the canary that ceased to be

Yesterday I resigned from the Cabinet Office‘s Privacy and Consumer Advisory Group (PCAG) nearly 6 years after I first became involved, initially as its Chair and more recently as Co-Chair.

As we explained in this 2015 blog for the Government Digital Service (GDS), PCAG was set up to:

provide the UK government with independent expert review, analysis, guidance and feedback on all personal data and privacy initiatives by all departments, agencies and other public sector bodies

Francis Maude, then Minister for the Cabinet Office (MCO), helped encourage and establish the group nearly 6 years ago. He wanted the group to be a sort of “critical friend” – a canary that could detect and help fix policy and technology issues before they got too far down the policy / Bill process. The idea was to try to avoid a repeat of previous fiascos, such as the Identity Card Act, where Whitehall generalists found themselves notably out of their depth on complex technical issues and left Ministers to pick up the pieces.

PCAG brings together a healthy mix of expertise from a diverse range of people and organisations, including some of those who were most vocal in criticising the ID Card proposals. Setting up PCAG was a brave political move in many ways, but always seemed to me a sensible way of government realising the old adage of “Keep your friends close and your enemies closer”.

The group has reviewed and commented upon a wide range of government initiatives, including predicting the disaster that become NHS, the fraud risks of ill-considered “data-sharing” (under various guises), the troubled and late-running GOV.UK Verify identity assurance programme, the Office of National Statistics use of data, the “digital transformation” of the electoral roll, Home Office fraud issues, the Investigatory Powers Bill (now Act), and other proposals and ideas from across government.

Unfortunately, since Francis Maude’s departure, there has been only one meeting with subsequent MCOs, in December 2015. PCAG has experienced less Ministerial level support and encouragement than it once had. Without such backing, those officials who find the group’s expert reviews and analyses “challenging” have found it easier to ignore, attempting instead to smuggle their often half-baked proposals past Ministers without the benefit of the group’s independent assistance.

Part 5 of the Digital Economy Bill seems to me a classic example of what happens when the group’s advice and offers of help are repeatedly ignored by officials who should know better. Worse, in the case of Part 5 the group was repeatedly misled and misinformed by the team that drafted the core of the proposals and the related “codes of practice”. Once again it was Ministers and Parliament left to deal with the consequences.

In Francis Maude’s day, the problems with Part 5 (PDF) of the Digital Economy Bill and its associated codes of practice would have been highlighted and fixed with the help of the group, rather than causing Ministerial embarrassment and confusion when they were published in a disappointingly amateurish and technically-illiterate state.

PCAG has worked hard to ensure the continued full engagement, backing and enthusiasm of subsequent MCOs. Alongside extending open invites to the MCO’s office via GDS, we sent this letter in June 2016 to then MCO Matt Hancock MP. We followed-up with this letter to the next MCO, Ben Gummer MP, in September 2016. Despite repeated attempts by GDS to chase a response from the MCO’s office, there has been no acknowledgement or response to either letter.

I can only assume from this lack of engagement that PCAG’s canary function is either no longer understood, or no longer valued. If the group is no longer wanted – well, surely it would be much better all round if someone just said so openly?

As I step down, I’d like to thank the many civil servants, Ministers and MPs who have engaged constructively with the group and its members over the years, and who have found it of value – even if it may have proved challenging and perhaps a little heated at times. No-one ever claimed any of this is easy – the intersection of technology and policy is notoriously complex – but it’s surely far better for everyone to have the right discussions early in the policy-making process rather than downstream.

I’d also like to take this opportunity to thank the members, both past and current, of PCAG who have always been supportive and keen to make it work, and who have given so freely of their time despite many other demands.

Let’s just hope that after the election the value of the group will be rediscovered and government will breathe life back into the canary. Doing so would help realise Francis Maude’s original purpose – and bring significant benefits to us all, whether inside or outside of government.



  1. Thanks Jerry. Without your chairmanship the group would have been even more easily nullified. I fear there are strong signs that some “officials who should know better” sought to ignore us because they believed they DID know better than outsiders and no criticism or external analysis was tolerable.

  2. Such a shame Jerry to see that all the work the group has done, with the support of Francis Maude, to encourage Govt to ‘lead by example’ is stalled.
    The UK was in a commanding position for a while and could have been a centre of excellence in the global digital economy.
    Keep in touch.
    Kind regards
    Graham Sadd – PAOGA.

  3. Thank you, Mr. Fishenden for your service on the PCAG.

    Is there any advice you would give to the incoming government about what could be done to ensure that the views of the PCAG are properly considered.

    Yours sincerely George Sykes
    Policy researcher Pirate Party UK

    1. Thanks George – one way would be to mandate PCAG review and sign-off of relevant departmental proposals to prevent further “self harm” by officials. If PCAG hasn’t reviewed and approved, or improved, proposals, they can’t go any further. This would be a similar control to the one that Francis Maude put in place over spending to stop the wrong things happening. Of course, there may be better options!



  4. Hi Jerry
    Sorry you felt you were being ignored, bu in these interesting times, that seems to be the reward for common sense. It’s chilling to think that this report might attract the authorities’ attention under the proposed Espionage Act.
    Congratulations too on the Verify piece. Sadly, I’m sure all those comments have long formed part of the PCAG record.
    Best of luck with whatever you do next.

  5. Jerry – this is a very sad development and a poor reflection on Government policy making that we see all too often worldwide. It has led to repeated failures here in Australia for digital ID management schemes. With best wishes and hoping that you will be able to return to the fray again at some time in the future.

    Malcolm Crompton

    1. Thanks Malcolm – I shall still be trying to support and help where I can to get things back on course. I look forward to catching up again at some point.

      Best, Jerry

  6. Dear Jerry

    I have always wondered why you devoted so much effort to PCAG given that, as far as I can tell, the group was tolerated by the civil service only as a means adding a veneer of concern for privacy onto a project – initially IdAP, now Verify – that was designed without any serious thought about the subject at all. But, like others commenting in response to your post, I too am grateful that someone stepped up to the opportunity, thin as it was.

    There may yet be a chance to create a privacy-enhancing ‘Personal Data Ecosystem’ as a complement to Verify, probably starting in the education sector. But getting agreement from Gov to collaborate in such a venture requires a unified voice from those of us concerned about these matters. As you know, I would like to discuss these issues with you. Please do get in touch.

    Best regards,

    John Harrison, PIB-d

    1. John

      Your suggestion that the engagement between PCAG and the civil service was a “veneer” is disappointing – being both misplaced and inaccurate. It doesn’t reflect the reality of what I witnessed and experienced during my time with the group.

      If you’re hoping to make progress with whatever the venture is you’re seeking to promote, I’m not convinced that making unfounded aspersions about civil servants is a sensible or particularly attractive way of persuading others, including government, to come to the table and “collaborate in such a venture”.

  7. Dear Jerry:
    Sorry for my slow reply: I must have missed any notification about your response to my post. And sorry also that I seem to have irked you. I have no doubt that the civil servants working on Verify acted for the best, and I – wearing one or other of my ‘identity’ hats – remain in reasonably frequent, and cordial, contact with a number of them. However, the fact remains that privacy was not ‘baked into’ the design of Verify at the outset, and that attempts at retrofitting were always going to be hard; other countries, when designing national ID systems, did far more at an earlier stage; Austria comes to mind as an example.
    But all that is in the past. There’s now a fair chance of an opportunity to build a Personal Data Ecosystem, starting in the education sector, providing backward compatibility with Verify, and giving individuals far more control over their data. To succeed, it has to be a genuinely collaborative venture, calling on all the talents. I have already sent you – via Linked-In – some information, and a consensus paper. There’s more available at, being the output of various working groups over the years. Please do get in touch, so that we can discuss.
    Best regards,
    John Harrison, PIB-d Ltd

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.