Concerns Over Foreign Data Storage
A member of the House of Lords has voiced significant concerns regarding the storage of UK government data, including sensitive NHS patient records, in foreign jurisdictions. These concerns stem from inadequate cybersecurity protections, a situation described as "unacceptable" as the government progresses with plans for a voluntary digital identity system.
Baroness Manzila Uddin, co-chair of the All-Party Parliamentary Group on Decentralized Digital Identity, highlighted in an interview that critical government data is being outsourced to countries like the United States and Romania. She stated that there are no sufficient guarantees that this data will continue to be protected under UK data protection standards.
"A lot of the data for GP patients go all the way to America. And I think this is unacceptable," Baroness Uddin stated. She noted that other nations, such as Saudi Arabia, the UAE, and Singapore, have implemented measures to ensure their data remains within their own national cloud infrastructure. Baroness Uddin expressed a desire for similar assurances for UK data, indicating that such guarantees are currently lacking.
The Baroness specifically pointed to the Gov.UK infrastructure, suggesting it is being outsourced without adequate oversight. She articulated, "If the primary source of government data collection, Gov.UK, is being harnessed somewhere else, say, outsourced somewhere, and we don't have any checks and balances and obligation for cybersecurity resilience, data protection like we would here, I think that's a worry."
Romania was identified as another location where UK government data is reportedly stored. Baroness Uddin questioned whether cost considerations might be taking precedence over security priorities in these outsourcing decisions.
"If all of the citizens are the customers of the government, gov.uk, then why is it in Romania? Is it because simply they bid the lowest amount of money for running the contract? And those are the questions that we need to ask."
Digital Identity System and Public Skepticism
These concerns arise as the UK government actively promotes its voluntary digital identity system. This initiative has encountered public skepticism, particularly given the historical rejection of a similar mandatory identification system proposed by the Labour government in 2008.
Baroness Uddin acknowledged the persistent public opposition to mandatory identification systems within the UK. She recalled, "As you know, I think it's 2008, the Labour government tried to implement a digital ID and the context was very clear that our public did not support it."
She expressed apprehension that the current digital identity proposal is being implemented incrementally, bypassing transparent public consultation. Baroness Uddin observed, "I know that it's doing it almost through the back door. So for instance, the proposal is that all our driving licenses will be digital footprint. Maybe following that there'll be a proposal for the next set of passports to be like that."
Despite these concerns, Baroness Uddin clarified that she personally has no objection to digital identity systems, provided there is transparency regarding data handling. She stated, "As someone who co-chairs the digital identity parliamentary group, I have no problem with having an ID. We have IDs for so many aspects of our lives now. I think my concern, and I think there's a lot of concerns at the public level, is where is this data going?"
Broader Cybersecurity Vulnerabilities
Baroness Uddin shared a personal experience that she believes illustrates wider cybersecurity vulnerabilities, particularly within financial services. She recounted, "As soon as my family member dropped the call with Amex, for instance, there was an immediate call from someone else saying they're Amex and they had all the information and that's supposed to be a secure environment where you talk about the financial interaction." This incident suggests that even major corporations may lack sufficient safeguards against data breaches and fraud.
She argued that both large corporations and local government entities often lack the necessary resources to defend against sophisticated cyber threats. Baroness Uddin explained, "Whether it's an energy bill or it's local government, there isn't simply enough financial incentive or resources to safeguard against some of these very, very bad actors who are defrauding."
Digital Exclusion and Education
A significant aspect of Baroness Uddin's concerns relates to digital exclusion and the inadequate public education surrounding data rights. She pointed out that approximately one million UK households do not have internet access or smartphones, rendering them susceptible to exclusion from digital services.
Baroness Uddin suggested that the issue of digital exclusion is sometimes framed in a way that justifies expanding data collection rather than protecting vulnerable populations. She stated, "When exclusion happens, we are only talking about exclusion so that we can argue that we have to have greater reach of including people into this mire of voluntary data gathering."
She stressed the critical need for comprehensive digital literacy education, starting from childhood. "In many countries like Japan and elsewhere, children are taught very early to safeguard themselves on the net. And I think that is something very critical, not just education of our members in parliament, but members who are not in this space, because all these entrepreneurs and companies are making money on the back of all of our ill-informed practices,” she commented.
Baroness Uddin referenced a recent experience with the All-Party Parliamentary Group on Children, where young people demonstrated a sophisticated understanding of digital risks.
"We had children coming here acting in their role as parliamentarians, asking expert questions. And they're very insightful questions, they're much more aware than our generation or maybe even your generation. So the eagerness to learn is there."
Regulatory Challenges and Data Sovereignty
Baroness Uddin argued that current regulatory frameworks struggle to keep pace with rapid technological advancements. She observed, "As soon as you safeguard one framework, another one will appear and it will be beyond our control. So it has to be very fluid, all our legislation has to be very fluid in order to meet the demands of advanced technology."
She noted that existing regulations, such as GDPR, have not effectively prevented excessive data collection or unauthorized data sales. Baroness Uddin expressed her fears: "At the moment many institutions including governing institutions, private sector organizations are asking for excessive data. And it's not necessary. My fear is when we are collecting that level of details, who's hosting it? Where is it being kept? Who's monitoring it? Who's tracking it? And is it going to go into the dark web and someday be used against us as individual citizens?"
She further stated that organizations can currently acquire citizen data from local governments without significant restrictions. "People can buy from the local government a whole lot of our data, they can buy it. Because at the moment there's no restriction. So GDPR obviously has some boundaries, but people are still collecting and mining our data for their well-being,” she explained.
Support for Decentralized Identity and Data Control
When discussing decentralized identity systems, particularly those based on blockchain technology, Baroness Uddin expressed support for approaches that empower citizens with control over their personal data. She stated, "The promise of new digital technology, including Web3 and AI and all of that, is that we will have a democratic system of exchanging information so that it would become our own private sources of information and we as an individual decide whether we want to give access or not."
However, she reiterated that any such system must prioritize citizen data sovereignty.
"If we are going to continue with this trend, where is my data? Who is having it? Why are they not accountable? Why are they giving it away to people who can buy it?"
Baroness Uddin suggested that blockchain solutions could offer a viable alternative to current models of outsourced data storage. She believes, "The promise of new emerging technology is democratization of information so that you have much more say in how information about you is kept, sent out, given, whatever. That has to be the primary, one of the primary principle commitments of the government.”
Alignment with EU Data Standards and US Reliance
Baroness Uddin indicated a preference for aligning UK data standards with those of the European Union rather than the United States. She explained, "I know that there are discussions about who we align with and I would have much preferred that we aligned with the EU because they are our neighbours, they are our borders."
She voiced concerns about the UK's increasing reliance on US technology companies for critical infrastructure. Baroness Uddin added, "I suppose we need to make sure that we're not going to the US for everything. Just because they are our special relationship and we have an obligation to do ABC, whatever. Recently there were talks of a particular large corporate organization taking over our security. I'm very concerned about that."
The Baroness emphasized that maintaining data sovereignty within the UK is crucial for preserving the nation's reputation as a secure financial hub.
"I want the brain drain to return here and to make sure that whatever we end up doing in terms of whether its digital ID is sovereign, digitally sovereign to the UK, that for me is really critical. If it's digitally sovereign in the UK, then it will be digitally sovereign for the individual because we respect individual rights,” she said.
Economic Growth and Public Trust
When questioned about claims that digital identity systems could accelerate economic growth, Baroness Uddin expressed skepticism. She stated, "I don't think we have proven the case. I know that some of the stakeholders have experience. Sweden was cited as good practice, Utah, Wyoming. But I don't think we have anything so far in the UK to demonstrate either the economic growth or the use case as a positive gain for ordinary citizens. I think that large corporations are continuing to benefit."
Baroness Uddin raised doubts about the government's ability to implement digital identity systems effectively, given the current levels of public distrust. She commented, "In the current framework of public mistrusting government, as you know, the government has been facing a huge amount of criticism with various policies. So I don't know if we can actually claim the confidence of the public. So in light of that, I don't know how they will manage. There is not clear indication of how they intend to win over public confidence and trust for a digital ID."
She cautioned against implementing such systems through emergency measures, drawing a parallel to the COVID-19 pandemic. "I think that public feel that they are forced to give out as much information as possible because people think, if I've got nothing to hide, nothing to lose. But that's not the case because the information you're giving becomes somebody else's asset."
The Baroness concluded by highlighting the necessity of regulatory frameworks built on trust and confidence. "Everything that we're doing about any proposed regulatory framework has to be based on trust and confidence. That goes without saying, and I think that's where the problem lies."
She called for establishing standards that protect individual rights while simultaneously allowing for technological innovation. "If we are going to have a digital ID, we have to have a legacy of trust and confidence and then making sure that the framework is flexible enough for people to come and work with us."
Baroness Uddin suggested that if the UK prioritizes data sovereignty, its regulatory approach could establish global benchmarks. "I think we can set a great benchmark for others to follow, including the US. I think we have a sufficient amount of credibility and so many institutions came out of Britain that are now operating in Dubai and Singapore and the US,” she stated.