IT, tax avoidance and the total cost of ownership

The recent interest in “off payroll” taxation of individuals looks like it’s about to be trumped by the much more significant issue of “offshore” company taxation.

The Sunday Times ran a piece last weekend stating that:

“Apple and Google are avoiding up to £800m a year in tax in Britain despite sales here worth billions of pounds”

Only a short time before, Facebook was criticised for apparently similar behaviour:

“Facebook pays only £238,000 in corporation tax on UK earnings of up to £175m”

These companies are not alone: many businesses choose to headquarter themselves wherever the tax impact is most beneficial. They would doubtless argue, with some justification, that their corporate and shareholder obligations require them to optimise tax management, and hence profitability, using whatever legal means is available to them.

Such tax “efficiencies” are not confined to consumer-oriented technology companies. Take a look at a list of the historic top IT suppliers to government for example – just how many of these adopt similar tax efficiencies?

Supplier            “SI”    Estimated Public Sector revenues (£million), 2008
HP/EDS                      2,235
BT                          2,100
Fujitsu Services            1,200
Capgemini                     900
IBM                           650
Capita                        646
Dell                          645
Serco                         580
CSC                           400

(source: “Better for Less”, using figures supplied by Kable)

With such large sums involved, it would be useful to know the answer, both for these and for all major suppliers to the public sector. More up-to-date and comprehensive supplier data should become available in the future as a result of the government’s transparency agenda, making it easier to identify those companies who do and don’t declare their full UK revenues here. Ideal material, too, I think, for a creative Rewired State mashup …

The whole taxation model is anachronistic and somewhat Alice in Wonderland – with company earnings not consistently taxed where income is earned. It’s all very Janus-like: with one face the companies involved claim that the revenues were not really earned here in the UK; but with the other, they bonus their UK staff on revenues driven here in the UK – something which requires them internally to keep accounts showing very clearly what was earned in the UK. I’m uncertain how EU legislation enables companies to declare earnings from one member state as if they were earned in another – input from specialists in this area would be most useful.

Whilst this taxation issue is not restricted solely to IT providers, the problem is compounded in the IT marketplace by the nature of the distorted model that has arisen in the UK public sector. Its historic concentration in the hands of a small number of mega-players was referred to by the House of Commons Parliamentary Administration Select Committee as an “oligopoly” in its report “Government and IT – ‘A Recipe For Rip-Offs’: Time For A New Approach”.

This unusual market concentration is also aligned with atypically high public sector IT expenditure. The historic UK government spend on IT has seen some 1.93% of UK GDP spent on public sector IT, rising to 2.23% based on findings of the “Operational Efficiency Programme” undertaken by Dr Martin Read (a former chief executive of LogicaCMG, who led a 2009 Treasury review into the costs of IT and back-office administration).

This is much higher than the average for advanced industrial countries, whose governments typically spend between 1% and 1.5% of GDP on public sector IT (Dunleavy et al). The consequence of this is that a disproportionately large percentage of GDP is being spent on the IT supply base to government. If, as appears to be the case, that supply base contains a number of companies avoiding paying significant amounts of taxation on revenues earned from UK taxpayers, this represents a significant double cost to both the taxpayer and the wider economy.

Still, some of the companies involved at least acknowledge the problem:

“Eric Schmidt, executive chairman of Google, has blamed the Government’s weak tax laws for the fact it has paid just £8m of corporation tax in Britain despite making more than £6bn in revenues in this country in the six years to 2010.”

I’m not sure how much this is a UK government issue and how much an EU one. If we accept that declaring revenues from one EU member state as if they were earned in another *is* permitted (as it seems to be), then perhaps the UK government should at least factor the additional total cost of ownership caused by such tax avoidance into its assessment of bids from any companies operating this model.

After all, the government would normally see some of its expenditure effectively returned to its coffers when companies pay their corporation tax and other business-related taxes here in the UK. For those claiming to have earned some or all of their UK revenues elsewhere, however, this will not be true, as it will be their nominated member state that collects any business taxes due – inflating the true costs of goods and services in the UK significantly. It also has much broader and significant macro-economic impacts, given the increased net outflow of money offshore and its investment in businesses abroad rather than those here in the UK.

This Wonderland taxation model also impacts other areas, such as the release of public data and its associated intellectual property rights. The government rightly wants to release as much public data as possible into the public domain – so that, for example, innovative companies can build exciting new businesses around the likes of Ordnance Survey maps, or real-time travel information. All good news in terms of generating economic growth. But if the companies that take the data and generate new, multi-million or multi-billion pound companies don’t pay their taxes here, it’s obviously a very different prospect for economic growth than if the companies do pay their taxes here. These things matter and it’s time the current business taxation model was properly reviewed and improved.

One problem in objectively assessing the true scale of the cost of the existing approach is the dearth of analyses of these complex macro-economic issues, despite how central they are to a whole host of debates – from the true total cost of ownership of government IT systems to the best licensing model for public data. According to the Sunday Times the Public Accounts Committee is about to examine the whole issue of corporations and where they pay taxes on their UK revenues, so perhaps some much needed progress is about to be made.

In the meantime, the government’s commitment to increasing transparency remains a strong card in protecting both government’s and taxpayers’ interests. This is one area where much greater transparency would enable us to understand more clearly the scale of the current taxation issues, their true costs to the UK economy and their impact on our potential for improved economic growth.


Posted in future Britain, IT, IT strategy, open government, public services, taxation, technology policy

cybercrud and related issues

Paul Brown recently posted to the Computer Arts Society a copy of the 1970 catalogue “Software. Information Technology: Its New Meaning for Art”.

It includes a piece by Ted Nelson, which, some 42 years on, largely reads as pertinent now as it presumably did then.

I’m posting a copy of the Nelson piece below without comment: I’m sure you can spot what remains pertinent today, these many years later …

Posted in computer arts, creative computing, interactive digital technologies

digital government, open architecture and innovation: why public sector IT will never be the same again

UPDATED 07.09.2012: see postscript

The paper I co-authored with Mark Thompson is now online – “Digital government, open architecture, and innovation: Why public sector IT will never be the same again”.

This appears in the advance access section of the Journal of Public Administration Research and Theory (JPART to its friends) – for which, unfortunately, you will need a subscription.

It’s an interesting model of course – where the authors research and write in their own time and at their own expense, and someone else takes the income. Roll on open academic publishing!

If you can’t or don’t want to pay, the article now seeing the light of day was the one covered by Mark Say in his piece for the Guardian last August. Unlike Fleet Street, academic publishing moves at a sedate speed all its own: our article was originally submitted in July 2011, some 14 months ago, and accepted in January 2012.

For those of you able to access and read our article in full online, you may need to partially adjust your mindset given that the world of IT reform in Whitehall has certainly not stood still. In particular the UK government’s cloud strategy has manifested itself in the CloudStore, a notable effort to move commodity services onto common platforms and away from the current expensive and highly fragmented model.

Mark and I will be doing some updates and further work in this and related areas – although we may find a conduit that is more open, timely and accessible in the future.

POSTSCRIPT: We’ve now had URLs provided with free access to both the HTML and PDF versions of our paper. From the guidance provided by JPART/Oxford Journals – “Single copies of the article can be printed and distributed to interested colleagues who wish to use the article for personal research/study purposes only. For those wishing to make commercial use of the article, please direct them to journals.permissions@oup.com”. So now you know.

Posted in IT strategy, public services, technology, technology policy, Uncategorized

“enterprise” IT – out of touch and increasingly irrelevant?

So okay … I know it’s been asked before, but it’s not going to stop me asking it again anyway: is the traditional ‘enterprise’ IT department dead? And, if not, why not? What on earth is its purpose?

My recent CIO column “Whitehall zeros in on cost” touched upon the radical, and welcome, impact of zero organisational IT and user-centric computing services. I’m going to explore here what’s happening – and its implications – in a little more detail.

One of the key tenets of a CIO staying relevant to their organisation is knowing when to let go of old, outdated practices and to embrace the new and improved instead. It’s also about having the skills and experience to manage the transition from old state to new state. The role – perhaps now more than ever – is one of learn, adapt, reinvent, or succumb to built-in obsolescence and remain about as useful as yesterday’s gadget. So it’s a sad irony that some IT departments, once seen as the enablers of productivity and competitiveness, are now just as likely to be the direct cause of reduced productivity, inflated costs and complexity.

The contrast between the old and new worlds is telling. New organisations frequently set up with little if any in-house IT infrastructure, obtaining required capabilities from a range of commodity components – from utility end-user devices to cloud-based services. The starting point is a zero IT mindset, making smart re-use of existing devices and services wherever possible – with bespoke or niche requirements only acquired and implemented by exception. This approach is a direct inversion of the operating model of many existing organisations, who have grown up with the idea of the ‘enterprise’ IT department sitting like a plump spider at the centre of a web, acquiring and owning everything, either directly or via contractual arrangements with key systems integrators. The ‘one size fits all’ mindset of many enterprise IT departments was never sensible: today it’s an increasingly expensive indulgence.

In the commercial world, businesses will either transition to this new model quickly and effectively, or find themselves up against competitors and new market entrants with operational costs as much as 80% lower than their own and with far higher productivity. Whilst these competitive dynamics are not directly mirrored in the public sector, the economic environment and the need to provide better public services at less cost provides an equally compelling driver of change.

This is not only a significant shift in the nature of devices and platforms that users utilise, but also the way they work. The prevailing model of the 1990s and the last decade is rapidly becoming obsolete. Remember for example when users emailed documents around to each other for review? And each user then sent it back with their comments for the originator to assimilate into an updated version … which they then sent out for review and so on and so on? And each user had to have a PC with a local email client and a local word processing package to edit the document? How so very 1990s. And how terribly inefficient: it was an era that merely substituted a digital form of document exchange in place of the paper equivalent that previously existed: it was not a successful transformation of working practices.

Today’s commodity platform approach has transformed “documents” into online collaborative workspaces, where users simultaneously work on the same information. The “document” is no longer emailed around ad nauseam and hence no longer forks and chews up pointless cycles of in-box handling bandwidth and offline processing. Editing is done through generic end-user device tools, most frequently web browsers, enabling users to access and work on key information wherever they are and through a variety of devices, including their own. The need to move information around, with all that productivity-sucking impact, is rapidly reducing, as is the need for printing out ‘documents’. It’s a semi-realisation of Jaron Lanier’s comment about Ted Nelson:

“… I think that Ted Nelson’s first thought was a best thought … that there should only be one copy of a digital file, controlled by the owner”

albeit applied to the workplace rather than the consumer space.

We have passed through an era where the norm became the specification of particular products or service providers, with the ‘enterprise’ IT department acting in god mode and deciding which product or provider to select on behalf of all its users. All too often the IT department did so without any analysis or real understanding of the actual user requirement: ask many IT departments today as they are about to sign or renew a contract what user requirement the good/service meets and what alternative options have been evaluated, and I’m alarmed by how rarely the question can be convincingly answered. This out-dated approach – either automatically renewing incumbent products or service providers, or at best swapping them out to make a like-for-like substitution with self-similar products or suppliers – has become lazy business as usual, with inadequate thought given as to what capabilities are actually required and how those capabilities might best be provided.

Today the focus is swinging rapidly away from specifying products or suppliers in the arrogant belief that “One Size Fits All” to concentrate on user requirements. Where once only ‘enterprise’ features, under the monopoly control of IT departments and their select suppliers, provided the necessary capabilities, today consumer technology has commoditised important ‘enterprise’ requirements such as disk and folder encryption, the ability to remotely wipe a device, real-time device remote tracking and dual-factor authentication and revocation. The irony is that some major ‘enterprise’ product vendors, perhaps too busy cosying up to their favourite ‘enterprise’ IT departments, have completely missed this major gravitational shift. Such features remain notably absent from their own consumer offerings, leaving them badly placed to survive the current transition.

One of the biggest obstacles to genuinely user-centric and effective ways of working has always been the vexed issue of security. Yet this historic over-dependency on IT departments and expensive bespoke suppliers masked an essential reality: that security is not a function solely of technology, but one of people and HR and legal practices. It is the user who is ultimately accountable and responsible for adherence to organisational policies. Embedding such policies into user-hostile technology may have become an accepted way of working in many organisations, but it is not a solution in itself. Indeed, the experience of some organisations suggests that by making technology the main focus of ensuring the security of data and devices, users have abrogated their own responsibilities. “People, process and technology are all part of security” is the standard mantra. So let’s establish just such a balance instead of throwing technology at the problem.

In the early days of the internet there was often one touch-down machine in an office where the internet could be accessed. No other devices were allowed to connect to the newfangled interwebs. Now something similar is happening once again, but almost as the inverse of that earlier approach. For their routine needs, users are making use of commodity services and devices equipped with high quality consumer security. Yet when they need access to particularly secure material they can use a secure touch-down machine in the corner of the office. The era of commoditised, utility computing has inverted the security model. All those earlier unnecessary and expensive practices – such as buying top range new PCs and then sticking glue in their USB ports; or putting custom security software onto them that meant the PC took 20+ minutes to boot before it could be used; or tying users to particular locations and forcing them to work in specific, unproductive ways; or making users print out more secure documents and carry them around on paper; or {fill in your own example here} – are heading the way of the hay wain.

This emphasis on users in place of the ‘enterprise’ IT department is a belated recognition of the reality that most users have fairly lightweight routine needs that can be met by simple email and word processing facilities – and security requirements that can be met through the best of what the commodity world has to offer as standard features.

Apple Macs for example, if they are lost or stolen, can be remotely wiped of all their data and contents by their user, without requiring the insertion of an ‘enterprise’ IT department into the mix. Remotely wiping a Mac removes all data and also locks it down, making it unusable without a set passcode.

Device security itself is increasingly less of an issue anyway. Many business services are now accessed through web browsers with little if anything actually persisting on the device. A service such as Google Drive does not physically copy your docs to your device. Where secure on-device protection is required, whole drive encryption or selected folder encryption can be enabled all under the control of the user. In addition, standard features in hosted services such as Google Apps include two-factor authentication and the ability for a user to revoke a device’s access permissions in the event it is lost or stolen. The majority of software is now self-updating and self-correcting – making redundant yet another of the expensive roles once played by central IT departments and their suppliers. These modern, consumer-friendly tools are finally empowering the user rather than the IT department.

The move to devices making use of open standards is helping remove the previous ‘enterprise’ IT endorsed lock-in to specific products and technologies. By concentrating on the right standards for interoperability and a user-based definition of functionality, future moves between service providers become simpler and a huge swathe of costly and time-consuming infrastructure and bureaucracy can be removed.

For those who cannot or will not rise to the challenge, I’d advise them to read and consider the observations that the Leading Edge Forum made in its report “Preparing for a Post-PC World” (August 2011):

“It would be counter-productive, and even dangerous, for IT executives to deny what is happening and refuse to engage in these post-PC change debates. The inevitable result would be that employees saw enterprise IT and its policies as out of touch and increasingly irrelevant”

CIOs need to refocus on their role as the optimisers of business processes and information handling, and as effective agents of change. They need to demonstrate their capability to reduce costs and improve user satisfaction and productivity. Their biggest challenge is to lead this transition from old mode to new – or otherwise they’d best beware the LEF’s prescient warning above…

Posted in IT, IT strategy, security, technology, technology policy

data privacy visualised (6 years on….)

It’s over 6 years since I blogged about how the principles of Creative Commons might be applied to privacy and data protection, particularly to help simplify users’ understanding of what would be done with their data.

I included this mock-up of how this might look when citizens are submitting their data into the custody of an organisation, echoing the look and feel of Creative Commons licensing:

So, what progress in the meantime?

In terms of the thinking around how we treat personal data, I think there has been good if slow progress. The recent work on the draft identity assurance principles shows a growing maturity in learning the lessons of the past – and what makes for well designed, or badly designed, information systems.

But I’m not sure there’s been enough progress both in terms of being explicit with citizens and businesses what permissions they’re granting to third parties – nor in terms of making very clear to users in those organisations what rights they have to the personal data entrusted to them.

Alongside the visualisation of the rights associated with data, we need the underlying rights enforced computationally. Ultimately too we need to realise that ensuring the right data is available to the right people at the right time can be done in a secure and trusted fashion – and does not require the potentially dangerous legalistic approach of enforced “data sharing” (with all the security and privacy problems that produces), but rather the better design of our information systems. Achieving this much needed re-design I suspect still remains the most significant challenge.

Posted in future Britain, identity, IT, IT strategy, privacy, public services, security, technology policy, Uncategorized

more detail on the draft principles for the UK identity assurance scheme

In my recent post “draft principles for the UK identity assurance programme” I said if people were interested, I could post more detail of the thoughts that underpin them. It’s clear from comments on this site and elsewhere that additional detail would be useful, so I’m providing it below.

I preface this with the same important caveat as before – that this is still work in progress and the principles have yet to be formally reviewed, finalised and – most importantly – adopted as an integral part of the programme.

The table below gives, for each principle (Ref), the text of the principle, the rationale / commentary behind it, and the legal commentary.

Ref 1 – The User Control Principle
[Identity assurance activities can only take place if I consent or approve them]

Principle:

An Identity Assurance Provider or Service Provider must ensure any collection, use or disclosure of IA data in, or from, an Identity Assurance Service is approved by each particular Service-User who is connected with the IA data.

END PRINCIPLE

Rationale / Commentary:

Identity Assurance Providers or Service Providers cannot use or disclose IA data without the Service-User’s knowledge and agreement (i.e. consent). Service-Users must be able to control / choose whether or not to use or disclose their IA data. Any exemption from the User Control Principle should be specified via the Exceptional Circumstances Principle. The Data Minimisation Principle also applies to any collection, use and disclosure.

Legal Commentary:

The requirement that processing is either legitimised by consent of the data subject or is “necessary for a contract with the data subject …” (sched 2, paras 1 and 2 of the DPA), unless exceptional circumstances apply. Consent takes the meaning in the Data Protection Directive (or any successor regulation). Also covers some “fair processing” requirements.
Ref 2 – The Transparency Principle
[Identity assurance can only take place in ways I understand and when I am fully informed]

Principle:

Each Identity Assurance Provider or Service Provider must be able to justify to Service-Users why their IA data are processed.

Each Service-User, prior to using an Identity Assurance Provider or a Service Provider for the first time, must be provided with a clear description about the processing of IA data in advance of any processing.

The information provided includes a clear explanation of why any specific information has to be provided by the Service-User (e.g. in order that a particular level of identity assurance can be obtained) and identifies any obligation on the part of the Service-User (e.g. in relation to the User’s role in securing his / her own identity information).

Any subsequent and significant change to the processing arrangements that have been previously described to a Service-User needs the prior consent or approval of that Service-User before it comes into effect.

END PRINCIPLE

Rationale / Commentary:

Organisations should engender trust by being open about all aspects of the processing of IA data. (Processing means “collecting, using, disclosing, retaining, transmitting, copying, comparing, corroborating, aggregating, accessing” and anything else.) Such information does not need to be provided at every transaction, if the Service-User has been previously informed. Where changes occur, any Provider would have to anticipate the fact that consent or approval might not be forthcoming. Any exemption from the Transparency Principle should be specified via the Exceptional Circumstances Principle.

Legal Commentary:

First data protection principle: the requirement that the processing of personal data is fair.
Ref 3 – The Multiplicity Principle
[I can use and choose as many different identifiers or identity providers as I want to]

Principle:

A Service-User is free to use any number of identifiers that each uniquely identifies the individual or business concerned.

A Service-User can use any of his identities established with an Identity Assurance Provider with any Service Provider.

A Service-User can choose any number of Identity Assurance Providers or Service Providers in order to meet his or her diverse needs.

A Service-User shall not be obliged to use any Identity Assurance Provider or Service Provider not chosen by that Service-User; however, a Service Provider can require the Service-User to provide a specific level of Identity Assurance, appropriate to the Service-User’s request to a Service Provider.

A Service-User can terminate, suspend or change Identity Assurance Providers or Service Providers at any time.

A Service Provider does not know the identity of the Identity Assurance Provider used by a Service-User to verify an identity in relation to a specific service.

END PRINCIPLE

Rationale / Commentary:

The first three clauses need no explanation. Where Service Providers are a monopoly or near monopoly, they should not be able to require a particular Identity Assurance Provider to be used. However, a Service Provider must be able to insist on a particular (and not unreasonable) level of identity assurance before delivering a service. Any exemption from the Multiplicity Principle should be specified via the use of the Exceptional Circumstances Principle.

Legal Commentary:

It should not be possible to link a Service-User’s activities in different contexts.
Ref 4 – The Data Minimisation Principle
[My request or transaction only uses the minimum data that is necessary to meet my needs]

Principle:

IA data processed by an Identity Assurance Provider or a Service Provider to facilitate a request of a Service-User must be the minimum necessary in order to fulfil that request in a secure and auditable manner.

END PRINCIPLE

Rationale / Commentary:

Note: it is useful to remind the reader that this Principle has a wide reach because of the definitions of IA data and Processing:

“IA data” includes “Personal data”, “Audit data”, “Attribute data”, “Identity data”, “Relationship data”, “Transactional data” and other “General data”.

“Processing” in the context of IA data means “collecting, using, disclosing, retaining, transmitting, copying, comparing, corroborating, aggregating, accessing” … etc.

So for the avoidance of doubt, any aggregation, correlation or corroboration of IA data from diverse Identity Assurance Providers or Service Providers is subject to all the Identity Assurance Principles. All IA data processed has to be the minimum necessary in the context of service delivery or identity verification. Note that a Service-User can, for his own convenience, request a Provider to hold information beyond the minimum necessary. Subject to any audit or legal requirement, the Minimisation Principle requires any aggregation, correlation or corroboration to be of a transient nature. Any decision that requires a risk assessment of the Service-User, and so needs the correlation of data from possibly a number of sources, will also be subject to the Data Minimisation Principle.

Note that the User Control or Transparency Principle should ensure the Service-User can provide informed consent / approval.

There should be no centralisation of IA data.

Any exemption from the Data Minimisation Principle should be specified via the Exceptional Circumstances Principle.

Legal Commentary:

Third and Fifth Data Protection Principles (“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed” and “kept no longer than is necessary”). Also Privacy by Design objectives likely to appear in a future data protection regulation.
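Two of the requirements above are mechanically checkable at the point where an assertion is relayed to a Service Provider: the Multiplicity Principle’s last clause (the Service Provider does not learn which Identity Assurance Provider was used, and activities in different contexts cannot be linked) and the Data Minimisation Principle (only the data needed for the request is passed on). The Python below is an added illustration of one way to satisfy both, not part of the draft principles or of any programme code. It assumes a brokering hub between Identity Assurance Providers and Service Providers (implied by the principles but not named in them) that holds a secret key; the provider names, the user identifier, the attribute names and the numeric assurance levels are all constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample assertion from an Identity Assurance Provider (IdP).
# Provider names, user identifier and attributes are placeholders only.
IDP_ASSERTION = {
    "idp_id": "idp-example",       # which IdP verified the user; must not reach the SP
    "idp_user_id": "user-12345",   # the IdP's own identifier for the user; likewise
    "level_of_assurance": 2,       # constructed numeric level; higher is stronger
    "attributes": {
        "given_name": "Alice",
        "date_of_birth": "1980-01-01",
        "postal_address": "1 Example Street",
    },
}


class BrokeringHub:
    """Hypothetical hub that sits between IdPs and Service Providers (SPs).

    It derives a different, stable pseudonym for each (user, SP) pair, so an SP
    can recognise a returning user but two SPs cannot join their records, and it
    forwards only the attributes the SP asked for, discarding everything else.
    """

    def __init__(self, key: Optional[bytes] = None):
        # The HMAC key is the hub's only secret. Without it nobody can recompute
        # a pseudonym or relate pseudonyms issued to different SPs.
        self._key = key if key is not None else secrets.token_bytes(32)

    def pairwise_id(self, idp_id: str, idp_user_id: str, sp_id: str) -> str:
        """Pseudonym for one user at one SP: HMAC-SHA256 over (IdP, IdP user id, SP)."""
        msg = f"{idp_id}|{idp_user_id}|{sp_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def broker(self, assertion: Dict, sp_id: str, requested: List[str],
               required_loa: int) -> Dict:
        """Turn an IdP assertion into the minimal assertion the SP may see."""
        # The SP may insist on a level of assurance (Multiplicity Principle, clause 4).
        if assertion["level_of_assurance"] < required_loa:
            raise PermissionError("assurance level below the service provider's requirement")
        missing = [a for a in requested if a not in assertion["attributes"]]
        if missing:
            raise ValueError(f"IdP did not assert requested attributes: {missing}")
        return {
            # Neither idp_id nor idp_user_id is released; the SP sees only the pseudonym.
            "subject": self.pairwise_id(assertion["idp_id"], assertion["idp_user_id"], sp_id),
            "level_of_assurance": assertion["level_of_assurance"],
            # Data minimisation: only the attributes this SP asked for are released.
            "attributes": {a: assertion["attributes"][a] for a in requested},
        }


def linkable(record_a: Dict, record_b: Dict) -> bool:
    """True if two SP-side records share a subject identifier, i.e. could be joined."""
    return record_a["subject"] == record_b["subject"]


if __name__ == "__main__":
    hub = BrokeringHub()
    tax = hub.broker(IDP_ASSERTION, "sp-tax", ["given_name", "date_of_birth"], 2)
    library = hub.broker(IDP_ASSERTION, "sp-library", ["given_name"], 1)
    print("record released to sp-tax:    ", tax)
    print("record released to sp-library:", library)
    repeat = hub.broker(IDP_ASSERTION, "sp-tax", ["given_name"], 1)
    print("same user, same SP, stable pseudonym:", tax["subject"] == repeat["subject"])
    print("records at two SPs linkable by subject:", linkable(tax, library))
```

The hub itself still sees every assertion in transit, which is why the “no centralisation of IA data” note and the audit regime in the Governance / Certification Principle matter as much as the pseudonym derivation; and rotating the hub’s key would change every pseudonym, so key management is part of the design, not an afterthought.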
Ref 5 – The Data Quality Principle
[I choose when to update my records]

Principle:

Service-Users should be able to update their own personal data, at a time of their choosing, free of charge, and in a simple and easy manner.

Identity Assurance Providers and Service Providers must take account of the appropriate level of identity assurance required before allowing any updating of personal data.

END PRINCIPLE

Rationale / Commentary:

Unnecessary retention and excessive data collection would breach the Data Minimisation Principle. If a Service-User fails to keep his information up to date, then his transactions could fail; this, we believe, is the incentive for Users to keep information up to date. The Identity Assurance / Service Provider has to be able to decide the level of identity assurance before accepting a change to a Service-User’s data. Any exemption from the Data Quality Principle should be specified via the Exceptional Circumstances Principle.

Legal Commentary:

Accuracy requirements of the DPA (4th Principle).
Ref 6 – The Service-User Access and Portability Principle
[I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want]

Principle:

Each Identity Assurance Provider or Service Provider must allow, promptly, on request and free of charge, each Service-User access to any IA data that relates to that Service-User.

It shall be unlawful to make it a condition of doing anything in relation to a Service-User to request or require that Service-User to request IA data.

The Service-User shall have the right to require an Identity Assurance Provider to transmit his personal data to a second Identity Assurance Provider in a standard electronic format, free of charge and without impediment or delay.

The Service-User’s right to data portability shall also apply between Service Providers.

END PRINCIPLE

Rationale / Commentary:

For the avoidance of doubt, such access includes access to logs of Service-User activity, disclosure logs of any Service-User data, and any audit data relating to that Service-User’s activity, but excludes any anonymised data that can no longer be linked or associated with a particular Service-User. The prohibition is needed as there is a practice in the UK of requiring data subjects to use their subject access rights to criminal records and medical records and show the product of their access request to an employer or insurer. The prohibition stops unscrupulous use of the access right. The text is based on the prohibition in the ID Card Act 2005. This is the right to data portability. Any exemption from the Service-User Access and Portability Principle should be specified via the Exceptional Circumstances Principle.

Legal Commentary:

Subject access under the DPA. Privacy by Design should include a user access functionality. Stopping enforced subject access. (Data portability is envisaged in the Data Protection Regulation.)
7 The Governance/ Certification Principle [I can trust the Scheme because all the participants have to be accredited]As a baseline control, all Identity Assurance Providers and Service Providers shall be certified.

There shall be a certification procedure subject to an effective independent audit regime which ensures that all relevant, recognised identity assurance and technical standards, data protection or other legal requirements are maintained by Identity Assurance Providers and Service Providers.

In the context of personal data, certification procedures include the use of Privacy Impact Assessments and Privacy by Design concepts.

All Identity Assurance Providers and Service Providers shall take all reasonable steps to ensure that a Third Party cannot capture IA data that confirms (or infers) the existence of a relationship between any Participants.

Certification can be revoked if there is significant non-compliance with any Identity Assurance Principle.

The architecture of an Identity Assurance Service must be based on open standards.

END PRINCIPLE

This Principle mandates the use of all relevant standards as the baseline for all information assurance / security / integrity controls used.

The “reasonable steps” wording tries to ensure that web-based services cannot capture details of a relationship between Service-Users and any Identity Assurance Provider or Service Provider used by them, even though the Service-User might have unwittingly allowed it. (Note: this is why relationship data includes in its definition relevant cookies and programs that collect such data.)

Any exemption can be specified via use of the Exceptional Circumstances Principle.

The Accountability Principle expected in the forthcoming data protection regulation; also obligations in the Seventh Data Protection Principle and the HMG Security Framework or ISO 27000

Privacy Impact Assessments and Privacy by Design concepts are part of the Data Protection Regulation currently under discussion.

Consideration needs to be given as to whether it should be made unlawful for such details to be captured (even overriding any User’s explicit consent). We are very concerned that many Users do not know what permissions they have given, nor do they read the privacy policies of organisations based outside the EEA. There is a need to take away the defence of a Third Party that it has the permission of the User to capture details from an Identity Assurance Service.
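As an added illustration of the kind of check the “reasonable steps” wording implies for a web-based Identity Assurance Provider or Service Provider (this is example code, not part of the Privacy and Consumer Group’s text or of any programme deliverable): every script, image, frame or stylesheet that a page pulls from another organisation’s host makes the Service-User’s browser contact that host, and that request alone tells the Third Party that this user has a relationship with this service. The script below parses a constructed sample page and lists the external hosts it would cause the browser to contact; all hostnames in it are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes that make a browser fetch a resource automatically, and so
# reveal the visit to whichever host serves that resource.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class ResourceCollector(HTMLParser):
    """Collects the URLs of resources a page would load without user action."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.urls.append(value.strip())


def third_party_origins(html, first_party_host):
    """Return the set of hosts, other than first_party_host and its own
    subdomains, that rendering `html` would cause the browser to contact."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party_host = first_party_host.lower()
    found = set()
    for url in collector.urls:
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            continue                      # relative URL: same origin, no leak
        if host == first_party_host or host.endswith("." + first_party_host):
            continue                      # first party or its own subdomain
        found.add(host)
    return found


# Constructed sample page; the hostnames are hypothetical, not real services.
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="https://cdn.example-analytics.test/track.js"></script>
</head><body>
  <img src="//pixels.example-ads.test/1x1.gif" alt="">
  <img src="https://static.idp.example.test/logo.png" alt="logo">
  <iframe src="https://widgets.social.test/like?u=idp.example.test"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host in sorted(third_party_origins(SAMPLE_PAGE, "idp.example.test")):
        print("third-party fetch:", host)
```

On the sample page the check flags the analytics script, the tracking pixel and the social widget frame, while the provider’s own static subdomain and the relative stylesheet are not reported. A static scan of this kind only covers resources referenced in the delivered HTML; resources injected later by scripts, and the cookies those scripts set, need a browser-side check (for instance reviewing the network requests made while loading the page), so this is one step towards the “reasonable steps” rather than the whole of them.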
8

The Problem Resolution Principle

[If there is a problem I know there is an independent arbiter who can find a solution]

A Service-User who, after a reasonable time, cannot or is unable to resolve a complaint or problem directly with an Identity Assurance Provider or Service Provider can call upon an independent Identity Ombudsman to seek independent resolution of the issue.

As part of the certification process, Identity Assurance Providers and Service Providers are obliged:

(a) to co-operate with the Identity Ombudsman and accept his impartial determination and

(b) to ensure that contractual arrangements

(i) reinforce the application of the Identity Assurance Principles, and

(ii) contain a reference to the Identity Ombudsman as a mechanism for problem resolution.

The Identity Ombudsman can resolve the same or similar complaints affecting a group of Service-Users.

The Identity Ombudsman can co-operate with other Regulators in order to resolve problems and can raise relevant issues of importance concerning an Identity Assurance Service.

An adjudication / recommendation of the Identity Ombudsman shall be published.

There can be more than one Identity Ombudsman.

The Identity Ombudsman can recommend changes to standards or certification procedures, or that an Identity Assurance Provider or Service Provider should lose their certification.

END PRINCIPLE

The central problem is that many different Regulators (e.g. the Information Commissioner, FSA, OFCOM) could be involved, and that an individual has to be able to complain to a central point of contact in order to resolve an issue. Without an Ombudsman / Advocate, there is a risk that the Service-User will be passed from pillar to post.

One assumes, however, that a Service-User will resolve a complaint in the usual way. However, it is possible that complaints will not be resolved satisfactorily. We expect that any determination made by an Identity Ombudsman can be appealed to the Courts by any party to the dispute.

Any exemption from the Problem Resolution Principle can be specified via use of the Exceptional Circumstances Principle (but we can’t see the need for any exemption, as explained as follows). Take an extreme example, and suppose there was an exemption needed for, say, “national security”; then the Regulator who has the responsibility for the national security function could be designated as the “ombudsman” for that purpose. This would maintain the integrity of this Principle and the secrecy required of the national security function.

9

The Exceptional Circumstances Principle

[Any exception has to be approved by Parliament and is subject to independent scrutiny]

Any exemption from the application of any of the above Principles to IA data shall only be lawful if it is specified in the statutory framework established by the general legislation needed to legitimise all Identity Assurance Services.

Any exemption from the application of any of the above Principles that relates to the processing of personal data must also be necessary and justifiable in terms of one of the criteria in Article 8(2) of the European Convention on Human Rights: namely in the interests of national security, public safety or the economic well-being of the country; for the prevention of disorder or crime; for the protection of health or morals; or for the protection of the rights and freedoms of others.

Any subsequent processing of personal data by any Third Party who has obtained such data in exceptional circumstances (as identified by Article 8(2) above) must be the minimum necessary to achieve that (or another) exceptional circumstance.

Any exceptional circumstance involving the processing of personal data must be subject to a Privacy Impact Assessment by all relevant “data controllers” (where “data controller” takes its meaning from the Data Protection Act).

Any exemption from the application of any of the above Principles in relation to IA data shall remain subject to The Problem Resolution Principle.

END PRINCIPLE

There are a myriad of data sharing laws, each with different standards and rules. To engender trust in the identity assurance programme and to improve Parliamentary scrutiny, it is proposed that ONLY statutory gateways created by the legislation needed to establish the programme are valid. There might be a phasing-in period.

The special interests identified in Article 8(2) are expressly put into this Principle. However, the linkage to individual human rights means that the link can only relate to personal data (i.e. an identifiable living individual). This is why we need the definition of “personal data”.

This allows for limited onward data sharing, so long as it is consistent with Article 8 of the HRA.

There is a real issue as to whether the current level of privacy protection is adequate for some public bodies (e.g. is the protection in RIPA adequate? Is the Regulatory regime for the Security Service, GCHQ or the Police OK?). This construction avoids opening up what would be an everlasting debate; however, the last paragraph of this Principle is the necessary “quid pro quo” for this position. (See comments at the bottom of Principle 8 re Governance on national security.)

It is expected that any exemption will be limited, and expressed in terms of particular subsets of IA data (e.g. “personal data”, “audit data”, “relationship data”) necessary for the application of any exemption.

Posted in future Britain, identity, open government, privacy, public services, security, technology policy

draft principles for the UK identity assurance programme

The snappily named “Identity Assurance Programme Privacy and Consumer Group” has been busy for some time now, debating and distilling a set of privacy-based principles to underpin the new UK Government identity assurance programme.

As Chair of the group, I thought it’d be a good time to share what this work has accomplished so far. With the important caveat that this is still work in progress and the principles have yet to be formally reviewed, finalised and – most importantly – adopted as an integral part of the programme. But great work has already been done.

So this is where we are right now in terms of a high level summary. I’d welcome all feedback on how these principles are shaping up – particularly anything missed or anything that could be improved.

THE IDENTITY ASSURANCE PRINCIPLES

SUMMARY OF THE CONTROL AFFORDED TO AN INDIVIDUAL

1. The User Control Principle: Identity assurance activities can only take place if I consent or approve them
2. The Transparency Principle: Identity assurance can only take place in ways I understand and when I am fully informed
3. The Multiplicity Principle: I can use and choose as many different identifiers or identity providers as I want to
4. The Data Minimisation Principle: My request or transaction only uses the minimum data that is necessary to meet my needs
5. The Data Quality Principle: I choose when to update my records
6. The Service-User Access and Portability Principle: I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want
7. The Governance/Certification Principle: I can trust the Scheme because all the participants have to be accredited
8. The Problem Resolution Principle: If there is a problem I know there is an independent arbiter who can find a solution
9. The Exceptional Circumstances Principle: Any exception has to be approved by Parliament and is subject to independent scrutiny

The above summary is intentionally designed to have clarity and to be easy to understand. Underpinning it is more precise detail of what these mean and how they are to be observed and implemented. I’d like to acknowledge the commitment, contributions and smart thinking and debate of the Privacy group, as well as the great support we get from the team in the Government Digital Service – it’s a real privilege Chairing, which isn’t something that I can often say about such roles.

I’m happy to share the full details of current thinking behind these principles here as well – but that will make for a long blog :-) . So I’ll leave that for a future post if people would like to get into a much more detailed discussion…

Posted in future Britain, identity, open government, privacy, public services, security, technology policy