Ministers Have Repeatedly Refused To Reveal The Legal Basis For Boris Johnson’s Secret Plan To Track User Data
Different departments have given contradictory reasons for withholding the legal basis for a huge data-tracking exercise on the government's website.
Boris Johnson's government is refusing to reveal the terms of a sweeping data-tracking plan that the prime minister privately said would gather “targeted and personalised information” about the British public to support Brexit preparations.
It has denied multiple requests from MPs, journalists, and privacy campaigners to publish the data-sharing agreements underpinning the tracking, which the prime minister’s chief aide Dominic Cummings described in a leaked email as “TOP PRIORITY”.
Officials in different departments gave contradictory reasons for withholding the documents.
BuzzFeed News reported last month that Johnson wrote to members of the cabinet’s “XO” committee, which is responsible for no-deal preparations, on Aug. 19 instructing departments to urgently share data about the users of their online services with the Government Digital Service (GDS). The leak revealed several new developments:
A new layer of tracking is being added to the GOV.UK portal so that the entire “user journey” of visitors is collected in a single Google Analytics account maintained by GDS, giving the government a vastly more detailed and useful picture of how the British public interact with digital services than it previously had;
GDS has been asked to develop an “accelerated implementation plan” for a new digital identity scheme that could be rolled out across the government’s digital services in a single “joined up and interoperable GOV.UK ‘ecosystem’”;
Data experts working on non-core projects were asked to move to GDS for up to six months to help deliver “Brexit communications and service provision priorities” on the GOV.UK website.
“This is a big step for Government in how we use data intelligently and proactively,” Johnson wrote to ministers. He ordered any delays to be reported to his office. Members of the XO committee include chancellor Sajid Javid, home secretary Priti Patel, and the minister responsible for no-deal planning, Michael Gove.
In separate communications also obtained by BuzzFeed News, departments were instructed to sign a memorandum of understanding with GDS setting out the terms of the data-sharing arrangements and to return it to the Cabinet Office by Sept. 3.
GDS and the Department for Culture, Media, and Sport were asked to “work through data ethics issues” relating to the tracking and the memorandum of understanding “covers this off”, one of the leaked documents said.
While it's not unusual for a large website to track user data across its functions, opposition MPs and privacy campaigners, alarmed by the haste and secrecy in which the data-sharing project had been conducted and unsure about the legality of it, urged the government to publish the memoranda. However, it has refused numerous requests to do so.
The Cabinet Office, in response to a Freedom of Information (FOI) request by BuzzFeed News, said it won’t release the memoranda now because it intends to publish them at some point in the future.
“The MOUs will be regularly updated in line with the government’s commitment to continuous improvement in digital services and best practice in data and privacy standards,” it said. “While it is therefore not possible to provide the MoU at present owing to further development, it is a long-standing government policy to operate in the spirit of full transparency, and GDS plan to publish the document in due course.”
The Cabinet Office added: “In developing this project, we have taken into account both the data protection regime and other guidance like the Government’s Data Ethics Framework. There are specific technical, privacy and information assurance guidance in place to mitigate against risks.”
However, the Home Office gave a contradictory response in a written answer to a parliamentary question by Labour MP Mary Creagh, saying it doesn’t routinely publish agreements with other departments “and will therefore not be publishing this agreement”.
The Ministry of Housing, Communities, and Local Government, answering an FOI request by BuzzFeed News, gave yet another reason for withholding the document: Because the memorandum relates to sensitive Brexit preparations and disclosure would deny officials a “safe space” to formulate policy.
And the Treasury told BuzzFeed News it didn’t have any information about the matter, even though the Cabinet Office said it was among those that were asked to sign the agreements. Other departments have yet to respond to similar FOI requests.
Separately, the Cabinet Office has not responded to requests from a coalition of campaign groups who wrote seeking more information about the legal grounds for the tracking.
In one letter, Foxglove, Big Brother Watch, and the Open Rights Group said the intention to use of GOV.UK to gather targeted and personalised information raised “a number of serious data protection and privacy concerns”, including whether the government is complying properly with the European Union’s general data protection regulation (GDPR).
Cori Crider, director of Foxglove, an advocacy group that promotes justice in technology, told BuzzFeed News: “We’ve written twice to ask the government what they’re up to with this new data-mining and been ignored both times. This isn’t good enough. Stonewalling legitimate questions about what they are up to, while silently tacking on what looks like a new tracker, isn’t a good look.”
Nicky Morgan, the culture secretary, is expected to be asked about the data tracking when she gives evidence before the Commons’ Digital, Culture, Media, and Sport Select Committee on Wednesday.
In public statements since the existence of the data tracking plan leaked last month, ministers and officials have downplayed the gravity of it.
They have insisted that central collection of GOV.UK user data is a straightforward change that was planned before Johnson became prime minister and is necessary to improve services on the platform. Before now, departments responsible for different parts of GOV.UK collected user data but did not share it, which meant GDS didn’t have a comprehensive view of how people interact with the government online.
The Cabinet Office has also been quick to stress that the data is anonymised.
However, it has not explained why the project is being rushed through the no-deal planning committee and why the public wasn’t told that their entire journeys across GOV.UK would now be centrally tracked.
Nor has the government addressed important aspects of the prime minister’s private memo, including his assertion that GOV.UK will gather “targeted and personalised information” about users, or the plans to push through a new digital identity scheme.
Some civil servants regard the data-tracking as part of a Whitehall “power grab” by GDS.
In their view, the department is using the cover of the Brexit crisis to push a data initiative it has long desired and to reboot its Verify digital identify scheme, which failed to meet performance targets and was resisted by other departments.
But that doesn’t fully explain why the prime minister and Cummings chose to prioritise the plans and why they were being driven through the XO committee.
Cummings wrote in an email to senior officials on Aug. 28:
To stress: as per the PM note to all Cabinet and ministers yesterday, please ensure that all ministers, Perm Secs, and spads know that this is TOP PRIORITY.
We must get this stuff finalised ASAP and there are many interdependencies resting on this happening.
The PM says a) his office must be informed of anything that will delay the GDS / comms plan by 24 hours and b) CDL [Michael Gove, the Chancellor of the Duchy of Lancaster] will deal with any problems/delays today…
One Cabinet Office official said the data has to be collected now, before Brexit, because GOV.UK “just isn’t very good” and won’t be able to handle a surge in demand as Britain’s departure from the EU approaches.
The prime minister’s leaked memo suggested another reason: With just weeks to go before their target leaving date of Oct. 31, ministers on the XO committee needed better information to support their contingency planning. And so they're using GOV.UK as an intelligence tool to compile data about usage of Brexit-related services which can then be “fed back actively to support key decision making”.
By tracking users as they browse across the web and aggregating that information in Google Analytics, the government will get an incredibly rich insight into the British public, data experts said. “You’d be running one of the largest dynamic opinion polls in British history,” as one put it.
In response to an FOI request by BuzzFeed News, the Cabinet Office said that only 23 people had access to the central Google Analytics account as of Sept. 23, all security-cleared officials working for GDS. But it added: "High-level reports will be seen by ministers and senior officials as part of informed decision-making, as is the case with other performance data and analysis."
Johnson’s leaked memo also intimated that the data tracking was the first step in an overhaul of public services. He urged departments to “move at pace to deliver the service transformation required to deliver a new generation of digital services and outcomes post-Brexit”.
Seventeen departments were told to sign data-sharing agreements with GDS. As of last week, though, DCMS, the Foreign Office, the Department for Work and Pensions and the Cabinet Office had not signed a memorandum of understanding, despite the push from Downing Street. It is not clear why they had not yet complied.
Among the domains to have had the new tracking code added so far are GOV.UK pages through which members of the public to apply for passports, pay driving fines, and search for schools.
This is the full text of Johnson’s private memo:
THE PRIME MINISTER
TO MEMBERS OF THE EU EXIT OPERATIONS (XO) COMMITTEE
The UK will be leaving the EU on 31 October. This note is to outline the next steps on mission critical data analytics and progress towards low friction, trusted and personalised services, and seek support across Departments to enable Government collectively to make rapid progress.
GDS have been tasked through the XO committee to ensure GOV.UK is serving as a platform to allow targeted and personalised information to be gathered, analysed and fed back actively to support key decision making. In effect, focussed on generating the highest quality analytics and performance data to support Exit preparations.
This will mean a shared endeavor to remove any barriers and a further prioritisation of digital skills within Departments to be working directly with GOV.UK to create a single, shared view of user activity on Brexit related content and related services. To achieve this I am asking Departments:
1. To share their service data and GDS and work in partnership so that it can build a single consolidated view of how citizens interact with Government through GOV.UK.
2. To review their data science capability and capacity working on non-core programmes and consider if they could be reallocated to work on the central analytics platform being developed by GDS as part of the Insights programme to support Brexit preparations for a period of up to 6 months.
3. With DDaT specialists working on non-priority programmes to contact GOV.UK with a view to loaning such staff, as required, for a period of up to 6 months (effective immediately) to work in multi-disciplinary teams delivering Brexit communications and service provision priorities on the core GOV.UK platform.
Whilst there are immediate tasks in support of preparations for 31 October - as outlined above - it is also essential we move at pace to deliver the service transformation required to deliver the new generation of digital services and outcomes post-Brexit.
At the heart of that is our approach to UK digital identity, transitioning to a model driven by ubiquitous digital identity standards. There are decisions ahead on how best to accelerate convergence onto these standards, including next steps on Verify. XO has tasked GDS with developing - in cooperation with others - a digital identity accelerated implementation plan and I would ask you all to engage in that work urgently.
Any and all competing philosophies need to be resolved as they continue to impede progress so that when Departments are building and reforming services, they do so in accordance with the UK digital identity standards. This will allow: GOV.UK to commence work on the creation of a joined up and interoperable GOV.UK ‘ecosystem’, confident that HMG is committed to a shared and trustworthy understanding of who our users really are.
There are also digital identity factors that relate to preparations for 31st October. There is a desire to develop personalised ‘account creation’ feasibility studies pre-31 October which can deliver benefits shortly after. The greater the volume of data structured through personalised ID, the more impact the outcome. Steps that Government can take to increase that volume now whilst continuing to deliver critical services, must be looked at. This includes fully exploiting various current pilots such as use of passport data for identity checking and that new services are meeting an appropriate identity standard that can help not hinder convergence. The accelerated implementation plan can pick this up.
This is a big step for Government in how we use data intelligently and proactively. Whilst there will, of course, be challenges in how we make it work, I look forward to seeing progress and ensuring we remove blockers that have previously prevented success. I expect everyone to act immediately to execute the above actions and I have asked Alison Pritchard and Jennifer Allum in GDS to inform my office if any departments act such as to delay preparing for 31 October by 24 hours.
I am copying this minute to members of the EU Exit Operations (XO) Committee.
[PRIME MINISTER’S SIGNATURE]
19 August 2019