What if companies gave me control of my data?

In this guest post, consumer affairs minister Jo Swinson explores the benefits of ‘midata’, which could give you more control over the personal data companies hold. What would you do with your data?

Recently I was chatting to the owner of an independent bookshop, who told me animatedly about his Christmas recommendations, in particular which ones I might enjoy most given what other books I had recently read and loved.

How great, I thought, to have that personal, tailored advice, and wouldn’t it be great if I could get that everywhere else?

In this weather it can feel like you’re always turning the heating up – but wouldn’t it be fantastic if you could tell whether the energy bill is rising because you’re actually using more energy rather than the prices going ever upwards? Or whether your mobile phone tariff and provider are the best value for money taking into account your preferences and usage?

Giving you access to your data

There should be a simple way to get your hands on this valuable information. After all, many savvy businesses already use these insights to tailor services to their customers or ultimately, sell more products.

The good news is that the Government has announced that companies in four key sectors could be required to give individuals greater access to the personal data they hold through a scheme called ‘midata’.

Midata will mean companies and organisations are obliged, on request, to provide the data they hold on your transactions in an easy-to-read and reusable electronic format. The four key sectors this will initially apply to are those where we spend a large amount of our hard-earned cash – energy, credit cards, current accounts and mobile phones.

So, what could midata mean for you?

Well, every time I shop or use my Advantage card I share details about myself. Midata will mean I can expect a two-way dialogue with businesses who will have to report back to me on my own spending. So, just like my bookshop, midata could allow companies to develop insightful services that get to know me and my preferences, making shopping a far more convenient process.

Personally, I’d like to use midata to help get better deals more simply. It would be great if I could obtain a list of all the purchases on my credit card this year. And then if an app or website could take that data and tell me where I’m shopping the most, how often, and where I might save some money. Perhaps it could tell me that I should start shopping elsewhere or even change my card provider.

But this isn’t just about price comparison sites; Finland’s leading grocer has worked with a third party to give their customers a breakdown of the nutritional content of their shopping basket.

I’m excited about the possibilities that have opened up through midata, and I’m looking forward to seeing what types of innovative services and applications developers offer. And I want to hear your views too – in a midata future, what would you do with your data?

Which? Conversation provides guest spots to external contributors. This is from Jo Swinson MP. All opinions expressed here are Jo’s own, not necessarily those of Which?.

Comments

I don’t want innovative services, thank you. We frequently hear tales of misuse of data as it is.

I am pestered by phone calls and mail from companies, even ones I have ceased to use because of poor service. Unless I turn on private browsing on my web browser I soon see targeted adverts based on my browsing history. I am not obsessed about this, but it all makes me feel uncomfortable. If I fill in any personal details I am careful to choose to opt out of any sharing of my information. I certainly don’t want to waste more time by having to check what information companies hold about me.

I feel that ALL NON-ESSENTIAL use of personal data should be OPT-IN and NEVER OPT-OUT.

Sorry for the capitals but this silly game of collecting and using information must be stopped.

Simon DJ says:
18 December 2012

Innovation is your friend here. Unsolicited marketing of the kind you describe is not only annoying but grossly inefficient. It could all be sorted out between computers, according to rules you set.

I have said that I don’t want innovative services and you are saying that innovation is my friend. One of the biggest problems I have is people will not take NO for an answer. 🙁

No thank you, I don’t need marketing, telephone sales, people on the doorstep, unsolicited mail/email or having information sorted for me. I can conduct efficient Web searches and even look up Yellow Pages. I can use price comparison sites. Humour me and let me carry on in what you undoubtedly regard as my own inefficient way, please.

I am quite capable of analysing my own spending, finding best-value deals, but more importantly I am the best person to know my preferences. So this is pointless as far as I am concerned. I don’t use a Tesco Clubcard because I don’t want a commercial organisation collecting information on what I do. Just because data can be collected and processed does not mean we want it to be used – surely there are more important things for the companies (and the minister) that do this to spend their time on – unless there is a way of making a profit from us, of course – surely not the motive!

@MalcolmR: So you always pay by cash then?

Simon DJ says:
18 December 2012

@MalcolmR: what about a service that uses your transaction data to keep you on the best energy/mobile/current account deal?

David, no

So you are still being profiled then!

David, that is not the point. It seems to me the point is whether we want to encourage further manipulation of data. I, personally, don’t.

By not using a Tesco Clubcard (other data collection cards are available) you are paying inflated prices compared with those who do use loyalty cards. How did we ever get to this crazy situation?

Beware of the innovative services. I think it can only get worse.

wavechange – in fact, we rarely use Tesco these days, but when we do we don’t use the clubcard. So nothing lost!

I wish I could say the same, Malcolm. Unfortunately I would have to drive a fair distance to use anything other than Tesco.

Soon after I reluctantly signed up for the dreaded Clubcard I had a call from Tesco and I made it clear that this was the last time they called me. Thankfully, I have never received another call.

How does midata work? What is the mechanism? How do apps get hold of your data to analyse it and make recommendations? How is your transaction data updated?

Read Ms Swinson’s article and these questions remain unanswered. Which means that you can’t assess midata.

The Department for Business Innovation and Skills (BIS) want us all to have so-called “personal data stores”, PDSs.

A PDS is a computer file which stores standing information about you like your name and birthday, your sex and your address, your driving licence number and your passport number, and so on. And it stores transaction information, particularly bank transactions, telephone usage, gas and electricity consumption, and so on. Your educational qualifications could be stored in your PDS, as could information about your medical health. One way and another, your PDS will paint a very accurate and full picture of you.

Where is this PDS maintained? BIS’s answer seems to be that you will retain a trusted third party like Mydex to maintain it for you. Mydex offer secure computer facilities to host your PDS. If you give Mydex the user IDs, passwords and so on that allow you to log on to your bank accounts and Amazon accounts and HMRC accounts for tax returns, and so on, then they can keep your PDS permanently updated with new transaction data and they can keep your suppliers permanently updated with changes of address, say, or job changes, and so on.

Why should you trust Mydex or any other supplier you’ve never heard of? Are there any secure computer facilities? Is it wise to hand over your logon IDs and passwords to other people even if you know them, let alone a stranger like Mydex? Why would you grant access to all your data to third party apps developers you know even less about than Mydex?

midata — whether Ms Swinson and Which? realise it or not — is luring people into making all the mistakes that we are normally warned against. To protect us against fraud, we are normally advised to keep secret all the data that midata encourages us to reveal. It would be more upright if Ms Swinson had mentioned that in her article.

It should be noted that the chairman of Mydex is also a member of BIS’s midata strategy board.

And that Mydex have recently been appointed one of the UK’s seven “identity providers”.

Identity providers will be used to vouch for us when we want to use public services. Clearly a PDS is a sort of ID card (without the card). What Ms Swinson is doing, wittingly or not, is resurrecting a national ID cards scheme, sotto voce, while talking aloud only about reducing our phone bills.

These matters are discussed on the blog DMossEsq.com where I hope readers and Which? will join me in discussion, whether correcting my understanding of PDSs or, if that understanding is correct, helping to lobby against what looks like a pernicious initiative, midata.

William from Mydex says:
15 December 2012

David – as I’ve said elsewhere I don’t propose to correct your misapprehensions about Mydex via social networks. My offer to speak with you to explore and to respond to what’s biting you remains open. I assume you got my email, and I imagine you still have my phone number.

Reply to William from Mydex, 10:22 p.m., 15 December 2012.

This matter has been covered, http://www.computerweekly.com/blogs/the-data-trust-blog/2012/11/the-significance-of-the-identi.html#comment-182015

The repeated claim is made that “Mydex gives individuals back control over their personal data”, http://mydex.org/

Question #1 of many – how? How does Mydex give back control to us consumers? Is this control in Mydex’s gift? If a consumer stores all his or her data in a PDS with Mydex, that looks more like giving up control. BIS claim that midata will give us control of our data but can never explain how (http://blogs.bis.gov.uk/blog/2011/11/03/giving-consumers-the-midata-touch/). The Cabinet Office make the same point (http://www.cabinetoffice.gov.uk/news/digital-public-services-putting-citizen-charge-not-state) with regard to their Identity Assurance Programme but, similarly, cannot explain how we gain control rather than giving it up.

These public representations made to the public need to be explained in public. That should be a simple matter of explaining the sales pitch. Most companies and policy-makers can manage that. 18 months I’ve been asking about Mydex and 12 months about midata. It must look peculiar to the public that answers are still unforthcoming.

Simon DJ says:
18 December 2012

@DavidM: you raise some great issues which a whole crowd of people and organisations – including consumer and privacy groups – volunteered to help address in an open way through both the ‘midata’ programme over a year ago. Many countries have similar programmes (including the French!) and even the World Economic Forum has a process for “Rethinking Personal Data”, for example. Ironically, however, ‘midata’ represents a painfully slow process of reflecting sunlight into certain industries that still profit from keeping their customers in the dark. The e-commerce world is way ahead in enabling people to use transaction data to improve their purchasing decisions and personal information management services are already commercially available to help make sense of it all. So in some ways ‘midata’ is just a very slow game of catch-up. I should add that it’s not an ID scheme, nor dependent on one, though ID authentication tools will be needed in the course of enabling the transfer of ‘midata’.

“… you raise some great issues which a whole crowd of people and organisations – including consumer and privacy groups – volunteered to help address in an open way through both the ‘midata’ programme over a year ago” — so let’s see a bit more openness.

“Many countries have similar programmes (including the French!) and even the World Economic Forum has a process for “Rethinking Personal Data”, for example” — so what?

“Ironically, however, ‘midata’ represents a painfully slow process of reflecting sunlight into certain industries that still profit from keeping their customers in the dark” — such as? Which industries?

“The e-commerce world is way ahead in enabling people to use transaction data to improve their purchasing decisions [examples, please] and personal information management services are already commercially available to help make sense of it all [so we don’t need midata].”

“So in some ways ‘midata’ is just a very slow game of catch-up” — what?

“I should add that it’s not an ID scheme, nor dependent on one, though ID authentication tools will be needed in the course of enabling the transfer of ‘midata’…” — that’s just flat false, isn’t it. The opposite of the truth. The Mydex PDS which receives your midata transactions is the same PDS which will be used if Whitehall has its way to verify your identity when DWP, for example, ask Mydex with its identity provider hat on whether this applicant for Universal Credit really is Simon Deane-Jones.

One aim is, by collecting a lot of information about you, that companies can target you with goods and services they think you are most likely to want.

Firstly, this may please a lot of people who aren’t able, or who can’t be bothered, to evaluate their own needs. Personally, I am capable of collecting, and prefer to collect, my own information and make my judgements based on that information. I think by doing it myself I learn more about making good judgements. If I leave it to someone else, then I miss out on that education process.

More worryingly though are the thoughts that companies will make recommendations but, of course, based on their own products – which may not be best for you. Should you rely on this? No. And amongst these companies are banks and financial institutions – from their track record would you trust their advice? The words the government use are “services they trust” – “trusted suppliers” – “genuinely helpful”. I wish I believed that there were a lot of philanthropic organisations out there ready to help me.

Perhaps most worryingly is the security of your data. Do you believe it could not be hacked, sold, or otherwise mis-used? I don’t.

What I would be happy with is a piece of software on my own computer that would hold electronic information about me, assisted by companies I deal with providing it in a suitable format, so that I can control it and my own decision making. I already use MS Money which holds all my financial information very adequately, plus spreadsheets for other stuff.

There is good stuff in the Midata proposal without question, but worrying stuff too.

Some selected extracts from Govt publications on Midata. Selectivity is prone to distorting the facts, so I don’t suggest these as other than examples.

Extracts:
“Meanwhile, users like Mary and John have grown used to sharing this aggregated data with services they trust. This has given these service providers the opportunity to offer new financial planning and management services, to gain new insights into customer behaviours and needs, to make genuinely helpful and timely product and service offers – thus helping them improve customer satisfaction and reduce marketing costs.”

“Some clothes shops have asked her for access to this data, offering her some hefty discounts in return for providing it. This is the first time they’ve been able to see a genuine ‘single view’ of customers’ spending across the category as a whole.”

“Over time, the My Purchases database will grow to be the critical database that companies need to access (on a permission only basis of course), if they want to gain insight into their customers’ needs and wants and to offer customers truly relevant, personalised services. Looking to the future, this might obviate the need for expensive loyalty card and other data capturing schemes, while allowing all trusted suppliers to gain access to rich, detailed information about customer behaviours, preferences and priorities.”

“Personalised advice is one of the holy grail of superior service. Until now, in many cases, it’s been prohibitively expensive. But, starting with structured data about the individual’s actual behaviours and usage, it’s becoming possible to build new types of ‘advice engines’ that really do take individuals’ circumstances, needs and priorities into account.”

“Marketing: permissions Access and Control
As customers get used to updating and managing preferences and permissions, they are more likely to opt in rather than out of marketing communications ”

“Marketing: targeting Access and Control, Transfer
Using more accurate, up-to-date data and improved customer insight (plus better permissions management) to target marketing communications more accurately. Increased customer retention and acquisition.”

William from Mydex says:
15 December 2012

There are a range of valid reasons why people might want their personal data back from organisations, and it’ll take a policy like Midata to make that possible.

The threat of compulsion set out above is clearly directed at organisations to provide the data back if the individual so requests. There’s no compulsion for the individual. It’s like making it much easier to do a Data Protection Act subject access request (which very few people do) and doing it with structured data.

For all of us, far too much of our personal data swills around today already. Generally the one person who doesn’t have meaningful access to it in a structured and usable form is the very individual most entitled to it and who could make best, most valuable and appropriate use of it.

To do this safely does require new tools, new rules (contract or law) and education. You do need to understand the concept of a personal data store to make sense of Midata (see eg The Economist this week, or Mydex web site entry about Midata).

So I think BIS has this one right (and MoJ which is simultaneously lobbying against a new EU requirement to give data back has this wrong). Which? can do a helpful job spelling out the protections (legal, technical, consumer education) that will be necessary for consumers to do this safely. And it can get ready to deliver Midata back itself, because as a subscription-based publishing business Which? holds quite a lot of personal data itself.

William

Data collection is bad enough but the biggest security threat is when the pieces of the jigsaw are assembled. If these data fall into the wrong hands, the individual has a great deal to lose.

You may be able to tell me that Mydex has never had a security breach and I might believe you, but if you were to say that your system is secure I would not believe you any more than I would believe any organisation – commercial or otherwise – that claimed their systems were secure. I well remember when banks denied that phantom withdrawals from cash machines could happen and eventually it was proved that the banks were either poorly informed or maybe telling lies.

The whole system for data protection needs to be overhauled to ensure that no personal data are kept unless necessary and deleted when no longer needed. I do not mind if some people want to provide data voluntarily, but it MUST be an opt-in system.

I have not looked into this as much as David Moss has and I am probably a little less concerned about data collection than Malcolm R. but I do feel uncomfortable that companies like yours exist. Having looked at your website and seen that one way your organisation will charge organisations a fee for certain data sharing services makes me even more uncomfortable.

The idea of a personal data store might be good in an ideal world. The problem is that the world includes organisations and businesses that can and will misuse personal data, and data is not totally secure. Commercial organisations claiming to use your data to help you buy better products or services will not normally give you impartial advice. You will need to be savvy to interpret the advice you are given. But relying on someone else advising you may make you lazy about doing your own investigations. I’d rather keep my own personal data, as said earlier, in a common format that makes it easy for me to interrogate when decisions need to be made. Others may prefer to leave this to someone else.

William from Mydex says:
16 December 2012

wavechange – Completely agree there is too much collection; and that aggregation is the problem; also that there’s no place for complacent claims from anyone about security, and that the banks handling of the “phantom withdrawals” issue was unacceptable.

When you call for a data protection system overhaul this could be EU law (ie new EU DP regulation); UK law and policy such as Midata and ID assurance; organisations adjusting their normal practices based on what customers find acceptable/unacceptable and what individuals are able to do themselves.

What individuals can do depends to a large extent on what tools and services they have available. There’s a big gap here that Mydex is trying to fill. You’re perfectly entitled not to use it. For our part we’re concerned such services do not exist yet which is why we set it up. I don’t think there’s any more reason in principle for you to feel uncomfortable about its existence than if a company started selling Filofaxes with fat padlocks on them. Filofaxes were quite powerful; online PDS are altogether more powerful. So a degree of wariness is understandable, and constructive critical feedback always welcome.

Your point I most agree with is about finding a path towards data minimisation or “just-in-time data”. We do have to fill out some forms in life, or provide some data to get services. Not as much as we’re routinely asked for, but some. One credible path towards not keeping personal data and data deletion is if the individual can instantly produce the essential data needed for a transaction, perhaps where necessary verified by an external party (eg to prove you have a licence, verified address or qualification).

Something like a PDS is a helpful and credible way to solve this problem. But of course it has to be opt-in, just as putting a safe in your home for valuables is opt-in.

Thanks for your reply, William. There are obviously big differences between what individuals are comfortable with in their everyday lives. Many are happy with sharing a fair amount of personal information via Facebook et al. but it’s not for me, thanks. It will take a lot to convince me that the government’s plans for midata are a good idea.

I can appreciate that a PDS could make life easier, just as direct debits have done for me over many years. Many are suspicious of direct debits and standing orders because of the risk of errors. Strangely, it has been the ease with which errors have been corrected that has provided me with reassurance about these systems.

I do not know what the future will bring but I certainly do not want to be an early adopter.

Simon DJ says:
18 December 2012

It would be great to see a service with the following proposition:

Tell me how you use [energy/your phone/etc] and I’ll keep switching you to the service that’s right for you.

That would take all the hassle out of switching, yet allow suppliers to adjust their pricing.

Simon “DJ” Deane-Jones sits on the midata Interoperability Board at BIS, the Department for Business Innovation and Skills.

William Heath sits on the midata Strategy Board, as well as being the founder and chairman of Mydex and a shareholder in Ctrl-Shift whose research work is in turn cited by BIS in support of midata.

Nothing wrong with any of that as long as it is all declared openly so that people don’t assume that there is total independence between these parties.

Simon Deane-Johns says:
18 December 2012

@DavidMoss I do participate in the Interoperability Board of the midata programme, and have been very public about that. I was invited to participate on a voluntary basis and have no client in that process. I am independent of Mydex, Ctrl-Shift, the UK government, the ICO and the dozens of other participants. I used the screen-name “Simon DJ” to comment here in a personal capacity and my views should not be taken as representing those of the Interoperability Board or the Midata programme. My public profile can be found on LinkedIn.

Good – we all know where we stand now.

I am merely an unofficial and non-representative member of the general public who is worried about what has happened with personal data in the past and very worried about what could happen if it is collected and collated. I believe that this is perfectly normal paranoia.

SimonDJ – your comment earlier “what about a service that uses your transaction data to keep you on the best energy/mobile/current account deal?”. As I have explained later, firstly I believe I am capable of finding the deals on these and other issues that suit me best – through the internet, Which? and other methods. Doing it myself means I understand what the market is like. Why therefore should I need someone to do it for me? And why should I trust that I am indeed being offered the best deal? Other people may choose to delegate these matters to commercial organisations – I prefer to look after my own interests.
It would be interesting to hear how these “services” that are going to look after me are paid for. Through taxes or commission or???

Will Jo Swinson perhaps respond to the questions posed above?

In addition, David, in view of the Government’s (Civil Service’s) appalling record in dealing with software projects, I wonder why they are spending their resources on this? What benefits will it bring to the country (as opposed to those organisations commercially involved)? I would have thought there were other problems they could address with a higher priority under the present economic circumstances.

BIS = Department for Business Innovation and Skills
GDS = Government Digital Service, part of the Cabinet Office

“I wonder why they are spending their [our] resources on this”.

(a) midata is an example of BIS doing its job, helping the economy to grow and empowering/protecting consumers.

(b) midata allows BIS to expand its empire/extend its influence over consumers and businesses.

(c) midata is BIS’s response to GDS’s demand for help to get its Identity Assurance Programme off the ground thereby taking an important step towards public services becoming digital by default.

Take your pick.

“What benefits will it bring to the country … ?”

Malcolm, that’s the family size can of worms.

BIS held a midata consultation which included a number of open forums attended by BIS and the public. At the 9 August 2012 forum I asked David Miller, the BIS economist, what percentage midata would cause the UK economy to grow by. He said that it is impossible to predict the macroeconomic effect of midata.

In their response to the consultation Which? say that they think the effect would be positive while claiming that the effect of midata would be deregulatory while advocating an extensive new system of accreditation and regulation to be layered on top of all the regulation that already exists and doesn’t work and advocating that all the development, running and regulation costs should nevertheless not be passed on to consumers, whose use of midata should somehow be “free”, while warning that midata must increase the risks of loss of privacy and the risks of fraud in the wild west of the web while assuming that those risks can somehow be nullified despite the fact that the media are full of stories every day of breaches of web security at the highest levels.

“I would have thought there were other problems they could address with a higher priority”

BIS are addressing them. The department is an all year round Father Christmas. Take a look at the selection below of their press releases issued since 1.11.12:

• 1.11.12 More than £1 billion to be invested in UK science and research
• 5.11.12 New powers for courts to improve justice for wronged consumers
• 6.11.12 Government to care homes sector: help us improve enforcement of regulation
• 8.11.12 Fallon to big businesses: Commit to paying suppliers on time, or be named
• 8.11.12 Use of Civil Sanctions Powers Contained in the Regulatory Enforcement and Sanctions Act 2008
• 9.11.12 UK space industry set to rocket with £240 million of investment
• 9.11.12 Government to invest £20 million in synthetic biology
• 13.11.12 Mums and dads will share parental leave
• 14.11.12 Business Secretary’s statement on European Commission’s proposed directive on improving gender balance on Europe’s corporate boards
• 15.11.12 Business Minister hails North East Regional Growth Fund success
• 16.11.12 Business Minister announces £40 million boost for high growth SMEs
• 17.11.12 New power to boost consumers’ access to data
• 20.11.12 £150 million for businesses to build skilled workforce
• 21.11.12 £400 million boost to England’s colleges
• 21.11.12 UK secures £1.2 billion package of space investment
• 22.11.12 Government sets out steps to change culture in UK equity markets
• 23.11.12 Bureaucracy busting boost for street traders
• 23.11.12 Emerging technologies to drive growth identified
• 26.11.12 Multi-million pound boost for UK manufacturing supply chains
• 28.11.12 Green bank opens for business
• 28.11.12 Lord Currie sets out vision for new Competition and Markets Authority
• 30.11.12 Business Secretary urges headhunters to seek out new female talent
• 3.12.12 Boost for UK automotive supply chains
• 4.12.12 Groceries Adjudicator to have new power to fine supermarkets
• 6.12.12 Vince Cable launches schemes for skills and jobs on South Coast
• 6.12.12 New £550m capital investment programme will transform FE colleges

How good are BIS at “picking winners”?

I don’t want companies storing personal data at all. My local restaurant does not need my date of birth to deliver a curry. My energy company does not need 3 phone numbers to ignore my emails. My bank does not need 5 forms of ID when they have been managing my account for 20 years. It’s about time some effective regulations were introduced (and then enforced) to allow people to take control of their privacy. The truth is that no company can guarantee data security. The solution is not to store the data in the first place. If personal data capture is essential (e.g. for insurance) then it can be requested but should be permanently erased immediately it is no longer needed.

It won’t happen, of course, since personal data is a valuable commodity which companies want to sell to others, so they will be lobbying like mad to keep things exactly like they are.

To me this all seems to be a very foggy subject. Who are these “trusted providers”? How can you be confident that data – that is sensitive for individuals – will be secure? Even(?) the government seems to have trouble in this area. And what can we be advised that we can not already do for ourselves? I wish I was clearer about what all this is supposed to do.
Am I alone in this?
Finally, how much is this exercise costing and who is profiting from it?

It would be useful to now hear Which’s views on this, given the many contributions. Are you planning to do a report or to contribute through this conversation?

Hello Malcolm, we’re very keen to hear what people think about midata so we’re definitely taking an interest in the comments. We have commented on midata before: http://www.which.co.uk/news/2012/11/consumers-can-demand-data-on-spending-habits-302360/

Here’s what Which? executive director Richard Lloyd said: ‘The ‘midata’ programme can help put consumers in the driving seat of the information revolution while boosting competition and supporting growth among companies that provide the best products and services.

‘We’re pleased to see the government putting in place measures to give people the right to data that companies hold on them.

‘Giving consumers more power with their personal data will help them make better use of their money, and that’s not only good for customer-friendly businesses, but good for growth in the economy.’