
What if companies gave me control of my data?

In this guest post, consumer affairs minister Jo Swinson explores the benefits of ‘midata’, which could give you more control over the personal data companies hold. What would you do with your data?

Recently I was chatting to the owner of an independent bookshop, who told me animatedly about his Christmas recommendations. In particular which ones I might enjoy most given what other books I had recently read and loved.

How great, I thought, to have that personal, tailored advice, and wouldn’t it be great if I could get that everywhere else?

In this weather it can feel like you’re always turning the heating up – but wouldn’t it be fantastic if you could tell whether the energy bill is rising because you’re actually using more energy rather than the prices going ever upwards? Or whether your mobile phone tariff and provider are the best value for money taking into account your preferences and usage?

Giving you access to your data

There should be a simple way to get your hands on this valuable information. After all, many savvy businesses already use these insights to tailor services to their customers or ultimately, sell more products.

The good news is that the Government has announced that companies in four key sectors could be required to give individuals greater access to the personal data they hold through a scheme called ‘midata’.

Midata will mean companies and organisations are obliged, on request, to provide the data they hold on your transactions in an easy-to-read and reusable electronic format. The four key sectors this will initially apply to are those where we spend a large amount of our hard-earned cash – energy, credit cards, current accounts and mobile phones.

So, what could midata mean for you?

Well, every time I shop or use my Advantage card I share details about myself. Midata will mean I can expect a two-way dialogue with businesses who will have to report back to me on my own spending. So, just like my bookshop, midata could allow companies to develop insightful services that get to know me and my preferences, making shopping a far more convenient process.

Personally, I’d like to use midata to help get better deals more simply. It would be great if I could obtain a list of all the purchases on my credit card this year. And then if an app or website could take that data and tell me where I’m shopping the most, how often, and where I might save some money. Perhaps it could tell me that I should start shopping elsewhere or even change my card provider.

But this isn’t just about price comparison sites; Finland’s leading grocer has worked with a third party to give their customers a breakdown of the nutritional content of their shopping basket.

I’m excited about the possibilities that have opened up through midata, and I’m looking forward to seeing what types of innovative services and applications developers offer. And I want to hear your views too – in a midata future, what would you do with your data?

Which? Conversation provides guest spots to external contributors. This is from Jo Swinson MP. All opinions expressed here are Jo’s own, not necessarily those of Which?.


I don’t want innovative services, thank you. We frequently hear tales of misuse of data as it is.

I am pestered by phone calls and mail from companies, even ones I have ceased to use because of poor service. Unless I turn on private browsing on my web browser I soon see targeted adverts based on my browsing history. I am not obsessed about this, but it all makes me feel uncomfortable. If I fill in any personal details I am careful to choose to opt out of any sharing of my information. I certainly don’t want to waste more time by having to check what information companies hold about me.

I feel that ALL NON-ESSENTIAL use of personal data should be OPT-IN and NEVER OPT-OUT.

Sorry for the capitals but this silly game of collecting and using information must be stopped.

Simon DJ says:
18 December 2012

Innovation is your friend here. Unsolicited marketing of the kind you describe is not only annoying but grossly inefficient. It could all be sorted out between computers, according to rules you set.


I have said that I don’t want innovative services and you are saying that innovation is my friend. One of the biggest problems I have is people will not take NO for an answer. 🙁

No thank you, I don’t need marketing, telephone sales, people on the doorstep, unsolicited mail/email or having information sorted for me. I can conduct efficient Web searches and even look up Yellow Pages. I can use price comparison sites. Humour me and let me carry on in what you undoubtedly regard as my own inefficient way, please.


I am quite capable of analysing my own spending, finding best-value deals, but more importantly I am the best person to know my preferences. So this is pointless as far as I am concerned. I don’t use a Tesco Clubcard because I don’t want a commercial organisation collecting information on what I do. Just because data can be collected and processed does not mean we want it to be used – surely there are more important things for the companies (and the minister) that do this to spend their time on – unless there is a way of making a profit from us, of course – surely not the motive!


@MalcolmR: So you always pay by cash then?

Simon DJ says:
18 December 2012

@MalcolmR: what about a service that uses your transaction data to keep you on the best energy/mobile/current account deal?


David, no


So you are still being profiled then!


David, that is not the point. It seems to me the point is whether we want to encourage further manipulation of data. I, personally, don’t.


By not using a Tesco Clubcard (other data collection cards are available) you are paying inflated prices compared with those who do use loyalty cards. How did we ever get to this crazy situation?

Beware of the innovative services. I think it can only get worse.


wavechange – in fact, we rarely use Tesco these days, but when we do we don’t use the clubcard. So nothing lost!


I wish I could say the same, Malcolm. Unfortunately I would have to drive a fair distance to use anything other than Tesco.

Soon after I reluctantly signed up for the dreaded Clubcard I had a call from Tesco and I made it clear that this was the last time they called me. Thankfully, I have never received another call.


How does midata work? What is the mechanism? How do apps get hold of your data to analyse it and make recommendations? How is your transaction data updated?

Read Ms Swinson’s article and these questions remain unanswered. Which means that you can’t assess midata.

The Department for Business Innovation and Skills (BIS) want us all to have so-called “personal data stores”, PDSs.

A PDS is a computer file which stores standing information about you like your name and birthday, your sex and your address, your driving licence number and your passport number, and so on. And it stores transaction information, particularly bank transactions, telephone usage, gas and electricity consumption, and so on. Your educational qualifications could be stored in your PDS, as could information about your medical health. One way and another, your PDS will paint a very accurate and full picture of you.

Where is this PDS maintained? BIS’s answer seems to be that you will retain a trusted third party like Mydex to maintain it for you. Mydex offer secure computer facilities to host your PDS. If you give Mydex the user IDs, passwords and so on that allow you to log on to your bank accounts and Amazon accounts and HMRC accounts for tax returns, and so on, then they can keep your PDS permanently updated with new transaction data and they can keep your suppliers permanently updated with changes of address, say, or job changes, and so on.

Why should you trust Mydex or any other supplier you’ve never heard of? Are there any secure computer facilities? Is it wise to hand over your logon IDs and passwords to other people even if you know them, let alone a stranger like Mydex? Why would you grant access to all your data to third party apps developers you know even less about than Mydex?

midata — whether Ms Swinson and Which? realise it or not — is luring people into making all the mistakes that we are normally warned against. To protect us against fraud, we are normally advised to keep secret all the data that midata encourages us to reveal. It would be more upright if Ms Swinson had mentioned that in her article.

It should be noted that the chairman of Mydex is also a member of BIS’s midata strategy board.

And that Mydex have recently been appointed one of the UK’s seven “identity providers”.

Identity providers will be used to vouch for us when we want to use public services. Clearly a PDS is a sort of ID card (without the card). What Ms Swinson is doing, wittingly or not, is resurrecting a national ID cards scheme, sotto voce, while talking aloud only about reducing our phone bills.

These matters are discussed on the blog DMossEsq.com where I hope readers and Which? will join me in discussion, whether correcting my understanding of PDSs or, if that understanding is correct, helping to lobby against what looks like a pernicious initiative, midata.

William from Mydex says:
15 December 2012

David – as I’ve said elsewhere I don’t propose to correct your misapprehensions about Mydex via social networks. My offer to speak with you to explore and to respond to what’s biting you remains open. I assume you got my email, and I imagine you still have my phone number.


Reply to William from Mydex, 10:22 p.m., 15 December 2012.

This matter has been covered, http://www.computerweekly.com/blogs/the-data-trust-blog/2012/11/the-significance-of-the-identi.html#comment-182015

The repeated claim is made that “Mydex gives individuals back control over their personal data”, http://mydex.org/

Question #1 of many – how? How does Mydex give back control to us consumers? Is this control in Mydex’s gift? If a consumer stores all his or her data in a PDS with Mydex, that looks more like giving up control. BIS claim that midata will give us control of our data but can never explain how (http://blogs.bis.gov.uk/blog/2011/11/03/giving-consumers-the-midata-touch/). The Cabinet Office make the same point (http://www.cabinetoffice.gov.uk/news/digital-public-services-putting-citizen-charge-not-state) with regard to their Identity Assurance Programme but, similarly, cannot explain how we gain control rather than giving it up.

These public representations made to the public need to be explained in public. That should be a simple matter of explaining the sales pitch. Most companies and policy-makers can manage that. 18 months I’ve been asking about Mydex and 12 months about midata. It must look peculiar to the public that answers are still unforthcoming.

Simon DJ says:
18 December 2012

@DavidM: you raise some great issues which a whole crowd of people and organisations – including consumer and privacy groups – volunteered to help address in an open way through both the ‘midata’ programme over a year ago. Many countries have similar programmes (including the French!) and even the World Economic Forum has a process for “Rethinking Personal Data”, for example. Ironically, however, ‘midata’ represents a painfully slow process of reflecting sunlight into certain industries that still profit from keeping their customers in the dark. The e-commerce world is way ahead in enabling people to use transaction data to improve their purchasing decisions and personal information management services are already commercially available to help make sense of it all. So in some ways ‘midata’ is just a very slow game of catch-up. I should add that it’s not an ID scheme, nor dependent on one, though ID authentication tools will be needed in the course of enabling the transfer of ‘midata’.


“… you raise some great issues which a whole crowd of people and organisations – including consumer and privacy groups – volunteered to help address in an open way through both the ‘midata’ programme over a year ago” — so let’s see a bit more openness.

“Many countries have similar programmes (including the French!) and even the World Economic Forum has a process for “Rethinking Personal Data”, for example” — so what?

“Ironically, however, ‘midata’ represents a painfully slow process of reflecting sunlight into certain industries that still profit from keeping their customers in the dark” — such as? Which industries?

“The e-commerce world is way ahead in enabling people to use transaction data to improve their purchasing decisions [examples, please] and personal information management services are already commercially available to help make sense of it all [so we don’t need midata].”

“So in some ways ‘midata’ is just a very slow game of catch-up” — what?

“I should add that it’s not an ID scheme, nor dependent on one, though ID authentication tools will be needed in the course of enabling the transfer of ‘midata’…” — that’s just flat false, isn’t it. The opposite of the truth. The Mydex PDS which receives your midata transactions is the same PDS which will be used if Whitehall has its way to verify your identity when DWP, for example, ask Mydex with its identity provider hat on whether this applicant for Universal Credit really is Simon Deane-Jones.


One aim is, by collecting a lot of information about you, that companies can target you with goods and services they think you are most likely to want.

Firstly, this may please a lot of people who aren’t able, or who can’t be bothered, to evaluate their own needs. Personally, I am capable of collecting, and prefer to collect, my own information and make my judgements based on that information. I think by doing it myself I learn more about making good judgements. If I leave it to someone else, then I miss out on that education process.

More worryingly though are the thoughts that companies will make recommendations but, of course, based on their own products – which may not be best for you. Should you rely on this? No. And amongst these companies are banks and financial institutions – from their track record would you trust their advice? The words the government use are “services they trust” – “trusted suppliers” – “genuinely helpful”. I wish I believed that there were a lot of philanthropic organisations out there ready to help me.

Perhaps most worryingly is the security of your data. Do you believe it could not be hacked, sold, or otherwise mis-used? I don’t.

What I would be happy with is a piece of software on my own computer that would hold electronic information about me, assisted by companies I deal with providing it in a suitable format, so that I can control it and my own decision making. I use already MS Money which holds all my financial information very adequately, plus spreadsheets for other stuff.

There is good stuff in the Midata proposal without question, but worrying stuff too.

Some selected extracts from Govt publications on Midata. Selectivity is prone to distorting the facts, so I don’t suggest these as other than examples.

“Meanwhile, users like Mary and John have grown used to sharing this aggregated data with services they trust. This has given these service providers the opportunity to offer new financial planning and management services, to gain new insights into customer behaviours and needs, to make genuinely helpful and timely product and service offers – thus helping them improve customer satisfaction and reduce marketing costs.”

“Some clothes shops have asked her for access to this data, offering her some hefty discounts in return for providing it. This is the first time they’ve been able to see a genuine ‘single view’ of customers’ spending across the category as a whole.”

“Over time, the My Purchases database will grow to be the critical database that companies need to access (on a permission only basis of course), if they want to gain insight into their customers’ needs and wants and to offer customers truly relevant, personalised services. Looking to the future, this might obviate the need for expensive loyalty card and other data capturing schemes, while allowing all trusted suppliers to gain access to rich, detailed information about customer behaviours, preferences and priorities.”

“Personalised advice is one of the holy grail of superior service. Until now, in many cases, it’s been prohibitively expensive. But, starting with structured data about the individual’s actual behaviours and usage, it’s becoming possible to build new types of ‘advice engines’ that really do take individuals’ circumstances, needs and priorities into account.”

“Marketing: permissions Access and Control
As customers get used to updating and managing preferences and permissions, they are more likely to opt in rather than out of marketing communications”

“Marketing: targeting Access and Control, Transfer
Using more accurate, up-to-date data and improved customer insight (plus better permissions management) to target marketing communications more accurately. Increased customer retention and acquisition.”

William from Mydex says:
15 December 2012

There are a range of valid reasons why people might want their personal data back from organisations, and it’ll take a policy like Midata to make that possible.

The threat of compulsion set out above is clearly directed at organisations to provide the data back if the individual so requests. There’s no compulsion for the individual. It’s like making it much easier to do a Data Protection Act subject access request (which very few people do) and doing it with structured data.

For all of us, far too much of our personal data swills around today already. Generally the one person who doesn’t have meaningful access to it in a structured and usable form is the very individual most entitled to it and who could make best, most valuable and appropriate use of it.

To do this safely does require new tools, new rules (contract or law) and education. You do need to understand the concept of a personal data store to make sense of Midata (see eg The Economist this week, or Mydex web site entry about Midata).

So I think BIS has this one right (and MoJ which is simultaneously lobbying against a new EU requirement to give data back has this wrong). Which? can do a helpful job spelling out the protections (legal, technical, consumer education) that will be necessary for consumers to do this safely. And it can get ready to deliver Midata back itself, because as a subscription-based publishing business Which? holds quite a lot of personal data itself.



Data collection is bad enough but the biggest security threat is when the pieces of the jigsaw are assembled. If these data fall into the wrong hands, the individual has a great deal to lose.

You may be able to tell me that Mydex has never had a security breach and I might believe you, but if you were to say that your system is secure I would not believe you any more than I would believe any organisation – commercial or otherwise – that claimed their systems were secure. I well remember when banks denied that phantom withdrawals from cash machines could happen and eventually it was proved that the banks were either poorly informed or maybe telling lies.

The whole system for data protection needs to be overhauled to ensure that no personal data are kept unless necessary and deleted when no longer needed. I do not mind if some people want to provide data voluntarily, but it MUST be an opt-in system.

I have not looked into this as much as David Moss has and I am probably a little less concerned about data collection than Malcolm R. but I do feel uncomfortable that companies like yours exist. Having looked at your website and seen that one way your organisation will charge organisations a fee for certain data sharing services makes me even more uncomfortable.


The idea of a personal data store might be good in an ideal world. The problem is that the world includes organisations and businesses that can and will misuse personal data, and data is not totally secure. Commercial organisations claiming to use your data to help you buy better products or services will not normally give you impartial advice. You will need to be savvy to interpret the advice you are given. But relying on someone else advising you may make you lazy about doing your own investigations. I’d rather keep my own personal data, as said earlier, in a common format that makes it easy for me to interrogate when decisions need to be made. Others may prefer to leave this to someone else.

William from Mydex says:
16 December 2012

wavechange – Completely agree there is too much collection; and that aggregation is the problem; also that there’s no place for complacent claims from anyone about security, and that the banks handling of the “phantom withdrawals” issue was unacceptable.

When you call for a data protection system overhaul this could be EU law (ie new EU DP regulation); UK law and policy such as Midata and ID assurance; organisations adjusting their normal practices based on what customers find acceptable/unacceptable and what individuals are able to do themselves.

What individuals can do depends to a large extent on what tools and services they have available. There’s a big gap here that Mydex is trying to fill. You’re perfectly entitled not to use it. For our part we’re concerned such services do not exist yet which is why we set it up. I don’t think there’s any more reason in principle for you to feel uncomfortable about its existence than if a company started selling Filofaxes with fat padlocks on them. Filofaxes were quite powerful; online PDS are altogether more powerful. So a degree of wariness is understandable, and constructive critical feedback always welcome.

Your point I most agree with is about finding a path towards data minimisation or “just-in-time data”. We do have to fill out some forms in life, or provide some data to get services. Not as much as we’re routinely asked for, but some. One credible path towards not keeping personal data and data deletion is if the individual can instantly produce the essential data needed for a transaction, perhaps where necessary verified by an external party (eg to prove you have a licence, verified address or qualification).

Something like a PDS is a helpful and credible way to solve this problem. But of course it has to be opt-in, just as putting a safe in your home for valuables is opt-in.


Thanks for your reply, William. There are obviously big differences between what individuals are comfortable with in their everyday lives. Many are happy with sharing a fair amount of personal information via Facebook et al. but it’s not for me, thanks. It will take a lot to convince me that the government’s plans for midata are a good idea.

I can appreciate that a PDS could make life easier, just as direct debits have done for me over many years. Many are suspicious of direct debits and standing orders because of the risk of errors. Strangely, it has been the ease with which errors have been corrected that has provided me with reassurance about these systems.

I do not know what the future will bring but I certainly do not want to be an early adopter.

Simon DJ says:
18 December 2012

It would be great to see a service with the following proposition:

Tell me how you use [energy/your phone/etc] and I’ll keep switching you to the service that’s right for you.

That would take all the hassle out of switching, yet allow suppliers to adjust their pricing.


Simon “DJ” Deane-Jones sits on the midata Interoperability Board at BIS, the Department for Business Innovation and Skills.

William Heath sits on the midata Strategy Board, as well as being the founder and chairman of Mydex and a shareholder in Ctrl-Shift whose research work is in turn cited by BIS in support of midata.

Nothing wrong with any of that as long as it is all declared openly so that people don’t assume that there is total independence between these parties.

Simon Deane-Johns says:
18 December 2012

@DavidMoss I do participate in the Interoperability Board of the midata programme, and have been very public about that. I was invited to participate on a voluntary basis and have no client in that process. I am independent of Mydex, Ctrl-Shift, the UK government, the ICO and the dozens of other participants. I used the screen-name “Simon DJ” to comment here in a personal capacity and my views should not be taken as representing those of the Interoperability Board or the Midata programme. My public profile can be found on LinkedIn.


Good – we all know where we stand now.

I am merely an unofficial and non-representative member of the general public who is worried about what has happened with personal data in the past and very worried about what could happen if it is collected and collated. I believe that this is perfectly normal paranoia.


SimonDJ – your comment earlier “what about a service that uses your transaction data to keep you on the best energy/mobile/current account deal?”. As I have explained later, firstly I believe I am capable of finding the deals on these and other issues that suit me best – through the internet, Which? and other methods. Doing it myself means I understand what the market is like. Why therefore should I need someone to do it for me? And why should I trust that I am indeed being offered the best deal? Other people may choose to delegate these matters to commercial organisations – I prefer to look after my own interests.
It would be interesting to hear how these “services” that are going to look after me are paid for. Through taxes or commission or???


Will Jo Swinson perhaps respond to the questions posed above?


In addition, David, in view of the Government’s (Civil Service’s) appalling record in dealing with software projects, I wonder why they are spending their resources on this? What benefits will it bring to the country (as opposed to those organisations commercially involved)? I would have thought there were other problems they could address with a higher priority under the present economic circumstances.


BIS = Department for Business Innovation and Skills
GDS = Government Digital Service, part of the Cabinet Office

“I wonder why they are spending their [our] resources on this”.

(a) midata is an example of BIS doing its job, helping the economy to grow and empowering/protecting consumers.

(b) midata allows BIS to expand its empire/extend its influence over consumers and businesses.

(c) midata is BIS’s response to GDS’s demand for help to get its Identity Assurance Programme off the ground thereby taking an important step towards public services becoming digital by default.

Take your pick.

“What benefits will it bring to the country … ?”

Malcolm, that’s the family size can of worms.

BIS held a midata consultation which included a number of open forums attended by BIS and the public. At the 9 August 2012 forum I asked David Miller, the BIS economist, what percentage midata would cause the UK economy to grow by. He said that it is impossible to predict the macroeconomic effect of midata.

In their response to the consultation Which? say that they think the effect would be positive while claiming that the effect of midata would be deregulatory while advocating an extensive new system of accreditation and regulation to be layered on top of all the regulation that already exists and doesn’t work and advocating that all the development, running and regulation costs should nevertheless not be passed on to consumers, whose use of midata should somehow be “free”, while warning that midata must increase the risks of loss of privacy and the risks of fraud in the wild west of the web while assuming that those risks can somehow be nullified despite the fact that the media are full of stories every day of breaches of web security at the highest levels.

“I would have thought there were other problems they could address with a higher priority”

BIS are addressing them. The department is an all year round Father Christmas. Take a look at the selection below of their press releases issued since 1.11.12:

• 1.11.12 More than £1 billion to be invested in UK science and research
• 5.11.12 New powers for courts to improve justice for wronged consumers
• 6.11.12 Government to care homes sector: help us improve enforcement of regulation
• 8.11.12 Fallon to big businesses: Commit to paying suppliers on time, or be named
• 8.11.12 Use of Civil Sanctions Powers Contained in the Regulatory Enforcement and Sanctions Act 2008
• 9.11.12 UK space industry set to rocket with £240 million of investment
• 9.11.12 Government to invest £20 million in synthetic biology
• 13.11.12 Mums and dads will share parental leave
• 14.11.12 Business Secretary’s statement on European Commission’s proposed directive on improving gender balance on Europe’s corporate boards
• 15.11.12 Business Minister hails North East Regional Growth Fund success
• 16.11.12 Business Minister announces £40 million boost for high growth SMEs
• 17.11.12 New power to boost consumers’ access to data
• 20.11.12 £150 million for businesses to build skilled workforce
• 21.11.12 £400 million boost to England’s colleges
• 21.11.12 UK secures £1.2 billion package of space investment
• 22.11.12 Government sets out steps to change culture in UK equity markets
• 23.11.12 Bureaucracy busting boost for street traders
• 23.11.12 Emerging technologies to drive growth identified
• 26.11.12 Multi-million pound boost for UK manufacturing supply chains
• 28.11.12 Green bank opens for business
• 28.11.12 Lord Currie sets out vision for new Competition and Markets Authority
• 30.11.12 Business Secretary urges headhunters to seek out new female talent
• 3.12.12 Boost for UK automotive supply chains
• 4.12.12 Groceries Adjudicator to have new power to fine supermarkets
• 6.12.12 Vince Cable launches schemes for skills and jobs on South Coast
• 6.12.12 New £550m capital investment programme will transform FE colleges

How good are BIS at “picking winners”?


I don’t want companies storing personal data at all. My local restaurant does not need my date of birth to deliver a curry. My energy company does not need 3 phone numbers to ignore my emails. My bank does not need 5 forms of ID when they have been managing my account for 20 years. It’s about time some effective regulations were introduced (and then enforced) to allow people to take control of their privacy. The truth is that no company can guarantee data security. The solution is not to store the data in the first place. If personal data capture is essential (e.g. for insurance) then it can be requested but should be permanently erased immediately it is no longer needed.

It won’t happen, of course, since personal data is a valuable commodity which companies want to sell to others, so they will be lobbying like mad to keep things exactly like they are.


Thanks to everyone for their comments so far. I think it’s great that people are engaging with this important topic, but I want to respond to a number of points that have arisen. Firstly, I see that there’s been quite a discussion between Mydex and David Moss and others, and on that I’d just like to say that midata is an open programme with a Strategy Board membership approved by the independent Chair, Professor Nigel Shadbolt, which is designed to reflect a range of views.

On supplying people with your data – no one, apart from you and the business you requested the data from, needs to have access to that data. It will be up to you, if and when you decide to share that data with an app or service provider. And indeed if you don’t wish to, you don’t need to request your data from any business in the first place. It is an option that some will want to take up and others won’t, but if people DO want help getting the best deals, then midata should help make that easier.

A personal data store (PDS) would be one option for those who want their data in this way, but it is not the only option. The midata programme is looking at what safeguards are needed for anyone wishing to share data with third parties, whether they are PDSs, switching sites or app developers. Sharing data with trusted suppliers should not lead to spam – this is not about business advertisement; it’s about generating tailored services that the consumer has asked for themselves. The Department for Business (BIS) will work with businesses and stakeholders to ensure that all privacy concerns are addressed.

BIS is responding to the changing market for open data, which is shaping the way businesses compete, to make sure the UK is at the forefront of digital services. We think that this is the right way to go for both economic and consumer empowerment reasons, and have appointed Professor Shadbolt to drive the work.

There have been some detailed questions about how midata works, and I’m glad people are interested in finding out more. The midata team are happy to talk through any specific questions you have. You can contact them at midata@bis.gsi.gov.uk


Dear Ms Swinson

Thank you very much for responding in public.

midata is a mass of contradictions:

(a) First BIS carry out a public consultation. Then, after the consultation, the public are advised to email BIS to find out how midata could work.

(b) midata is all about the personal data of consumers and you say that BIS “will work with businesses and stakeholders to ensure that all privacy concerns are addressed”. Then, next sentence, you say that “BIS is responding to the changing market for open data, which is shaping the way businesses compete”. Private? Open? Which is it?

(c) midata is not all about switching suppliers, we keep being told, it is also about expert applications making lifestyle choices for us. But no-one can give any examples of these applications, see for example the Which? response to the midata consultation. BIS seem to want statutory powers to deliver an unknown benefit.

(d) BIS describe midata as having a deregulatory effect but the Which? response to the consultation advocates a mass of new accreditation and regulation to be layered onto all the existing bureaucracy with no reason given why the new dispensation would work any better than the old one.

(e) The word “empower” is being misused, or even abused. Having an app make purchasing decisions for you doesn’t empower you, it makes you a helpless bystander in your own life.

(f) The word “control” is being misused, or even abused. Giving all your data to a third party doesn’t put you in control of it, it means you have given up control.

(g) BIS joined with GCHQ, the FCO and the Cabinet Office in warning British industry that they need to up their game when it comes to cybersecurity. In GCHQ’s expert opinion, British industry is failing to offer secure web facilities. And yet there is the same BIS luring consumers into storing all their personal data on the web.

(h) BIS promise that midata would boost the UK economy but BIS’s own economist says that there’s no way to predict what the macroeconomic effect of BIS would be.

Given that BIS are neither malevolent nor stupid, how did the Department get into this embarrassing mess?

We outsiders can only guess, but one possibility is that the Cabinet Office leaned on BIS to help sell the idea of PDSs. The Cabinet Office, or more precisely the Government Digital Service (GDS), need the public to adopt PDSs so that public services can become digital-by-default. Perhaps BIS were doing GDS a favour when they started promoting the otherwise nonsensical midata?

No good turn goes without punishment – BIS have ended up looking either malevolent or stupid. Ed Davey countenanced the Department’s midata mistake, then Norman Lamb and now you.

Or maybe not. Will you, statesmanlike, help to rescue the Department’s reputation by quietly scuttling midata one night and saving all the miserable souls (your excellent officials) currently forced to sail in her?

If you don’t, BIS faces the same shame as DWP. They need identity assurance (PDSs) to make Universal Credit (UC) work. But they let GDS wrest control of identity assurance from them. GDS aren’t delivering. There’s no sign of a workable identity assurance service coming from them. But DWP have promised to have identity assurance for 21 million UC claimants fully operational by Spring 2013 – i.e. in a couple of months’ time. The chances of that happening? Nil. No-one would want to be in DWP’s shoes this March/April. Including BIS.



To me this all seems to be a very foggy subject. Who are these “trusted providers”? How can you be confident that data – that is sensitive for individuals – will be secure? Even(?) the government seems to have trouble in this area. And what can we be advised that we can not already do for ourselves? I wish I was clearer about what all this is supposed to do.
Am I alone in this?
Finally, how much is this exercise costing and who is profiting from it?


It would be useful to now hear Which’s views on this, given the many contributions. Are you planning to do a report or to contribute through this conversation?


Hello Malcolm, we’re very keen to hear what people think about midata so we’re definitely taking an interest in the comments. We have commented on midata before: http://www.which.co.uk/news/2012/11/consumers-can-demand-data-on-spending-habits-302360/

Here’s what Which? executive director Richard Lloyd said: ‘The ‘midata’ programme can help put consumers in the driving seat of the information revolution while boosting competition and supporting growth among companies that provide the best products and services.

‘We’re pleased to see the government putting in place measures to give people the right to data that companies hold on them.

‘Giving consumers more power with their personal data will help them make better use of their money, and that’s not only good for customer-friendly businesses, but good for growth in the economy.’


Patrick, thanks. I’ve looked at the Which comment which is brief and rather vague – whilst I agree that having suppliers give you data on your purchases so you can make considered buying decisions is good, there seems to be very much more involved than that.
As examples it suggests that trusted companies (initially for energy, mobile phones, credit cards, current accounts) take your data and help you with better deals; many are not in favour of personal data being held en masse, nor do they trust companies to provide impartial advice. We should also encourage people to make these decisions themselves, not delegate to 3rd parties of unknown pedigree.
PDS files seem to arouse controversy, particularly because of security; a large amount of personal data stored in one place by a third party is very vulnerable to misuse.
It seems unclear whether we understand the extent or ramifications of what is proposed – including your guest poster. I’m certainly not impressed with the contributions from those involved.
I may be on my own here, but I would welcome a critical commentary on the points raised by the contributors to the conversation.

Mark says:
4 January 2013

You’re not on your own here. I agree with what you are saying. I don’t want my personal data in the hands of yet another company (and their subcontractors). Personal data is valuable and it is so easy to misuse either deliberately or accidentally. If the authorities want to give more power to consumers then it must involve the consumers controlling their own data and not handing it over to others. Another option would be to force companies to present the information they already hold on us in a clear way and then there would be no “need” for proposals like “midata” at all.


I was going to second your motion, Malcolm. Too late. Mark’s already got there. So I’ll third it.

midata is a practical problem. You can’t assess it without knowing how it works. Perhaps Which? approached it a bit too theoretically when they compiled their response to the BIS consultation, http://www.which.co.uk/documents/pdf/which_response_bis_consumer_access_to_data_sep12-299211.pdf

Their response to Q3, for example, notes that the privacy issues are very serious. How can the security problems behind those issues be solved? Which? take three pages to answer that at Q9. Have all the safety measures prescribed there been achieved? In practice, no. The theoretical answer that Which? give to Q1 – yes, Which? do agree with the principles of midata – is therefore at least mitigated, if not completely undermined.

Q6 asks what new services could be offered by midata, presumably services which consumers would find useful and which would empower them. Which? has no comment to make. Not much point, surely, advocating midata if the benefits can’t be named.

In what form should data be given by suppliers to consumers (Q12)? That’s an important practical matter but Which? aren’t sure of the answer. So can they be sure of the (unnameable) benefits being achieved in practice?

Which? have no comment to make about the costs likely to be incurred by midata (Q14) except to say that the suppliers shouldn’t charge consumers (Q15). How does that work? Which sugar daddy, in practice, is going to pay the (unknown) costs, if not the consumer?

QQ17-21 elicit two pages of responses from Which?, prescribing accreditation and regulation, all in addition to the regulation we already have, all of which would cost money (no comment) and all in pursuit of the benefits of midata (no comment).

Which just leaves Q22, in answer to which Which? succinctly restate the risks of midata, which are well known, unlike the benefits, which we still don’t.

Completely up to them, of course, but Which? may care to take the opportunity to revisit their response to the midata consultation.


David Moss, thanks for this link. Had I missed it earlier? If not, why did Which not draw our attention to it Patrick? It would have been helpful to the conversation.

I find the responses by Which to the consultation to be ambivalent. On the one hand they seem to support midata, but on the other they continually express grave reservations about security.
I would be quite happy to see companies I deal with provide me with information on my purchasing in a standard format, on which I could base purchasing decisions and that I could use directly rather than filling forms. Which seems in favour of this. I would not be happy though to see my data handed over to a third party (who are these people anyway) to make decisions for me; the concept of automatic switching for example just seems to take away our responsibility for making our own decisions. Some may be quite happy to delegate theirs.

The key seems to be the total lack of confidence in security of data, that Which seems to be very concerned about. And once your data has been given to a third party, it’s done – how can you have confidence it will be used correctly, and totally deleted if you change your mind?
“Majority worried about security of data” (I’m in that majority).
“Reporting data breaches” (it’s too late then).
“Current data protection not fit for purpose”.
“Requires a strong regulator”. (what evidence this is remotely likely – Financial Services Authority, Quality Care Commission, for example – in key areas that affect you directly, and yet have failed badly).

I might be a cynic, but this just doesn’t seem a practical proposal currently.


Hi all,

Apologies for joining so late to the conversation – I have read everybody’s comments with interest. I was the main contributor to our consultation response, and also sit on the Strategy Board and Interoperability Board – and two work streams – the Data Protection and Enforcement Work Stream and the Onward Release to Third Parties Data Work Stream – at BIS. The Interoperability Board and these two work streams are tasked with finding answers to many of the concerns you have all raised – and as a lawyer who works in digital and data protection I have worked closely with BIS from the beginning to ensure these issues are addressed.

I think what’s important to bear in mind – and what our consumer research has highlighted to date – is that there is no one consumer view – how people feel about these technologies and attitudes to privacy vary widely. Midata is not compulsory – and some consumers will be early enthusiastic adopters and others may never engage – and that’s the same for many services out there such as loyalty cards or social networking sites which have clear benefits which many enjoy. I do believe that midata will have the potential to provide many consumers with information and intelligence which they either currently don’t have about themselves or they don’t have the time to find it out, and what’s important is that we continue to engage with BIS to ensure the necessary protections are in place.


Georgina, it’s an interesting response and I think some aspects of midata are, in principle, useful. However you have not addressed the issue of data protection that concerns many of the commentators – current perception is that it is unlikely to be acceptable.

Simon Deane-Johns says:
13 January 2013

@ Malcolm R Data protection is a very significant focus of the midata programme. Increasing numbers of significant retailers are making transaction data available to customers in machine readable format, though they are still comparatively few in number. So this programme provides an early opportunity for the private sector (including consumer groups and independent) to work with the UK public sector to both support and encourage that trend and help ensure the various operational risks are proportionately addressed. Why don’t you want everyone to work together in this way? Would you prefer the adversarial style of public intervention long after problems arise, as in the banking sector?


Dear Ms Nelson

Thank you very much for your comment.

The Cabinet Office want all public services to become digital by default. Individuals and companies will need electronic IDs to transact with the government. Currently we use the Government Gateway (http://www.gateway.gov.uk/). In future the idea seems to be that we would use a new “trust framework” in which we are identified by our PDSs. There is nothing optional here. Companies have to submit VAT returns. Millions of individuals have to submit self-assessment tax returns. 21 million Universal Credit claimants will be “nudged” towards registering on-line. There is no comparison with loyalty cards.

BIS are not alone in wishing to “ensure the security issues are addressed” and that “the necessary protections are in place”. The whole world is trying to achieve that on the web, so far without general success (http://dematerialisedid.com/BCSL/Clouds.html). Until security is achieved, it is irresponsible to lure people into danger.

midata does none of the things it says on the tin. It will not cause suppliers to release transaction data – in the main, they already do (bank statements, phone bills, gas bills, …). It will not put consumers in control of their data – that control is not in BIS’s gift. It will not “empower” consumers – if anything, it is suppliers who will be empowered, and fraudsters. We already have any number of switching applications (more appropriate electricity tariffs, deposit accounts, mobile phone packages, …).

What does that leave by way of a hook to hang midata on? “Providing consumers with information and intelligence which they currently don’t have about themselves”. What does that mean? Kirstin Green, Deputy Director at BIS, consumer empowerment, said she wanted an “app-a-thon” to see what kind of applications could be developed using PDSs. Mydex have now conducted a “hackathon” and here is their CEO reviewing the results, http://www.youtube.com/watch?v=l7GbiG6-AIc&feature=youtube_gdata_player In summary, PDSs will help compulsive narcissists who have trouble raising credit. There is nothing substantial enough there to warrant BIS taking statutory powers.

Simon Deane-Johns says:
13 January 2013

@ David Moss Numerous private and public sector trends appear to be travelling in a similar direction, including the few you mention, but that doesn’t mean they are directly linked or will be coherent in helping to ensure that common operational risks are addressed. If anything you’re giving government departments too much credit for being joined up, whereas they need to be put under pressure to work better and more efficiently together (ideally to spend less in the process of achieving more).

It’s true that the voluntary midata programme might not necessarily “cause” additional suppliers to release transaction data to their customers in machine readable format – that trend began and will continue independently. But resolving some of the issues should help guide their approach and reduce project time/cost. This would bring forward the benefit to consumers, as well as ensure that the public sector is proactively supportive, rather than unhelpfully reactive, in helping to control common operational risks.

I certainly don’t agree that we have effective switching applications for energy, current accounts or mobile phone packages, or that there is even enough genuine choice for consumers or micro-enterprises. In fact, there is extensive evidence to the contrary. A dazzling array of packages and pricing designed to deliver fantastic profits for the suppliers at customers’ expense is hardly genuine choice. But I’m sure that the big energy providers, banks and telcos will be as delighted by your perception on this front, as they will be with your assertion that only suppliers and fraudsters could be empowered by making transaction data available to customers.



On this occasion, you underestimate Whitehall. You may not have realised the connection between BIS’s midata and GDS’s Identity Assurance Programme but Whitehall do. You can’t run midata without identity assurance. The same goes for DWP’s Universal Credit. These aren’t independent initiatives which some fruitcake called Moss is battily linking. They’re the same initiative.

We already have regulators in the financial, energy and telecommunications markets, not to mention retail. If they can’t oversee these markets, if they can’t ensure that tariffs are comprehensible and that consumers can see the data they need to see, if they can’t be “proactively supportive”, why do you imagine that midata will be able to?

The big suppliers already release transaction data in the form of bank statements, electricity bills, etc … You know that. What I’m saying is that storing that data for tens of millions of people on servers in the cloud which could be anywhere in the world, in or out of the UK’s jurisdiction, under the more or less distant control of Mydex or whoever, relying on security tools and procedures which are demonstrated every day to be liable to breakdown would not be wise even if someone could say what is the benefit of midata but, as it is, no-one can and it is therefore incomprehensibly and wantonly irresponsible for anyone to suggest that midata is a good idea.

As for large suppliers, let’s let our hair down for a moment and do a bit of speculation.

62 million or so people in the UK. Over 33 million of them are monthly users of Facebook. A Facebook account is pretty well a PDS. Even more of them use the web. Google will have the browsing history of most of them and GMail/Youtube/Google+ accounts for many – again, that amounts to PDSs for millions of us. That’s where identity assurance is heading if GDS have their way and so that’s where midata is heading, too – forget little young Mydex.

midata is headed straight into the arms of big, quasi-monopolistic suppliers. Amazon (cloud computing), PayPal (payments), Google and Facebook for PDSs. They will all four of them be “delighted with your perception on this front”, as you put it. The rest of us won’t. Or rather wouldn’t. This is just speculation after all.


Simon Deane-Johns
1. You appear not to appreciate the feelings many correspondents have about lack of faith in data protection. It is expected you are focussed on this, but nothing in the past suggests that data protection can be fully assured. Show evidence that this time it will be guaranteed please. Gathering substantial data for individuals in one place that may be susceptible to misuse is extremely dangerous. I would, however, be happy – as I have said before – to collect this data from organisations in a common format and save it in a place that was directly within my control.
2. Your comment about an adversarial approach is quite inappropriate. You appear to insist that unless we (I) support this programme that we are (I am) some kind of Luddite. I have expressed legitimate concerns about aspects of this topic that are supported by some others and that I believe need answering in a constructive way, not in an emotional way. The more you try to ram the so-called benefits down our throats without addressing the objections factually, the more suspicious we might become about the robustness of this project. I may be the only correspondent with these concerns?


It is disappointing how few comments have been made but if the risks were explained I think there would be overwhelming support for our concerns.

‘Luddite’ originally referred to those who went round smashing modern machinery. Let’s hope it does not come to that, but I have seen nothing to convince me that personal data will be held and used responsibly. Every time my phone number rings and the number is withheld, or I get a call from one of these confounded market research companies I think it’s time to put a stop to data use/misuse.


Wow wavechange, something we agree on. It is OUR data not theirs and so it is up to each individual to secure their own.

It would be really useful if individual companies doing cold calling had to provide a unique reference number and name when they contact anyone. That would then allow the recipient to make an application to remove such data from the source and contactor – but that would require some authority to impose such capability!

Also in an earlier post you indicated that you do not like people who will not take NO for an answer (what about NO I don’t want to be forced to use Metric!)



I look forward to finding more we can agree on. 🙂

Spam is another example of misuse of information. I have to put email addresses on my website in the form of images to prevent them being harvested and used to deliver spam. Maybe some people do want the benefits of midata, but let them opt in and let the rest of us get on with our lives.


Hi all,

I just wanted to re-iterate that many of your data protection concerns are valid – and they are recognised by BIS – that is why the various work streams have been set up and are attended by experts in the area (including the Information Commissioner’s Office). Back at the beginning of the midata programme I wrote a report – Consumer Protections Needed in a midata World – which had contributions from top data protection lawyers, academics, civil rights activists and technology experts. This report formed the foundation for many of the work streams at BIS looking in detail at what could be the possible solutions for consumer protection – and it is reflected in our consultation response. Our position has always been that our support for the midata programme is contingent upon addressing these issues.

You are free to of course disagree with our recommendations David Moss, and free to conclude because the rest of the world hasn’t found an answer, there is no point in trying. However, I think while we have the Government engaged and eager to work towards solutions to protect consumers – whether it be by legislation, certification or other means – this should not be something to be so easily dismissed. Midata is happening – whether under a Government name and initiative or not – the ecosystem of personal data transfer is going to get increasingly complex (see the provision for data portability in the proposed European Data Protection Regulation) and the consumer issues flagged by the midata program will arise soon enough with or without HMG’s involvement. Surely it is better to work together now, with Government backing, to ensure that there is a framework of protection in place for when these practices begin to get far more commonplace.


Of course we accept that all are working on data security. There have been so many examples in the past of leaky data, from bodies including HMG that no doubt were equally concerned to provide security, that there is little confidence that this time it will be totally foolproof. If institutions such as USA defence can be hacked into then we will take a lot of convincing that this time it will be different.

Lawyers’ involvement suggests penalties for infringement – too late then. Civil rights activists implies the wish to protect, not the means.

I would happily hold the useful data under my own control. At present I know there is sensitive data of mine in data bases; I know some of that has been mislaid by one or more institutions. However, as I understand it, the proposal is to collect my data into one place? That worries me immensely if that is the case.

There have still not been, as far as I can see, satisfactory answers to why we (many of us) need third party advice for energy, telecoms, banking and credit cards. Firstly, like many, I am more than capable of sorting these providers out for myself. Secondly – who are these totally independent third parties who will survey the whole market impartially and provide others with their best solutions? And to automatically switch for you? They don’t necessarily know when your circumstances change in a way that would affect your choice.

I think there needs to be much more clarity about exactly what and how and when midata will provide benefits for the sole benefit of consumers and when it will benefit profit-making organisations.