It is a characteristic of a democratic system that the public have clear opportunities to understand and influence how that system works. Also, that it works in a way that is equitable and stable. As states digitise their public services, enable the use of digital identities by wider society, and make greater use of data in policymaking, how should government leaders ensure they maintain these principles?
This first blog looks at the concept of data usage trackers — a way for a member of the public to view a log of how data about them has been used.
Greater use of data to deliver public services opens up new and increased opportunities for real and perceived misuse of data. Examples range from isolated instances of individual public servants accessing data for malicious purposes - such as the example of the leaking of data about 14,000 people diagnosed with HIV in Singapore, to fears about the use of technology provided by external suppliers - such as the debate around the use of technology by the NHS during the current pandemic.
Digital public services can also result in a data ecosystem that is opaque to the public and their proxies. Recent user research by the UK Government Digital Service, for example, found that “people assume that data about them is already held centrally in government”, and the Canadian government’s Tell Us Once programme similarly found that the public “assume data is shared by default”1. In reality, data use is complex and has real-world consequences - as researchers at medConfidential found when trying to piece together the data flows of the UK’s Universal Credit welfare system, or when Public Health England had concerns about data sharing between the health and immigration systems in the UK.
In many countries, the public have rights to understand how data about them is used — such as the rights provided under GDPR — but, in practice, these often require people to actively request that information be disclosed, and to know who to request it from. Data usage trackers are interesting, in part, because they provide a complementary approach to general data rights. By providing a single, central service, a member of the public can view a log of how data about them has been used and by whom, without having to understand the structure of government.
What follows is a description of three examples of data usage trackers from Estonia, India and Chile. Descriptions are based on interviews with the teams responsible for them, and from public documents. The aim is to detail some basic facts about how these systems work so that designers and policy-makers in other governments looking to adopt or critique similar measures have a better starting point for their own work.
Estonia - Andmejälgija
In Estonia, citizens access the ‘andmejälgija’ (‘data tracker’) service by signing into the government's main public facing website, eesti.ee, and then clicking on the top-level ‘andmejälgija’ menu item. The service displays basic information on how data about a citizen has been used. The organisation that has accessed the information, the date it was accessed, and a reason, are shown in a list format. There are also basic filtering and sorting options.
An example screenshot of the Andmejälgija service, published by the Estonian Government
If a user has doubts or questions regarding the use of data, they can contact either the data requester or the data provider directly. The level of control varies to some extent, with additional controls for health data that allow users to explicitly restrict access to certain datasets (although users see a message advising against this). There is no central process for raising a query — users need to email the agency concerned. If that approach does not provide enough answers, the Data Protection Inspectorate provides a point of further escalation for the public.
According to Sander Randorg, the product owner for Andmejälgija, the service gets approximately 30,000 visits a month (an increase since it was given a more prominent position on eesti.ee). Some of those visits also come from government agencies who signpost the service to eliminate the need for manual enquiries. Not all agencies are included in the service, although there are moves to increase the number using it and eventually make it universal.2 The source code for Andmejälgija is published in the open along with documentation about how agencies can integrate with the service.
Randorg says the team receives a lot of positive attention and feedback for the service from the public. “By creating a unified way of recording the data usage logs to the public (i.e. a protocol) and a single point of access assures that people will find and understand the contents of such a service”. Communicating what has happened to users is not without challenges, though: “Right now we are rather explaining the data set itself, rather than the actual reason behind its use by a third party. What could be said from the quantifiable feedback we've received is that the reasons [for access] (e.g. a legal basis, a consent, data subjects own request etc.) are important to people and the better you describe the intentions the happier (or at least content with the data use happening) the public seems to be.”
Randorg says that the service is made substantially easier to manage due to Estonia’s unified X-Road data access platform. “We have a solid foundation by using X-Road as our transportation layer, as it is quite easy to modify the services technology-wise. It is a whole other story when we talk about redesigning hundreds of data exchange services to accommodate these kinds of features”. He suggests that teams from other countries developing similar services need to ensure that their data exchange systems are designed with a “transparency by design” mindset, and that the same mindset should guide the way audit logs are created inside public agencies: “it should be expected that most if not all of the information should be accessible by the public”. He also points out that in Estonia, transparency is quite unanimously accepted as something necessary in the relations between the citizen and the government.
Luukas Ilves, former digital policy lead during Estonia’s 2017 EU Presidency, and now head of Strategy at Guardtime, also made this point. “There is an expectation by Estonians of no misuse, and there is a clear understanding by public servants of data protection measures. They know that there is auditing and that improper data access will be discovered. Transparency measures work on a systemic level, even if only 0.01% of people actively avail themselves of them”. News coverage of misuse of data, such as a recent example of a medical worker aiding a police officer to check up on their spouse, helps to reinforce public understanding.
India - Aadhaar Authentication History & Aadhaar Update History
While Estonia’s data tracker aims to help citizens understand when data from a government registry has been used, the Indian government’s Aadhaar Authentication History service aims to help its users understand when their government-issued digital identity has been used. Linked to from the Unique Identification Authority of India’s (UIDAI) website, Aadhaar Authentication History gives users access to a six-month authentication history for their Aadhaar identity.
It was not possible to interview someone from the Aadhaar Authentication History team, but UIDAI’s FAQs and tutorial videos explain the information that is presented to users.3 4 5
Example screenshot Aadhaar Authentication History (2017) published by UIDAI
Example screenshot Aadhaar Authentication History (2019) published by UIDAI
The information shown includes a timestamp for each authentication, whether the authentication was successful, the method (e.g. biometrics or a one-time passcode), the name of the service or agency that was accessed using the identity (called an Authentication User Agency), and any error or response codes, which are displayed as a number (e.g. 800 means “invalid biometric data”). As with the Estonian data usage tracker, users who spot something anomalous need to contact the agency concerned directly; there is no inbuilt escalation route.
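The Estonian and Indian services log different events (use of registry data versus use of an identity to sign in) but surface them in the same way: an append-only record made at the exchange layer, then a per-person list view with filtering and sorting. The following is an added example written for this post; it is not code from Andmejälgija, UIDAI or ClaveÚnica. It assumes a hypothetical exchange-layer hook (`serve_registry_data`) that logs before it returns data, a retention window of 183 days standing in for Aadhaar's six months, and constructed organisations, subjects and timestamps. The only response code it gives a meaning to is 800, the one the post quotes; any other code is shown as unrecognised rather than given an invented meaning.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Union

# The only response code the post documents. Anything else is rendered as
# "unrecognised" rather than given an invented meaning.
RESPONSE_CODES = {800: "invalid biometric data"}


@dataclass(frozen=True)
class DataAccessEvent:
    """One use of registry data, Andmejälgija style: who asked, who served it, and why."""
    subject_id: str   # the person the data is about
    requester: str    # organisation that asked for the data
    provider: str     # registry that served it
    dataset: str
    reason: str       # legal basis, consent, the data subject's own request ...
    at: datetime

    def organisation(self) -> str:
        return self.requester

    def render(self) -> str:
        return f"{self.at:%Y-%m-%d %H:%M} {self.requester} read '{self.dataset}' from {self.provider}: {self.reason}"


@dataclass(frozen=True)
class AuthenticationEvent:
    """One use of a digital identity to sign in, Aadhaar Authentication History style."""
    subject_id: str
    agency: str                  # Authentication User Agency / relying party
    method: str                  # "biometric", "otp", ...
    success: bool
    response_code: Optional[int]
    at: datetime

    def organisation(self) -> str:
        return self.agency

    def describe_code(self) -> str:
        if self.response_code is None:
            return "ok"
        meaning = RESPONSE_CODES.get(self.response_code, "unrecognised code")
        return f"{self.response_code} ({meaning})"

    def render(self) -> str:
        outcome = "success" if self.success else "failure"
        return f"{self.at:%Y-%m-%d %H:%M} {self.agency} authenticated via {self.method}: {outcome}, {self.describe_code()}"


Event = Union[DataAccessEvent, AuthenticationEvent]


class UsageTracker:
    """Append-only log with a per-subject view. A subject only ever sees their own rows,
    and rows older than the retention window are not shown (183 days approximates six months)."""

    def __init__(self, retention: timedelta = timedelta(days=183)):
        self._events: List[Event] = []
        self.retention = retention

    def record(self, event: Event) -> None:
        self._events.append(event)  # rows are never updated or deleted, only appended

    def history(self, subject_id: str, *, now: datetime, organisation: Optional[str] = None,
                since: Optional[datetime] = None, newest_first: bool = True) -> List[Event]:
        cutoff = now - self.retention
        if since is not None and since > cutoff:
            cutoff = since
        # Filter on subject_id first: the view is scoped to the signed-in person.
        rows = [e for e in self._events if e.subject_id == subject_id and e.at >= cutoff]
        if organisation is not None:
            rows = [e for e in rows if e.organisation() == organisation]
        return sorted(rows, key=lambda e: e.at, reverse=newest_first)


def serve_registry_data(tracker: UsageTracker, registry: dict, subject_id: str, requester: str,
                        provider: str, dataset: str, reason: str, now: datetime):
    """Hypothetical exchange-layer hook, transparency by design: the lookup is logged
    before the data is returned, so an individual service cannot opt out of the audit trail."""
    tracker.record(DataAccessEvent(subject_id, requester, provider, dataset, reason, now))
    return registry.get((subject_id, dataset))


NOW = datetime(2020, 6, 1, 12, 0)  # constructed "current time" for the sample data


def build_sample_tracker() -> UsageTracker:
    """Constructed sample data: every organisation, registry and subject here is made up."""
    tracker = UsageTracker()
    registry = {("subject-A", "address"): "1 Example Street", ("subject-B", "address"): "2 Example Street"}
    serve_registry_data(tracker, registry, "subject-A", "Tax Board", "Population Register",
                        "address", "legal basis: annual tax assessment", NOW - timedelta(days=2))
    serve_registry_data(tracker, registry, "subject-A", "Tax Board", "Population Register",
                        "address", "legal basis: annual tax assessment", NOW - timedelta(days=200))  # past retention
    serve_registry_data(tracker, registry, "subject-B", "Health Board", "Population Register",
                        "address", "data subject's own request", NOW - timedelta(days=1))
    tracker.record(AuthenticationEvent("subject-A", "Example Bank", "otp", True, None, NOW - timedelta(days=1)))
    tracker.record(AuthenticationEvent("subject-A", "Example Ration Shop", "biometric", False, 800, NOW - timedelta(hours=5)))
    return tracker


if __name__ == "__main__":
    for row in build_sample_tracker().history("subject-A", now=NOW):
        print(row.render())
```

Run as a script, it prints subject-A's three visible rows newest first; the 200-day-old access is retained in the log but hidden from the view, and subject-B's row never appears because the view is keyed on the signed-in subject before any other filter is applied. Recording inside `serve_registry_data` rather than inside each consuming service is the point Randorg makes about X-Road: the log is a property of the exchange layer, not of hundreds of individual services.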
In addition to Aadhaar Authentication History, UIDAI also operates a separate service for viewing and checking historical updates to the data held against the Aadhaar account, such as a user’s address.6 7
Chile - ClaveÚnica mi actividad
ClaveÚnica is Chile’s digital identity platform. It is built on top of the existing civil identity registry and uses the OpenID Connect standard. Over nine million Chileans have a ClaveÚnica account and it is integrated into services provided by multiple government agencies.
When signed in to their ClaveÚnica account, a user can access a basic data tracker called ‘mi actividad’ (‘my activity’). It is similar to the Aadhaar Authentication History service, in that it allows users to see when their identity has been used to sign in to a digital service, and the organisation responsible for that service.
Example screenshot ClaveÚnica Mi actividad, provided by the product team
The current functionality of mi actividad is quite basic, but the team is actively developing the service and has plans for a more powerful system. This work is taking place alongside the development of an interoperability network for the exchange of data between different government agencies.
Emilio Muñoz, product owner for ClaveÚnica, and Francisco De la Carrera Sepúlveda, product owner for interoperability, described their ambition to use this interoperability network and the ClaveÚnica account as a base for a broader data tracker service along the lines of Estonia’s. "We are aiming for the Estonian example. Citizens will be able to give or deny access to an institution". They also explained that the way the government is organised is different from Estonia, meaning the technology approach must be different - “departments are more like islands, so we have to adapt to the technology of the departments".
The ClaveÚnica team see transparency as important for the further uptake of the platform. “Today we have 9 million users, but we need different strategies for reaching more users. Trust and transparency are part of the digital inclusion strategy.”
Questions for states looking to create data trackers
Data trackers are clearly an emergent pattern and it is unlikely that these examples will transpose exactly to other states. Different attitudes to privacy, rights structures and technology landscapes will all play a part. There are, however, some questions raised by these examples that other countries should consider.
Firstly, the designs are relatively basic. Users must spot anomalies from relatively sparse information and, in the case of Aadhaar, understand technical error codes. With few examples to copy, and limited parallels in the private sector, this is understandable (Google’s My Activity is one rare example). This is clearly an area that would benefit from more user-centred design research to understand different ways of making this information meaningful to users, and for different governments to share their learnings in the open.
Secondly, all three represent examples of using technology and design to abstract the structure of government, while simultaneously creating space to describe the actions of the institutions making use of data. There is one place to understand interactions with a range of government agencies. They also represent a piece of shared infrastructure for government - a platform for agencies to make use of. Countries looking to emulate this approach will need to ask themselves if they have the capability in place to design and operate such a shared central platform.
Finally, data trackers are designed around the idea of an individual citizen playing the role of guardian against the misuse of the data that is held about them. The question that needs to be asked is: which types of user does this serve, and is it enough? Data trackers feel like “power user” tools. That may be acceptable if, by their very existence and use by a minority of users, they contribute to public trust. Or do additional tools need to exist to support users in understanding how data about them is used, either at the point of use of services or through third sector organisations?
If there is one underlying principle that may be replicable, it is this: while citizens should not have to understand how data about them is used by the state to interact with it, that does not have to mean denying them routes to do so when the circumstances demand it. Estonia, India and Chile are actively exploring how to achieve this.
1 “Tell Us Once/Single Window Prototype: Research Through Design Final Summary Report”, 2020, Office of the Chief Information Officer of Canada & Treasury Board of Canada Secretariat.
2 Interview with Luukas Ilves, former digital policy lead during Estonia’s 2017 EU Presidency, now head of Strategy at Guardtime.
About the author
Richard Pope, Affiliated Researcher
Richard was part of the founding team at the UK Government Digital Service, working as product manager for the first version of GOV.UK, which went on to win the Design of the Year award in 2013, and co-authoring the Digital by Default Service Standard, which ...