorship, repression and control, or a world of emancipation, debate and learning, where technology threatens famine and disease, but not our freedoms."

We have choices to make about investment, about what areas of research and development we fund. Choices about where we spend our time, which issues we explore or causes we fight for. And choices about our regulations and the legal environment that can both constrain and enable what we choose to do.

These are choices that are being faced now at every level. From the United Nations work on data to support the Sustainable Development Goals, through the European Commission's attempts to improve digital competition, or cities informing their transport planning by accessing data about scooters, down to each of us choosing whether to accept or reject cookies.

And so I come to our choices as a nation, and particularly those we face post-Brexit, around data.

There are some crude caricatures of how societies in different parts of the world deal with data. I don't claim any great geopolitical insights here — I believe reality is much more complex and nuanced than these caricatures — but I will use them to illustrate some extremes or local minima within the design space of possible ways the UK could go.

One extreme, often attributed to the US, is a market-driven model driven by innovation and investment, individual choice and commercial profits. At this extreme, controls over what data might be collected, and how it's used or shared, are driven by shareholder value, ability to attract investment, or retain users.

This model is underpinned by the notion that if they really care, consumers can exercise choice through the controls they use within privacy settings, or by migrating to alternative services. That an exchange of data for free services, or for micro-payments, is a fair value exchange.

Within this market-driven model - sometimes called a surveillance capitalism model - when data is used to benefit wider society, this is a philanthropic gesture, a donation of data for good.

Another extreme, the authoritarian model, is frequently ascribed to China. This is an extreme of centralised state control of data, where data is not used just to sell to people more effectively but to, and I say this somewhat euphemistically, promote a harmonious society.

At this extreme, the purpose of data is the collective good of the nation, according to the definition of those who govern it. And to that end, state surveillance increasingly extends throughout the online space and the real world, through cameras and sensors. The consequences of detected misbehaviour range from bad social credit scores meaning you receive poorer quality services, or no services at all, through to imprisonment or worse.

The model Europe has adopted is often described as sitting between these. We see company behaviour regulated and controlled, with minimum standards such as GDPR to protect individual's rights, but also database rights to protect the intellectual property of organisations who make the effort to collect and maintain data.

In Europe, we see the state having some powers to collect and use data, for surveillance, for administration, and for public good, but these powers being constrained by law, for example by requiring judicial approval or requiring certain datasets to be free and open data.

As we head into Brexit, the model we inherit and default to is this European model. As we'll no doubt be discussing today, our laws on database rights, GDPR, and the reuse of public sector information through open data, stem from Europe. Brexit gives us an opportunity to diverge. To what degree will we do so? What model will the UK adopt?

There are three debates I hear.

  • First, data adequacy and GDPR. There are some who argue that GDPR is too complex, and a burden on businesses, particularly small businesses. Brexit could be taken as an opportunity to simplify or limit its impact. Similarly, some argue that attaining data adequacy would mean losing our ability to surveille and thus impact our national security. Others view data adequacy as essential so that digital businesses based in the UK can access the European market, and GDPR as the minimum level of privacy protection expected by the UK’s citizens.
  • Second, access to datasets held at a European level, in particular but not solely for national security purposes. There are some who argue that it would be simplest to continue to collaborate around the shared data infrastructure the European Union has built. Others who believe we could develop something better ourselves, or in collaboration with countries outside the EU.
  • Finally, protectionism and the role of data in trade deals. Our relatively centralised systems for health and welfare mean we have extensive, representative, historical data about people and their lives, which could be immensely valuable. Should international technology and pharma companies be able to use our national data assets? Should they be a bargaining chip in the trade deals we enter into?

These are all important debates, and I hope we will hear more about them today.

However, in my heart of hearts I do not think that adopting a variant of the US or Chinese models, or playing around the edges of our existing European models, will move us substantially forward. I would like the UK to be more visionary.

Brexit provides us with the opportunity to set a different path that makes the most of our existing expertise, experience and position in the world. We can adopt a model for how we deal with data where we can lead rather than follow. I believe we can build on three things: our expertise in ethical and responsible technology, leadership in increasing access to data, and experience building data institutions.

In his UN speech, Boris Johnson characterised the UK as "a global leader in ethical and responsible technology". If we count this leadership in terms of reports, organisations and conferences, this is certainly the case. We have:

  • the Centre for Data Ethics and Innovation and the Ada Lovelace Institute, both announced two years ago
  • activities on data governance at learned societies such as the British Academy, Royal Society and Royal Academy of Engineering
  • conferences such as TechUK's annual data ethics conference coming up in early December
  • academics working on data ethics at the Oxford Internet Institute, indeed a whole new Institute for Ethics in AI at the University of Oxford, work at the Universities of Edinburgh and Cambridge and within Turing Institute
  • think tanks like Doteveryone advocating for responsible technology
  • and even venture capital being invested in responsible technologies through accelerators like Bethnal Green Ventures

I like to think that the ODI was ahead of this rush. Certainly, when we developed the first version of our Data Ethics Canvas in 2016, we couldn't find much by way of existing practical guidance on the topic. Now data ethics, or at least recognition of the importance of data ethics, is everywhere.

Another, related, area where I think the UK can justifiably claim leadership, and leadership it could build on, is responsible access to data. Data is often compared to oil, but it is much more than that. Data is power. Changing who has access to it can change the balance of power. We in the UK have shown that we are prepared to invest and regulate to make this happen.

Around 2009–2010, in the final days of the Brown government and the early days of Cameron's coalition government, the UK led a global movement to open government data. This was done in part to increase public sector accountability – Francis Maude imagined armchair auditors scrutinising government’s operations – but also in part to limit the power of the state’s data monopolies, like Ordnance Survey, memorably once described by Anna Powell-Smith as “the great vampire squid wrapped around the face of UK public-interest technology”. This model of open government data has been copied worldwide, evidenced by the sheer number of variants of the UK's Open Government Licence.

We have also been leaders in open banking – an initiative to provide standardised access to bank transaction data and payments by both individuals and businesses – a form of interoperable data portability that extends to organisations as well as people.

Following recommendations by the ODI and Fingleton Associates, open banking was introduced by the Competition and Markets Authority, primarily to increase competition in the banking sector. It hasn’t been perfect, but it has been inspiration for similar open banking efforts from Australia to Mexico. And following the UK government’s Smart Data Review, we could see the UK extending this approach to other utilities like energy or telecoms.

The UK’s Office for National Statistics has led worldwide practice on access to data in a couple of areas. First, securing the right, through the Digital Economy Act 2017 to access administrative data from both public and large private sector organisations in order to create statistics. Second, in developing their Secure Research Service that provides accredited and approved researchers access to de-identified data so they can carry out research. The ONS demonstrates the UK’s leadership in both accessing data and providing access to data for public good.

This brings me on to the final area where I believe the UK is strong, and that's the role of its independent data stewards. The Domesday Book of 1086 was one of the first nation-scale information management exercises. We have built up huge experience in how to run and fund organisations that collect, analyse and share data for public good. Institutions like the Office for National Statistics, the National Archives, and yes, the Ordnance Survey, for all its vampire-squid-ness, are respected worldwide.

And where public and private organisations have failed to adapt to changing demands and build the data infrastructure we need, such as providing ready access to MPs’ voting histories or candidates for election, civic tech organisations like MySociety and Democracy Club have led the way.

OpenStreetMap, born in the UK, is an international initiative to crowdsource maps that has democratised mapping data and revolutionised disaster response. The Zooniverse citizen science platform was built in Oxford.

Ethical and responsible technology. Access to data. Strong independent institutions. Bring these together and I believe there is another model a post-Brexit UK could consider. Not the market-driven, individualist approach we ascribe to the US. Not the state-driven, authoritarian approach we ascribe to China. Not even the regulatory approach of the European Union. But an approach whose central tenet is increasing responsible access to data maintained by trustworthy, independent data institutions.

You see, the European model only moderates the powers held by the private and public sectors, as they collect data about us and the world, and use it for their own ends. And the ends those private and public organisations have are necessarily and understandably narrow: providing us with the products and services they either sell or have a duty to provide.

I talked earlier about how data needs to be interlinked, aggregated and combined to unlock its value. It’s because of this essential, networked, quality of data that access to data, and in particular across organisational and sector boundaries, is so important.

Time after time, whether talking to startups about their grand plans or researchers about the things they want to investigate, I hear about their woes getting access to data. Increasing access was highlighted in Hall & Pesenti’s AI Review as a way of unlocking AI innovation. Increasing access was described in the Furman Review as a way of increasing digital competition.

And of course that access cannot be unconstrained. But in many cases, organisations that benefit from being able to use the data they collect and maintain are poor judges for who data should be shared with, and for what purpose. They miss potential harms and benefits. Whether they are companies or governments, they cannot be independent in making those decisions.

This is why we, at ODI, are researching, piloting and supporting data trusts and similar data institutions that provide independent data stewardship. Many of these organisations already exist. Some are already named in legislation. They are the keepers of registers, and the compilers and publishers of information. They include old favourites like the Land Registry, but also the more specialist and obscure such as the designated data body for the Office for Students, currently the Higher Education Statistics Agency.

In other cases, we think the roles of existing independent, trustworthy bodies could be expanded to include data stewardship responsibilities. What might be the role in our data ecosystem of the BBC for example, or the National Trust?

And in other cases, bodies may need to be created — the Health Data Research Hubs being established by Health Data Research UK are  institutions being created to steward data for particular purposes: to improve the lives of patients with cancer or eye disease, for example.

A post-Brexit UK could adopt a different architecture for the governance of its data infrastructure. We could have a different settlement as we balance the rights, responsibilities and power of people, communities, businesses and government.

We could move in the direction of separating those with the responsibility to collect and share data from the organisations who want to use it. We could build on the UK’s leadership in ethical and responsible technology, in access to data, and in institution building.

So I hope that we can spend some time today, and in the months to come, thinking, talking and trying out these different models. Brexit gives us a real opportunity to experiment and learn here in the UK, to choose our approach to data and technology and shape our future. And we all have a chance to take that opportunity and build a data future that works for everyone.

Thank you.