Vulnerability Working Group - Notes 5th Meeting
Updated 4 July 2025
Attendees
- Firoze Salim (FS), DSIT
- Idris Malji (IM), DSIT
- John Olatunji (JO), DSIT
- Jeanette Rycroft (JR), Wigan Council
- Nicholas Oughtibridge (NO), NHS England
- Paul Davidson (PD), SAVVI
- Debbie Spiers (DS), HMRC
- Fiona O’Carroll (FO), HMRC
- Shona Nicol (SN), Scottish Government
- Malcolm Davies (MD), HM Treasury
- Kirsty Hendry (KH), DLUHC
- Suzanne Fry (SF), DSIT
- Nailah Ukaidi (NU), SAVVI
- Damian Rees (DR), DHCW
- Sadia Siema (SS), DSIT
- Andrew Vourdas (AV), DSIT
- Guha Shantanu (GS), DWP
- Murat Soncul (MS), DSIT
- Simon Roberts (SR), Improvement Service
- Kiran Mistry (KM), DSIT
- Luisa Braig (LB), Social Finance
- Iain Pick (IP), DfE
- Shelley Heckman (SH), SAVVI
- James Freeland (JF), DSIT
- Emma Smith (ES), DfE
- Arushi Gupta (AG), Cabinet Office
- Kate Cooper (KC), LGA
- George Russell (GR), DHSC
Apologies:
- N/A
Record of discussions
1. Welcome, introductions and agenda - Firoze Salim (FS), Chair - DSIT
FS opened the meeting by welcoming all attendees and outlining the agenda, which focused on updates to the SAVVI project, API development, standardising terminology, and establishing a trust framework for data sharing. FS acknowledged the contribution of key members and emphasised the importance of aligning on standards to improve the identification and support of vulnerable individuals.
2. Workstream 1: Modeling and APIs - Paul Davidson (PD), SAVVI
PD provided an overview of progress to date, including the concept and logical models underpinning the SAVVI (Scalable Approach to Vulnerability via Interoperability) framework. These models define core entities such as “Person”, “Residence”, “Household”, and “Risk Indicator”, as well as their relationships and the attributes needed to represent them in digital systems.
One of the key components of the model is the use of binary indicators to capture vulnerability-related characteristics (e.g. “Oxygen user: Yes/No”, “Lives alone: Yes/No”). These indicators are designed to be simple, consistent, and machine-readable, enabling them to be aggregated and interpreted by vulnerability assessment engines.
PD highlighted that the model is structured to separate identifiers (such as NHS numbers or UPRNs) from attributes (such as risk indicators) to support both data minimisation and compliance with data protection principles. This ensures that systems can query and combine data for decision-making without unnecessarily exposing sensitive personal information.
In terms of technical delivery, PD showcased early API designs based on the OpenAPI specification (OAS), which support:
- Retrieving risk indicators for an individual, given a verified identifier
- Querying for risk indicators associated with a property or household (e.g. using a UPRN)
- Accessing metadata about indicators, such as their source, update frequency, and confidence level
These APIs are being developed to be RESTful, with a focus on clarity, reliability, and ease of integration with existing public sector systems. PD noted that they are deliberately domain-agnostic, allowing for use across a wide range of services, from emergency response to welfare provision.
PD had a meeting with Alex Smith and James Freeland and they are currently scheduling for PD to present to the API community including. JF endorsed the RESTful approach and cautioned against premature adoption of GraphQL, citing potential performance and complexity concerns, especially for multi-layered queries across linked entities.
NO raised the importance of semantic precision in API design, especially when working with sensitive or context-dependent attributes such as gender and sex. He also suggested that the API architecture should accommodate features such as cohort tracking, which would allow users to subscribe to updates when an individual’s vulnerability status changes—an idea PD acknowledged as valuable for future iterations.
The API models are being iteratively refined based on stakeholder input, with a prototype implementation planned to support testing and demonstration. PD noted that reusability and modularity are key design principles, and that the models will be freely available for local authorities and partners to adopt or adapt.
In closing, PD emphasised that Workstream 1 is central to delivering on the broader goals of the Vulnerability Data Standards Group, as it provides the infrastructure and tooling necessary to make data-sharing safe, efficient, and actionable. He encouraged continued feedback on the API specifications and logical models, and confirmed that updated documentation would be shared in advance of the next steering group review.
3. Workstream 2: Update on Taxonomies and Terminologies - Andrew Vourdas (AV), DSIT
AV presented an update on Workstream 2, which aims to tackle one of the fundamental barriers to effective data interoperability: inconsistent use of terminology across departments, local authorities, and sectors. He emphasised that this challenge not only hinders technical alignment, but also undermines confidence in the accuracy and relevance of shared data - especially when used to identify and support vulnerable individuals.
AV explained that Workstream 2 is focused on developing a shared set of definitions and vocabularies that can be adopted across organisations to ensure clarity, consistency, and machine-readability of key terms. This is essential for enabling automated systems to understand and act on data reliably, and for ensuring that human decision-makers are operating from a common semantic foundation.
The workstream is being structured around a defined process that includes the following stages:
- Identifying domain experts and special interest groups to advise on terminology in specific areas such as housing, health, education, or emergency response.
- Gathering existing term usage from across departments and local authorities, identifying overlaps and variations in how terms are defined and applied.
- Investigating applicable public ontologies or controlled vocabularies, such as those published by central government, standards bodies, or sector-specific regulators.
- Evaluating, comparing, and proposing standardised definitions, ensuring they are fit for purpose and aligned with both operational use and legal frameworks.
- Incorporating feedback from the Terminology Group and other experts, including service designers, data architects, and governance leads.
- Validating definitions against an agreed taxonomy framework, ensuring structural coherence and the ability to scale across different domains and datasets.
- Finalising and publishing definitions, ideally via a centralised and open terminology service to support consistent adoption and ongoing governance.
AV encouraged attendees to nominate themselves or colleagues to join a subgroup that will drive this work forward. The initial focus will be on a use case related to work being done by Resilience Direct, such as those used in the context of flooding and extreme weather. This domain was chosen for its urgency and relevance, and for the presence of well-documented risk indicators that could provide a useful starting point.
PD supported this approach and suggested engaging with Resilience Direct and other emergency planning stakeholders, who are already using structured data to support their work. PD noted that aligning definitions across operational systems and planning tools would bring immediate benefits to local authorities and partners dealing with civil contingencies.
4. Workstream 3: Update on Trust and IG Framework - Kiran Mistry (KM), DSIT and Nailah Ukaidi (NU), SAVVI
KM and NU presented an update on Workstream 3, which is focused on developing a Trust Framework to support responsible and secure data sharing across public sector organisations. The goal of the framework is to provide a shared set of principles and practical mechanisms that can be used to build and maintain trust among data providers, processors, and users—particularly in the context of identifying and supporting vulnerable individuals.
KM explained that the Trust Framework is currently in a discovery phase, during which key components and expectations are being defined in consultation with stakeholders from across government. This includes representatives from DSIT, GDS, the DSA, legal and ethics teams, and local authority partners. The discovery phase is intentionally broad to ensure the framework is inclusive, robust, and adaptable to real-world data sharing scenarios.
Core areas under exploration include:
- Legal foundations for data sharing (e.g. Data Protection Act, UK GDPR)
- Ethical standards around purpose limitation, data minimisation, and fairness
- Transparency and accountability, including audit trails and user access management
- Risk assessment procedures for data exchanges
- Standards for data quality and provenance
- Inter-organisational agreements, such as data sharing memoranda and service-level contracts
KM emphasised that the Trust Framework is not intended to duplicate existing governance structures, but rather to harmonise and support them by offering a reusable, adaptable model. One ambition is for the framework to help overcome reluctance to share data by clearly articulating the conditions under which sharing is both lawful and beneficial.
Pilot projects are planned to test the application of the Trust Framework in practical settings. These pilots will provide insight into how the framework performs in diverse contexts—for example, between central government departments and local authorities, or in multi-agency partnerships addressing complex needs.
KM invited participants to engage with the discovery work and encouraged expressions of interest from organisations keen to participate in pilot initiatives.
NU provided an update from the National Information Governance Committee (NIGC). NU stressed the importance of embedding information governance considerations early in data standards and design. NU also emphasised that clarity around purpose, consent, and lawful basis is critical when dealing with vulnerability-related data.
NU encouraged the group to align its work with wider ethical and regulatory guidance, including transparency obligations and accountability to the public. NU highlighted the opportunity for this group to demonstrate best practice in cross-sector governance, and offered support from the NIGC to help shape the Trust Framework and standards development.
AOB and close - Firoze Salim (FS), Chair, DSIT
FS closed the meeting by thanking attendees for their contributions. He confirmed that links to the SAVVI logical model and API specifications would be shared for further feedback. Work on terminology and API development would continue in subgroups, and feedback would be consolidated ahead of the DSA Steering Board presentation.
FS also gave special thanks to NO for his valuable input to the group, noting that this was his final meeting.