Transparency data

DSA Steering Board Minutes, Tuesday, 1 July 2025 (HTML)

Updated 28 August 2025

Attendees

  • Jenny Brooker, Chair (DSIT)

  • Firoze Salim (DSIT)

  • Alex Smith (DSIT)

  • James Freeland (DSIT)

  • Charles Baird (ONS)

  • John Olatunji (DSIT)

  • Idris Malji (DSIT)

  • Hattie Kennedy (MHCLG)

  • Zelda Wheatley (DWP)

Record of discussions

1. Welcome and introductions - Jenny Brooker, JB, Chair (GDS)

  • JB opened the meeting by welcoming all attendees and thanking them for their time.

  • JB highlighted the two main agenda items for the session:

    - Personal Data Security Principles

    - Essential Shared Data Assets (ESDAs) and the Data Ownership Commitments

2. Personal Data Security Principles, Alex Smith, AS (DSIT)

Purpose and Scope

AS introduced the Personal Data Security Principles, developed to address inconsistencies in how personal data is processed and protected across government services.

Intended for system designers, developers, delivery teams, and commercial/legal professionals involved in building and maintaining digital services—not for routine personal data handlers.

Key Motivators for Development

Inconsistent approaches to personal data security across departments.

Rise in cyber threats and public sector breaches involving sensitive data.

Need for cross-cutting guidance that sits between existing cybersecurity principles (e.g., Secure by Design) and data protection rules (e.g., GDPR, ICO guidance).

Risk Context

Focus on protecting vulnerable and at-risk individuals in datasets—e.g., those in witness protection, sensitive government roles, or high-profile public figures. 

Emphasis on risks when sharing personal data or combining datasets across systems—especially in population-scale services.

The Principles

A total of 10 principles were agreed upon (originally 11; the 11th relating to enforcement was removed for the initial publication phase). 

Highlights include:

  • Principle 3: Addressing supply chain risks and third-party systems.

  • Principle 4: Reinforcing lawful and ethical data processing aligned with data protection laws.

  • Principles 8 and 9: Inclusion of at-risk individuals and appropriate use of personal identifiers when combining datasets.

  • Principle 10: Ensuring team capabilities, clearances, and competencies for personal data security.

Next Steps and Implementation

Published on GOV.UK as voluntary guidance; not mandatory at this stage.

Departments such as ONS are volunteering to pilot and test adoption.

Intention to iterate based on feedback and explore formal adoption in future versions.

Plan to publish a technical blog post to further socialise the principles.

Discussion Points

Charles Baird (ONS) referenced the “toxicity matrix”, which helps assess data risk levels. Though not widely published yet, DSIT acknowledged its relevance and may consider referencing it in future guidance iterations.

Departments invited to nominate contacts to support rollout and testing.

Action:

  • Departments to nominate contacts for pilot testing and provide initial feedback.

3. ESDAs and Data Ownership Model, Firoze Salim, FS (GDS)

Context and Progress to Date

FS gave an update on the progress of the ESDAs and data ownership artefacts following beta testing and working group consultations.

Artefacts are intended to underpin key government initiatives, including:

Planned Next Steps

Intend to seek collective Cabinet Committee agreement in late July or early August 2025.

The process includes internal governance approvals and socialisation across government bodies.

Clear ministerial backing sought to ensure cross-government commitment and alignment.

Draft Departmental Commitments

Phase 1 (First 6 Months – Identification Phase)

Departments and ALBs to:

  • Identify and provide metadata for assets meeting ESDA criteria (esp. for service delivery and statistics).

  • Engage with key ALBs to coordinate phased rollout.

  • Adopt and embed data ownership policies for identified assets.

  • Identify and document all data sharing agreements related to ESDA assets.

  • Audit open data assets on data.gov.uk to confirm continued relevance and discoverability.

Phase 2 (Next 6 Months – Minimum Standards Phase)

Departments to:

  • Expand ESDA identification across other categories (e.g., policy, compliance, resilience).

  • Develop data quality action plans for at least 80% of identified ESDA assets.

  • Audit compliance with minimum government data standards, such as UPRNs.

  • Ensure compliance with Sensitive Identity Protection (SIP) guidelines where applicable.

  • Commit to ongoing metadata maintenance and notification of changes (e.g., data owners, status).

  • Conduct annual reviews of ESDA metadata to ensure accuracy and currency.

Discussion and Feedback

Charles Baird (ONS): Strong support for the direction and commitments; keen to align with minimum standards efforts internally and across external data partners. 

Zelda Wheatley (DWP): Sought clarity on what identifying data sharing agreements entails. 

FS clarified that high-level information on reuse cases, legal basis, and frequency of sharing would be sought—not detailed contents of agreements. 

Departments expressed concerns around:

  • Funding and resource pressure

  • Navigating ALB independence and influence

  • Need for central coordination and communication support from DSIT and GDS

Actions:

  • Departments to review and provide comments on the draft commitments by 10 July 2025.

  • DSIT to support communications and central messaging.

4. AOB and Close, Jenny Brooker, JB, Chair (GDS)

Any Other Business

Domain Expert Group: Attributes of a Person

Presenter: Firoze Salim (DSIT)

  • Update on the reinstatement of the Attributes of a Person domain expert group following the passage of the DUO Bill.

  • Work was paused due to sensitivities around definitions of sex and gender.

  • Group to reconvene in July 2025 to continue defining standards for key personal attributes (e.g., name, DOB, gender).

  • Departments encouraged to ensure representation in the working group.

Action:

  • Departments to reconfirm or nominate participation in the expert group by 12 July 2025.

Closing Remarks

  • JB thanked all speakers and presenters.

  • Encouraged departments to:

    - Review and share feedback on draft ESDA/data ownership commitments

    - Nominate points of contact for personal data security principles testing

    - Ensure participation in the Attributes of a Person expert group