/ Home & Energy, Shopping, Technology

What if companies gave me control of my data?

Eye with binary code

In this guest post, consumer affairs minister Jo Swinson explores the benefits of ‘midata’, which could give you more control over the personal data companies hold. What would you do with your data?

Recently I was chatting to the owner of an independent bookshop, who told me animatedly about his Christmas recommendations. In particular which ones I might enjoy most given what other books I had recently read and loved.

How great, I thought, to have that personal, tailored advice, and wouldn’t it be great if I could get that everywhere else?

In this weather it can feel like you’re always turning the heating up – but wouldn’t it be fantastic if you could tell whether the energy bill is rising because you’re actually using more energy rather than the prices going ever upwards? Or whether your mobile phone tariff and provider are the best value for money taking into account your preferences and usage?

Giving you access to your data

There should be a simple way to get your hands on this valuable information. After all, many savvy businesses already use these insights to tailor services to their customers or ultimately, sell more products.

The good news is that the Government has announced that companies in four key sectors could be required to give individuals greater access to the personal data they hold through a scheme called ‘midata’.

Midata will mean companies and organisations are obliged, on request, to provide the data they hold on your transactions in an easy-to-read and reusable electronic format. The four key sectors this will initially apply to are those where we spend a large amount of our hard-earned cash – energy, credit cards, current accounts and mobile phones.

So, what could midata mean for you?

Well, every time I shop or use my Advantage card I share details about myself. Midata will mean I can expect a two-way dialogue with businesses who will have to report back to me on my own spending. So, just like my bookshop, midata could allow companies to develop insightful services that get to know me and my preferences, making shopping a far more convenient process.

Personally, I’d like to use midata to help get better deals more simply. It would be great if I could obtain a list of all the purchases on my credit card this year. And then if an app or website could take that data and tell me where I’m shopping the most, how often, and where I might save some money. Perhaps it could tell me that I should start shopping elsewhere or even change my card provider.

But this isn’t just about price comparison sites; Finland’s leading grocer has worked with a third party to give their customers a breakdown of the nutritional content of their shopping basket.

I’m excited about the possibilities that have opened up through midata, and I’m looking forward to seeing what types of innovative services and applications developers offer. And I want to hear your views too – in a midata future, what would you do with your data?

Which? Conversation provides guest spots to external contributors. This is from Jo Swinson MP. All opinions expressed here are Jo’s own, not necessarily those of Which?.

Comments
Member

Patrick, thanks. I’ve looked at the Which comment which is brief and rather vague – whilst I agree that having suppliers give you data on your purchases so you can make considered buying decisions is good, there seems to be very much more involved than that.
As examples it suggests that trusted companies (initially for energy, mobile phones, credit cards, current accounts) take your data and help you with better deals; many are not in favour of personal data being held en masse, nor do they trust companies to provide impartial advice. We should also encourage people to make these decisions themselves, not delegate to 3rd parties of unknown pedigree.
PDS files seem to arouse controversy, particularly because of security; a large amount of personal data is stored in one place by a third party is very vulnerable to misuse.
It seems unclear whether we understand the extent or ramifications of what is proposed – including your guest poster. I’m certainly not impressed with the contributions from those involved.
I may be on my own here, but I would welcome a critical commentary on the points raised by the contributers to the conversation.

Member
Mark says:
4 January 2013

You’re not on your own here. I agree with what you are saying. I don’t want my personal data in the hands of yet another company (and their subcontractors). Personal data is valuable and it is so easy to misuse either deliberately or accidentally. If the authorities want to give more power to consumers then it must involve the consumers controlling their own data and not handing it over to others. Another option would be to force companies to present the information they already hold on us in a clear way and then there would be no “need” for proposals like “midata” at all.

Member

I was going to second your motion, Malcolm. Too late. Mark’s already got there. So I’ll third it.

midata is a practical problem. You can’t assess it without knowing how it works. Perhaps Which? approached it a bit too theoretically when they compiled their response to the BIS consultation, http://www.which.co.uk/documents/pdf/which_response_bis_consumer_access_to_data_sep12-299211.pdf

Their response to Q3, for example, notes that the privacy issues are very serious. How can the security problems behind those issues be solved? Which? take three pages to answer that at Q9. Have all the safety measures prescribed there been achieved? In practice, no. The theoretical answer that Which? give to Q1 – yes, Which? do agree with the principles of midata – is therefore at least mitigated, if not completely undermined.

Q6 asks what new services could be offered by midata, presumably services which consumers would find useful and which would empower them. Which? has no comment to make. Not much point, surely, advocating midata if the benefits can’t be named.

In what form should data be given by suppliers to consumers (Q12)? That’s an important practical matter but Which? aren’t sure of the answer. So can they be sure of the (unnameable) benefits being achieved in practice?

Which? have no comment to make about the costs likely to be incurred by midata (Q14) except to say that the suppliers shouldn’t charge consumers (Q15). How does that work? Which sugar daddy, in practice, is going to pay the (unknown) costs, if not the consumer?

QQ17-21 elicit two pages of responses from Which?, prescribing accreditation and regulation, all in addition to the regulation we already have, all of which would cost money (no comment) and all in pursuit of the benefits of midata (no comment).

Which just leaves Q22, in answer to which Which? succinctly restate the risks of midata, which are well known, unlike the benefits, which we still don’t.

Completely up to them, of course, but Which? may care to take the opportunity to revisit their response to the midata consultation.

Member

David Moss, thanks for this link. Had I missed it earlier? If not, why did Which not draw our attention to it Patrick? It weould have been helpful to the conversation.

I find the responses by Which to the consultation to be ambivalent. On the one hand they seem to support midata, but on they other they continually express grave reservations about security.
I would be quite happy to see companies I deal with provide me with information on my purchasing in a standard format, on which I could base purchasing decisions and that I could use directly rather than filling forms. Which seems in favour of this. I would not be happy though to see my data handed over to a third party (who are these people anyway) to make decisions for me; the concept of automatic switching for example just seems to take away our responsibility for making our own decisions. Some may be quite happy to delegate theirs.

The key seems to be the total lack of confidence in security of data, that Which seems to be very concerned about. And once your data has been given to a third party, it’s done – how can you have confidence it will be used correctly, and totally deleted if you change your mind?
“Majority worried about security of data” (I’m in that majority).
“Reporting data breaches” (it’s too late then).
“Current data protection not fit for purpose”.
“Requires a strong regulator”. (what evidence this is remotely likely – Financial Services Authority, Quality Care Commission, for example – in key areas that affect you directly, and yet have failed badly).

I might be a cynic, but this just doesn’t seem a practical proposal currently.

Member

Hi all,

Apologies for joining so late to the conversation – I have read everybody’s comments with interest. I was the main contributor to our consultation response, and also sit on the Strategy Board and Interoperability Board – and two work streams – the Data Protection and Enforcement Work Stream and the Onward Release to Third Parties Data Work Stream – at BIS. The Interoperability Board and these two work streams are tasked with finding answers to many of the concerns you have all raised – and as a lawyer who works in digital and data protection I have worked closely with BIS from the beginning to ensure these issues are addressed.

I think what’s important to bear in mind – and what our consumer research has highlighted to date – is that there is no one consumer view – how people feel about these technologies and attitudes to privacy vary widely. Midata is not compulsory – and some consumers will be early enthusiastic adopters and others may never engage – and that’s the same for many services out there such as loyalty cards or social networking sites which have clear benefits which many enjoy. I do believe that midata will have the potential to provide many consumers with information and intelligence which they either currently don’t have about themselves or they don’t have the time to find it out, and what’s important is that we continue to engage with BIS to ensure the necessary protections are in place.

Member

Georgina, it’s an interesting response and I think some aspects of midata are, in principle, useful. However you have not addressed the issue of data protection that concerns many of the commentators – current perception is that it is unlikely to be acceptable.

Member
Simon Deane-Johns says:
13 January 2013

@ Malcolm R Data protection is a very significant focus of the midata programme. Increasing numbers of significant retailers are making transaction data available to customers in machine readable format, though they are still comparatively few in number. So this programme provides an early opportunity for the private sector (including consumer groups and independent) to work with the UK public sector to both support and encourage that trend and help ensure the various operational risks are proportionately addressed. Why don’t you want everyone to work together in this way? Would you prefer the adversarial style of public intervention long after problems arise, as in the banking sector?

Member

Dear Ms Nelson

Thank you very much for your comment.

The Cabinet Office want all public services to become digital by default. Individuals and companies will need electronic IDs to transact with the government. Currently we use the Government Gateway (http://www.gateway.gov.uk/). In future the idea seems to be that we would use a new “trust framework” in which we are identified by our PDSs. There is nothing optional here. Companies have to submit VAT returns. Millions of individuals have to submit self-assessment tax returns. 21 million Universal Credit claimants will be “nudged” towards registering on-line. There is no comparison with loyalty cards.

BIS are not alone in wishing to “ensure the security issues are addressed” and that “the necessary protections are in place”. The whole world is trying to achieve that on the web, so far without general success (http://dematerialisedid.com/BCSL/Clouds.html). Until security is achieved, it is irresponsible to lure people into danger.

midata does none of the things it says on the tin. It will not cause suppliers to release transaction data – in the main, they already do (bank statements, phone bills, gas bills, …). It will not put consumers in control of their data – that control is not in BIS’s gift. It will not “empower” consumers – if anything, it is suppliers who will be empowered, and fraudsters. We already have any number of switching applications (more appropriate electricity tariffs, deposit accounts, mobile phone packages, …).

What does that leave by way of a hook to hang midata on? “Providing consumers with information and intelligence which they currently don’t have about themselves”. What does that mean? Kirstin Green, Deputy Director at BIS, consumer empowerment, said she wanted an “app-a-thon” to see what kind of applications could be developed using PDSs. Mydex have now conducted a “hackathon” and here is their CEO reviewing the results, http://www.youtube.com/watch?v=l7GbiG6-AIc&feature=youtube_gdata_player In summary, PDSs will help compulsive narcissists who have trouble raising credit. There is nothing substantial enough there to warrant BIS taking statutory powers.

Member
Simon Deane-Johns says:
13 January 2013

@ David Moss Numerous private and public sector trends appear to be travelling in a similar direction, including the few you mention, but that doesn’t mean they are directly linked or will be coherent in helping to ensure that common operational risks are addressed. If anything you’re giving government departments too much credit for being joined up, whereas they need to be put under pressure to work better and more efficiently together (ideally to spend less in the process of achieving more).

It’s true that the voluntary midata programme might not necessarily “cause” additional suppliers to release transaction data to their customers in machine readable format – that trend began and will continue independently. But resolving some of the issues should help guide their approach and reduce project time/cost. This would bring forward the benefit consumers, as well as ensure that the public sector is proactively supportive, rather than unhelpfully reactive, in helping to control common operational risks.

I certainly don’t agree that we have effective switching applications for energy, current accounts or mobile phone packages, or that there is even enough genuine choice for consumers or micro-enterprises. In fact, there is extensive evidence to the contrary. A dazzling array of packages and pricing designed to deliver fantastic profits for the suppliers at customers’ expense is hardly genuine choice. But I’m sure that the big energy providers, banks and telcos will be as delighted by your perception on this front, as they will be with your assertion that only suppliers and fraudsters could be empowered by making transaction data available to customers.

Member

Simon

On this occasion, you underestimate Whitehall. You may not have realised the connection between BIS’s midata and GDS’s Identity Assurance Programme but Whitehall do. You can’t run midata without identity assurance. The same goes for DWP’s Universal Credit. These aren’t independent initiatives which some fruitcake called Moss is battily linking. They’re the same initiative.

We already have regulators in the financial, energy and telecommunications markets, not to mention retail. If they can’t oversee these markets, if they can’t ensure that tariffs are comprehensible and that consumers can see the data they need to see, if they can’t be “proactively supportive”, why do you imagine that midata will be able to?

The big suppliers already release transaction data in the form of bank statements, electricity bills, etc … You know that. What I’m saying is that storing that data for tens of millions of people on servers in the cloud which could be anywhere in the world, in or out of the UK’s jurisdiction, under the more or less distant control of Mydex or whoever, relying on security tools and procedures which are demonstrated every day to be liable to breakdown would not be wise even if someone could say what is the benefit of midata but, as it is, no-one can and it is therefore incomprehensibly and wantonly irresponsible for anyone to suggest that midata is a good idea.

As for large suppliers, let’s let our hair down for a moment and do a bit of speculation.

62 million or so people in the UK. Over 33 million of them are monthly users of Facebook. A Facebook account is pretty well a PDS. Even more of them use the web. Google will have the browsing history of most of them and GMail/Youtube/Google+ accounts for many – again, that amounts to PDSs for millions of us. That’s where identity assurance is heading if GDS have their way and so that’s where midata is heading, too – forget little young Mydex.

midata is headed straight into the arms of big, quasi-monopolistic suppliers. Amazon (cloud computing), PayPal (payments), Google and Facebook for PDSs. They will all four of them be “delighted with your perception on this front”, as you put it. The rest of us won’t. Or rather wouldn’t. This is just speculation after all.

Member

Simon Deane-Johns
1. You appear not to appreciate the feelings many correspondents have about lack of faith in data protection. It is expected you are focussed on this, but nothing in the past suggests that data protection can be fully assured. Show evidence that this time it will be guaranteed please. Gathering substantial data for individuals in one place that may be susceptible to misuse is extremely dangerous. I would, however, be happy – as I have said before – to collect this data from organisations in a common format and save it in a place that was directly within my control.
2. Your comment about an adversarial approach is quite inappropriate. You appear to insist that unless we (I) support this programme that we are (I am) some kind of Luddite. I have expressed legitimate concerns about aspects of this topic that are supported by some others and that I believe need answering in a constructive way, not in an emotional way. The more you try to ram the so-called benefits down our throats without addressing the objections factually, the more suspicious we might become about the robustness of this project. I may be the only correspondent with these concerns?

Member

It is disappointing how few comments have been made but if the risks were explained I think there would be overwhelming support for our concerns.

‘Luddite’ originally referred to those who went round smashing modern machinery. Let’s hope it does not come to that, but I have seen nothing to convince me that personal data will be held and used responsibly. Every time my phone number rings and the number is withheld, or I get a call from one of these confounded market research companies I think it’s time to put a stop to data use/misuse.

Member

Wow wavechange, something we agree on. It is OUR data not theirs and so it is up to each individual to secure their own.

It would be really useful if individual companies doing cold calling had to provide a unique reference number and name when they contact anyone. That would then allow the recipient to make an application to remove such data from the source and contactor – but that would require some authority to impose such capability!

Also in an earlier post you indicated that you do not like people who will not take NO for an answer (what about NO I don’t want to be forced to use Metric!)

Member

David

I look forward to finding more we can agree on. 🙂

Spam is another example of misuse of information. I have to put email addresses on my website in the form of images to prevent them being harvested and used to deliver spam. Maybe some people do want the benefits of midata, but let them opt in and let the rest of us get on with our lives.

Member

Hi all,

I just wanted to re-iterate that many of your data protection concerns are valid – and they are recognised by BIS – that is why the various work streams have been set up and are attended by experts in the area (including the Information Commissioner’s Office). Back at the beginning of the midata programe I wrote a report – Consumer Protections Needed in a midata World – which had contributions from top data protection lawyers, academics, civil rights activists and technology experts. This report formed the foundation for many of the work streams at BIS looking in detail at what could be the possible solutions for consumer protection – and it is reflected in our consultation response. Our position has always been that our support for the midata programme is contingent upon addressing these issues.

You are free to of course disagree with our recommendations David Moss, and free to conclude because the rest of the world hasn’t found an answer, there is no point in trying. However, I think while we have the Government engaged and eager to work towards solutions to protect consumers – whether it be by legislation, certification or other means – this should not be something to be so easily dismissed. Midata is happening – whether under a Government name and initiative or not – the ecosystem of personal data transfer is going to get increasingly complex (see the provision for data portability in the proposed European Data Protection Regulation) and the consumer issues flagged by the midata program will arise soon enough with or without HMG’s involvement. Surely it is better to work together now, with Government backing, to ensure that there is a framework of protection in place for when these practices begin to get far more commonplace.

Member

Of course we accept that all are working on data security. There have been so many examples in the past of leaky data, from bodies including HMG that no doubt were equally concerned to provide security, that there is little confidence that this time it will be totally foolproof. If institutions such as USA defence can be hacked into then we will take a lot of convincing that this time it will be different.

Lawyers involvement suggest penalties for infringement – too late then. Civil rights activists implies the wish to protect, not the means.

I would happily hold the useful data under my own control. At present I know there is sensitive data of mine in data bases; I know some of that has been mislaid by oner or more institutions. However, as I understand it, the proposal is to collect my data into one place? That worries me immensely if that is the case.

There have still not been, as far as I can see, satisfactory answers to why we (many of us) need third party advice for energy, telecoms, banking and credit cards. Firstly. like many, I am more than capable of sorting these providers out for myself. Secondly – who are these totally independent third parties who will survey the whole market impartially and provide others with their best solutions? And to automatically switch for you? They don’t necessarily know when your circumstances change in a way that would affect your choice.

I think there needs to be much more clarity about exactly what and how and when midata will provide benefits for the sole benefit of consumers and when it will benefit profit-making. organisations.

Member