Transparency data

DSA Peer Review Group Minutes Tuesday, 24 June 2025 (HTML)

Updated 28 August 2025

Attendees

• Idris Malji, Chair (DSIT) 
• Jenny Brooker (DSIT)
• Michelle Bowen (ONS)
• John Olatunji (DSIT) 
• Murat Soncul (DSIT)
• Kiran Mistry (DSIT)
• Graham Mckenna (DWP)
• Megan Clokey (DCMS)
• Alex Smith (DSIT)
• James Freeland (DSIT)
• Ben Gilburt (DSIT)
• Elena Hess-Rheingans (DSIT)
• Gerald Wong (CO)
• Patricia Ryser-Welch (CO)
• Sophie Davis (DESNZ)
• Jasbinder Singh (CO)

Record of discussions

1. Welcome, introductions and agenda - Idris Malji, IM, Chair (DSIT)

IM opened the meeting by welcoming all attendees and thanking them for their time and provided an overview of the agenda items for the session. IM welcomed Michelle Bowen, MB, from Office of National Statistics (ONS), who has replaced Ria Sanderson (ONS) as Co-chair for future Peer Review Group  meetings.

2. Personal Data Security Principles - Alex Smith, AS (DSIT) and James Freeland, JF (DSIT)

Notes:

• AS and JF presented an update on the personal data security principles.
• AS apologised for not being able to present at last PRG.  AS stated principles are guidance and not a new standard, and are about to be published on GOV.UK.  The aim is to put principles in place for securing personal data across government, specifically addressing risks to sensitive individuals in bulk population-scale datasets.
• The principles distinguish themselves from day-to-day data handling and existing government security classifications, focusing on those designing, building, and operating systems that process personal data.
• AS emphasised the increased cybersecurity risk and the need for additional security controls for vulnerable and at-risk individuals (e.g., witness protection, assumed identities, public figures).  The principles address the risks of sharing data outside an organisation and combining different data sources.
• AS further clarified that “sensitive identity data” aligns with the definition of “personal data” in existing data protection legislation, rather than creating a new category.  Key activities in system design include identifying data assets (referencing existing policies like the Essential Shared Data Assets policy) and identifying risks (referencing existing risk management frameworks like “secure by design”).
• AS explained that the principles were developed in partnership with GSG (sensitive identity protection) and National Cyber Security Centre (NCSC).  AS emphasised that each principle had a set outcome, controls and mitigations to manage risks associated with it.  Examples include, knowing who owns and is accountable for data, applying appropriate data security controls, processing personal data lawfully and ethically, (signposting to ICO guidance and data protection legislation), matching data using appropriate pseudonymous identifiers, and treating vulnerable or at-risk individuals inclusively (i.e., including them in datasets rather than removing them).
• AS informed that NCSC has produced more technical guidance which cross-references these principles.  The principles have been approved for publication on GOV.UK, expected early next month.  There is an appetite to make this guidance more mandatory in the future.
• JF highlighted the extensive work and consultation with various stakeholders (internal and external) that went into developing these principles over 12 months and feedback is still welcome for future versions of the guidance.

Questions and Answers:

Pat Ryser-Welch, PRW (CO) asked about how the principles will be enforced and verified.

AS response:  An 11th principle about checking implementation was removed due to pushback on additional burden, but it may be revisited if the guidance becomes mandatory.  Technical implementation is being addressed through collaboration with NCSC technical guidance.

3. Data Governance Standardisation: Gap Analysis Following Discovery, Kitan Mistry, MS (DSIT)

Notes:

IM Introduced KM the Lead of Data Protection and Privacy to provide an update on Data Governance Standardisation:

• KM opened the discussion on the ongoing development of the Trust Framework, reiterating its significance as previously highlighted by JB.
• KM pointed out the inconsistent data sharing and governance across central government and the public sector, with a lack of understanding of applicable rules.
• KM recognised the need to standardise data sharing governance by identifying good practice, building on the work of the Data Marketplace, and simplifying bottlenecks (e.g., data sharing agreements, MOUs, DPIAs).
• KM updated on the progress made so far: stakeholder mapping, collaborative workshop with the Data Sharing Network of Experts for initial feedback and alignment, engagement with Government Legal Department to support standardised data sharing agreements/MOUs, engagement with the data protection community and departments to standardise assessments (e.g., DPIAs) and better understanding of legal frameworks for data sharing, including data linking.
• Murat Soncul, MS (DSIT) reiterated that the work builds on the data marketplace program to standardise the end-to-end data request journey and address bottlenecks. They aim to work with as many departments as possible to amalgamate good practices into a standardised process.

Questions and Answers:

• Megan Clokey, MC (DCMS) discussed looking at data contracts and agreements for defining schemes for data pipelines and offered to chat offline, which KM agreed to arrange.
• Sophie Davis, SD (DESNZ) asked about input timing, and KM confirmed they are currently getting feedback and welcome stakeholder engagement.
• Jasbinder Singh, JS  (CO) asked about the completion date for the document. KM stated the landscape review should be ready by end of week/early next week, and standardisation in a couple of months. Jas offered to share Cabinet Office’s data sharing and quality frameworks and align with the new standards when ready.
• Graham Mckenna, GM (DWP) asked if the work covers data quality. KM confirmed they will link up with existing data quality teams to ensure coverage.

Actions:

• Finalise landscape review soon and present at future PRG & Steering Board meetings.
• Identify other relevant stakeholders and share key standards for data sharing considered as good practice.

4. National Data Library (NDL) Research Update: Benjamin Gilburt, BG (DSIT) and Elena Hess-Rheingans, EHR (DSIT)

Notes:

BG and EHS (Data Ethics Team) presented research on public attitudes towards the National Data Library.

• BG explained the National Data Library (NDL) manifesto pledge to help people discover and share datasets (potentially government-to-government, or with private companies, academia, NGOs, and for AI development) and their role was on the ethics and public trust workstream, assessing public reactions to the NDL’s potential activities.
• BG highlighted the existing research on the Publics Attitude Towards Data and AI tracker survey: with longitudinal survey showing generally low trust, but increases when personal benefit is clear.  Recent declines in trust related to accountability and fairness.  Concerns about data security and commodification with the public assuming the government is sharing data.  People are more concerned with the trustworthiness of the receiving organisation than the sharing organisation.
• BG explained the research design used an external supplier (Ipsos) for qualitative research (focus groups and one-on-one telephone interviews with digitally excluded people) to get honest feedback and rich data at an early stage of NDL development.  Sample size: 69 participants in focus groups, plus 10 digitally excluded individuals for one-on-one interviews.  Sample aimed for demographic representation (location, gender, age, ethnicity) and also considered capability (naive, middle, highly capable with technology) and baseline opinions on data trust (highly trusting, middle, highly distrusting).
• BG also highlighted four areas of research: baseline attitudes towards government data sharing, reactions to the NDL concept itself, rules and governance mechanisms that would build trust, preferred communication methods about the NDL and data use.
• EHG outlined the following key findings:  
• Low trust in government data sharing, technology use in government, and general scepticism.  Widespread assumption that the government collects vast amounts of data, sometimes conflating it with private sector data use.
• Personal experiences (e.g., positive examples of data sharing helping individuals) were strong drivers of positive attitudes.
• Demographic differences: Higher social grades more trusting and inquisitive; lower social grades and digitally excluded more sceptical.
• Term “National Data Library: Met with concern. “Library” suggested a central repository ingesting all data and being accessible to anyone, which did not align with the decentralised concept being communicated.
• Trust builders: Opt-in/out systems were desired (though hard to implement).  Trusted Research Environments were not well understood.  Anonymisation and data in aggregates were preferred over individual-level data sharing.

Question and Answers:

• SD (DESNZ) asked when the strategy and research are due to be published.  BG responded within the month.

5. AOB and Close - Idris Malji, IM, Chair (DSIT)

IM invited anyone with AOB to share their comments in the chat and closed the meeting by thanking all participants for their time and contribution.