The Challenge of Data Sharing in the Public Sector
Data sharing within the UK public sector, particularly in policing, presents a complex challenge. It's vital to share information effectively to prevent crime and protect the public. However, this must be balanced with the need to safeguard sensitive data and ensure responsible use.
A Framework for Proportionate and Adaptive Governance
The BSI "Proportionate and Adaptive Governance of Innovative Technologies (PAGIT)" framework offers valuable guidance for navigating this challenge (more detail: https://bit.ly/4a2PFvL). It emphasises the importance of:
- Product-Based Governance: Focusing on the specific properties and risks of the data being shared, rather than adopting a blanket approach. This means that the governance of data sharing should be tailored to the specific types of data involved and their intended uses.
- Technology Readiness Levels (TRLs): Guiding the timing and sequencing of data-sharing decisions based on the maturity of the technology involved. For instance, if a new data-sharing technology is still in its early stages of development, it may be appropriate to start with a pilot project or a limited rollout before implementing it more widely.
- Disruptive vs. Incremental Innovation: Recognising that data sharing can disrupt existing workflows and systems, requiring careful management. This means that it is important to consider how data sharing will impact existing processes and systems, and to take steps to mitigate any potential disruptions.
- Soft and Hard Law: Utilising a mix of standards, guidelines, and regulations to ensure flexibility and adaptability in data governance. This could involve using standards and guidelines to provide guidance on best practices for data sharing, while also using regulations to set clear legal boundaries.
Five Practical Steps for Sensible Risk-Based Decision Making
1. Comprehensive Risk Assessment
Conduct thorough risk assessments before sharing any data, considering potential harms and benefits. This should include identifying the types of harm that could occur, the likelihood of each type of harm, and the potential severity of the harm. Consider:
- Types of Harm: Identify potential harms to individuals, organisations, and society that could result from data sharing (e.g., privacy violations, discrimination, reputational damage, security breaches).
- Likelihood of Harm: Assess the likelihood of each type of harm occurring, considering factors such as the sensitivity of the data, the security measures in place, and the intended use of the data.
- Severity of Harm: Evaluate the potential severity of each type of harm, considering the potential consequences for those affected.
- Benefits of Data Sharing: Identify the potential benefits of data sharing, such as improved crime prevention, enhanced public safety, and increased efficiency.
- Proportionality: Weigh the potential benefits against the potential risks to determine whether data sharing is justified.
2. Rigorous Data Minimisation
Share only the minimum necessary data to achieve the desired outcome. This could involve aggregating or anonymising data to reduce the risk of identifying individuals.
- Identify Essential Data: Determine the specific data elements that are absolutely necessary to achieve the purpose of data sharing.
- Data Aggregation and Anonymisation: Explore ways to aggregate or anonymise data to reduce the risk of identifying individuals.
- Data Masking: Consider using data masking techniques to protect sensitive information while still allowing for analysis and research.
3. Strict Purpose Limitation
Establish clear and specific purposes for data sharing, and ensure data is used only for those purposes. This could involve implementing strict access controls and data retention policies:
- Document Purpose: Clearly document the specific and legitimate purpose or purposes for which data is being shared.
- Data Retention: Establish clear data retention policies to ensure that data is not kept longer than necessary for the specified purpose.
- Access Controls: Implement strict access controls to limit who can access and use the shared data.
4. Transparency and Accountability
Be transparent about data-sharing practices, and establish mechanisms for accountability. This could involve establishing data-sharing agreements and conducting regular audits:
- Data Sharing Agreements: Establish formal data-sharing agreements that outline the terms and conditions of data sharing, including roles, responsibilities, and data protection measures.
- Data Sharing Audits: Conduct regular audits to ensure compliance with data protection policies and procedures.
- Public Reporting: Publish regular reports on data-sharing activities, including information on the types of data shared, the purposes for which it was shared, and any incidents or breaches that occurred.
5. Meaningful Stakeholder Engagement
Engage with relevant stakeholders, including the public, to build trust and ensure responsible data use. This could involve establishing mechanisms for consultation and feedback:
- Identify Stakeholders: Identify all relevant stakeholders, including law enforcement agencies, other government departments, community organisations, and the general public.
- Consultation and Feedback: Establish mechanisms for consultation and feedback to ensure that stakeholder views are considered in data-sharing decisions.
- Transparency and Communication: Communicate clearly and transparently with stakeholders about data-sharing practices, including the purposes, benefits, and risks of data sharing.
- Build Trust: Foster trust and confidence in data-sharing initiatives by demonstrating a commitment to responsible data use and data protection.
Sensible risk-based decision-making is crucial for successful data sharing in the public sector. By adopting a proportionate and adaptive approach, we can harness the power of data to prevent crime and protect the public, while upholding the highest standards of data governance.
Interested in exploring this topic further and enhancing your data-sharing practices within the public sector? Visit the Oxon Advisory website at www.oxonadvisory.com for further in-depth insights and access to guidance.
Risk & Intelligence Consultancy and Risk Technology
2 months ago
Interesting article. There is another option that I advocate that allows organisations to share insight without having to share data, which could resolve or at least minimise these issues that I think should be part of these discussions. The approach would use consistent structured risk profiles across agencies that are completed by practitioners in a way which reduces the amount of paperwork for them, whilst also allowing a broader range of risk factors to be considered. In the short term these could be Excel-based and created as single-agency products that inform multiagency meetings, or as collaborative documents if technology is utilised. The approach can be created at minimal cost, utilise existing practices, save time for frontline staff, create new insight that supports decision making more effectively, and doesn’t require any data to be shared, thus minimising or even eradicating what has been, and will continue to be, a significant barrier to making a difference and saving lives. I have successfully used this approach within law enforcement and strongly believe that it could be used to revolutionise the approach in this sector.