Theo Andersson, Business Intelligence Officer / Omvärldsbevakare at DIGG – Swedish Agency for Digital Government
In July 2020, the Swedish Public Employment Service, the Swedish eHealth Agency, the Agency for Digital Government (DIGG) and the Swedish Tax Agency were collectively tasked with showing how an individual’s ability to have insight and control over data that have been stored about them by the public sector – and, in the long term, in the private sector – can be enhanced.
Large quantities of data about individuals are processed by public administration, for which there is support in statutes or agreements. The public sector often not only has the right but also an obligation to process personal data in order to perform its duties.
It is widely believed that it would make things easier for individuals, and introduce efficiency improvements for the public sector, if it were possible for another party to reuse information already possessed by an authority as the basis for making decisions or taking certain measures. It is however unclear exactly how this can be achieved and what prerequisites need to be in place for such user-centricity to be achieved in the design of these services.
The initial external monitoring and analysis of these issues focused on various publications from amongst others, the EU, UN and OECD in order to determine if there exists a consensus regarding whether individuals are or should be, entitled to increased insight into and control over the data stored about them. After confirming that indeed there seemed to be such a consensus, we were interested in how well technological developments and discussions on policy, data management and public agencies instructions agreed with the vision for how this insight and control will be achieved and then given to, and managed, by the individual.
The citizen perspective
Most citizen surveys we reviewed showed that the public sector has an important role to play with regards to legitimising new methods of sharing and using data in the minds of potential users i.e. citizens. Trust in the public sector is an important aspect of how private individuals view being part of a data-sharing ecosystem that also includes private companies (Zarifis, Cheng, & Kroenung, 2019). The degree to which the public sector adds trust in the data-sharing ecosystem is naturally dependent on political realities in various countries. What was common however was the notion that increased control over an individual’s own personal data is generally desirable by the individual. However, few are clear on how this control can be exercised or whether they wish to take upon themselves, the greater personal responsibility for sharing data that becomes necessary if more efficient public services are to be realised.
Examples from a number of different countries (Finland, France, Norway, Denmark, the United States, the United Kingdom and India) were also analysed and they emphasised various and differing aspects of insight and control, such as technical solutions, legal aspects, the involvement of trade and industry, and the value of political governance.
Legal aspects
Technical solutions, financial means and clear political governance are important and vary between different countries, but they are not usually the primary obstacle to the development of a proof of concept or solution. Usually, it is legal interpretations and uncertainties that appear to be the most problematic and that are considered obstacles to developments in this area. The legal basis for sharing data between private and public entities and for an individual’s ability to have increased control over this data-flow is not specified by any national or supranational organisation, although there are suggestions, most of which are centred on the concept of consent. How consent is interpreted varies, however, between different nations (even within the EU). Several future investigations will have to be conducted in order to clarify rules, responsibilities and possibilities for initiating data-sharing.
There are also uncertainties regarding which incentives and prerequisites (in addition to legal certainty) would motivate individuals, trade and industry to actively demand increased insight and control for individual citizens from political policy-makers. It is not obvious, by any means, that the individual’s incentives are aligned with that of private sector representatives in the proposed data-sharing ecosystem.
Digital maturity
In order to keep the government systems working in accordance with the increasing expectations that citizens have for public services, there is a risk that it is assumed that all eligible citizens understand the consequences, costs, benefits and risks of sharing personal data (or not doing so). Without this assumption, the basis upon which more and more collected data is expected to be used for more effective public services based on data that are shared by consent becomes a problem.
In Sweden, it is this exact fear of the individual’s incapacity to make informed decisions about data-sharing that renders consent as an obsolete basis for data-sharing when designing an ecosystem that aims to allow for an individual to initiate or allow for, data-sharing between a lone individual and government authorities or between a public authority and a private company. The risk for perceived or overt pressure to influence the individual’s decision-making is deemed too high.
No matter what the basis for data-sharing will be in the future, this development will have to be accompanied by a public discussion and strategy for handling individuals who opt-out of the systems for reasons ranging between a lack of digital competence or cognitive ability, to simply preferring the established processes of the past.
Opt-in
Since the ecosystem will be based on voluntary participation, at least initially and for the foreseeable future, clear incentives need to be created for all parties in the value chain to use shared data, from the individual to organisations. Individuals need to understand how data can be used and what benefit this can bring for them, such as new value-creating services and reduced lag-time from idea to citizen service delivery. Solutions for providing increased insight and control will otherwise result only in passiveness, inactivity and a reduction of shared data. This places high demands on the design and interfaces that affect the user experience, and the generation of commitment in continued use of the services that suppliers of different areas for insight and control can offer.
The private sector also needs to identify new possibilities and business models based on their customers controlling more of the interaction between them, otherwise they will not take part in initiatives that attempt to explore the opportunities for increased innovation and value creation (Weill, Woerner, Patricia, & Baquero, 2021; Zarifis, Kawalek, & Azadegan, 2021). The public sector has a responsibility to ensure an inclusive environment as regards to the identification and analysis of potential hindrances and/or opportunities that private sector actors may have. Without a joint effort to realise the vision for increased insight and control for the individual who is at once, resident and recipient of public services as well as customer, there will be no progress outside of areas that may be deemed as vital. These areas could be vital for either the public sector’s ability to handle health policies or tackle diseases (e.g. the mandatory sharing of health data) or for certain private companies work with corporate social responsibility projects where certain customer data may be offered back to the individual in order allow for good-will creating incentives.
Testing environments
As mentioned, there is a need for policy that allows for co-creation of a data-sharing ecosystem, and this may require venues (physical and digital) in which public and private entities can jointly produce solutions based on clearly identified needs amongst citizens, (European Commission, 2019). This may involve part of a life event or, for example, a business opportunity that a company wishes to explore. A common understanding is first needed on what is meant by data portability and of how existing structures, business models and policies may be affected by giving individuals insight and control into personal data that is kept by public administration as well as consumer and behavioural data kept by businesses and organisations. The transition is complex, and the need of test environments and expertise in designing digital environments can be considered great. Such testing environments, be they called green houses or regulatory sandboxes, should incorporate legal considerations and expertise, human-centric design, use cases taken from political priorities, technical expertise and user tests.
End
The work carried out during the latter part of 2020 until June 2021 resulted in a governmental report containing a model/conceptualisation of a data-sharing ecosystem centred on the individual (see below), a proof of concept showcasing the ability to populate a digital CV with data from government sources such as address, completed studies, authenticated driving license(s) and so on. The report also contained a visualisation of a scenario for sharing data related to receiving a doctor confirmation of illness and sharing this with relevant authorities.
Figure 1. The individual in the centre with overview, insight and control.
The report identified that there is great value in giving private individuals increased insight and control over their data. It has also become apparent that there are several different ways of technically realising an arrangement that puts the individual in the centre, where they can be given an overview, insight and control. Whilst we can see great potential in increasing user-centricity with regards to the way data is processed, we can also see a need for other prerequisites to move at the same pace and direction. It has become clear that there is a potential conflict between an individual’s entitlement to insight and control on the one hand, and the prerequisites for authorities to realise such insight and control on the other. The report therefore highlighted the following recommendations for further efforts relating to the issue of increased insight and control over personal data:
- An investigation should be made regarding how users of tools and services for increased insight and control want these to be designed. The need of individuals must have a direct effect on how the tools, including the data overview or digital wallet, should be designed and what functionality should be prioritised. An increased understanding of important design aspects for these tools can have a significant impact on the utilisation rate and is important for digital inclusiveness.
- There is a need to clarify responsibilities for user-areas i.e. log-in areas on public websites where data on an individual is displayed. Under the current system, it may be challenging for authorities to comply with controllership as defined in the EU Data Protection Regulation, (European Parliament, 2016), and the many obligations in relation to the individuals whose personal information is processed. The potential conflict is between the ability of authorities to provide services by means of such user areas whilst at the same time, avoiding making details stored therein from becoming official documents. The authority must not have any real power over the information and documents that are processed in the user area in order for it to be considered as such according to the regulations in the Freedom of the Press Act (European Court of Human Rights, 2021). It must therefore be clarified how these two conflicting interests can be united in sustainable solutions.
- Sharing information with other authorities and individuals, even when done on behalf of the individual in question, is not covered by the service provision obligations of authorities. The same applies for a possible exchange of information between authorities and private entities. Today, the way authorities process personal data is regulated by means of sector-specific legislation. The legal status for the digital transmission of information and the possibilities of providing individuals with insight and control can thus be considered uncertain. The report suggests that public authority service obligations come to include disclosing and transmitting information to the individual and other authorities using digital media as this is not specified today and would mean authorities would have greater opportunities to provide for an individual’s insight and control.
In short, the report highlights the necessity for a government commissioned impact analysis with regards to expanding the service obligations, incorporating the special data protection regulations (data registry laws) and the possibility of disclosing data in electronic form.
Key concepts
Insight: Insight is taken to mean that individuals are able to visualise or otherwise understand the type of data kept about them by whatever organisation is holding the information in an easily understandable and unified manner, as well as being able to see for what purposes the information is collected, and on what legal basis it is processed there.
Control: Control refers mainly to possibilities for an individual to be able to digitally access their data and request corrections, deletion or transferral of data to and from the entity that has it.
Recommended Citation:
Andersson T. (2021) ‘Individual Insight and Control Over Personal Data Held by The Public And Private Sector: A Swedish Perspective’, TrustUpdate.com, Available from: https://www.trustupdate.com/case-studies/
Biography:
Theo Andersson studied Business Administration and International Relations at the University of Gothenburg. Having worked with bilateral trade and investment relations as an officer of the Cyprus Chamber of Commerce and Industry for several years, Theo returned to Sweden and started working with questions relating to the digitalisation of public sector services as an officer of the Swedish Public Employment Service. This led to a short stint as a regional digitalisation coordinator at the Region of Halland before accepting a position as trend surveyor/business intelligence analyst at the then recently formed Agency for Digital Government (DIGG).
References
European Commission. (2019). Ethics Guidelines for Trustworthy AI. Retrieved from https://ec.europa.eu/digital
European Court of Human Rights. (2021). Guide on Article 10 of the European Convention on Human Rights, Freedom of Expression. Retrieved from https://echr.coe.int/Documents/Guide_Art_11_ENG.pdf
European Parliament. (2016). EU General Data Protection Regulation GDPR. Official Journal of the European Union. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
Weill, B. P., Woerner, S., Patricia, A., & Baquero, D. (2021). Hello Domains, Goodbye Industries. Retrieved from https://cisr.mit.edu/publication/2021_0101_HelloDomains_WeillWoernerDiaz
Zarifis, A., Kawalek, P., & Azadegan, A. (2021). Evaluating If Trust and Personal Information Privacy Concerns Are Barriers to Using Health Insurance That Explicitly Utilizes AI. Journal of Internet Commerce, 20(1), 66–83. https://doi.org/10.1080/15332861.2020.1832817
Zarifis, Alex, Cheng, X., & Kroenung, J. (2019). Collaborative consumption for low and high trust requiring business models: from fare sharing to supporting the elderly and people with disability. International Journal of Electronic Business, 15(1), 1. https://doi.org/10.1504/ijeb.2019.10020272