How data consent underpins Sunderland City Council's IoT projects

Local authorities are increasingly turning to internet of things (IoT) use cases to find solutions to their delivery challenges. But they're also learning to navigate new dilemmas from using devices and sensors that collect huge amounts of data, sometimes anonymised but sometimes personal.

Liz St Louis, Assistant Director of Smart Cities at Sunderland City Council, explains to Government Transformation how transparency and consent are essential to build trust with the people that local authorities serve - and why cybersecurity is at the top of the agenda.

Consent at the core of IoT use cases

A survey carried out by the Economist Intelligence Unit before the pandemic found that the majority of respondents (92%) want to control what personal information is automatically collected by IoT devices, and 74% were concerned that small privacy invasions may eventually lead to a loss of civil rights.

St Louis acknowledges that the huge increase in data collection and sharing by organisations, whether private or public, is moving people to become more concerned about how their data is being used. In Sunderland, the UK’s ‘smartest city’, data transparency has always been a precondition to any technology implementation, she says.

“When you're working in the world of digital transformation, I think you have a real duty to be very open and transparent with what you're doing [with data] and why you're doing it,” St Louis tells Government Transformation. “We've had, shared and been the custodians of people’s data for years and years; we take our duties around that very, very seriously.” 

We can only use data for the purposes it was shared

Data collection is essential for local authorities to perform their statutory duties, from delivering social services and providing education, to maintaining roads or bin collections. St Louis reckons that local authorities are “largely very trusted” to secure people’s data and they have a reason to believe so. 

“It's our duty to make sure that the public knows that we're safeguarding that information, and that we're using it wisely and only ever using it for the purposes it was shared with us,” she adds. “That's really important: we can only use data for the purposes it was shared for and if there's a legal gateway that exists to share that data. If there is a legal gateway, then absolutely we can proceed, if there isn't, then we can't.” 

From the outset of every IoT project, St Louis and her team will always begin with a data privacy impact assessment. Underpinning the trust in how local authorities use people’s data to deliver services lies consent. This is particularly relevant to IoT use cases that involve older or vulnerable people. 

Like other councils around the country, Sunderland uses IoT devices in residents’ homes to allow them to live independently. Sensors that monitor room temperature or detect if a kettle is switched on are used to warn family or carers in case of a fall or lack of activity. Before these devices are installed in users’ houses, the council makes sure that users and their families or carers are fully aware of how the technology works and what they do with their data.

“We make sure that there's a full understanding, and everybody's absolutely aware of exactly what's happening,” says St Louis. “Within that we've done a significant amount of user consultation working with carers, family members, individuals themselves, to help develop the systems and the processes that we use.”

To inform users about how the council uses the technology and data, they have produced short videos and easy to read informative materials: “It all obviously goes back to our statutory duty that we have as a local authority in terms of Adult Social Care, and keeping people safe in communities,” adds St Louis.

Strong cybersecurity foundations

In the case of anonymised data, like that collected for traffic management or building emissions monitoring, the considerations around privacy are different. “Basically, they are objects, so you take away some of the concerns around data privacy,” says St Louis. However, although personally identifiable data is not an issue here, cybersecurity standards are still kept at their maximum.

As councils take their services online, local authorities are increasingly becoming targets for cyber gangs. Between 2013 and 2017, 29% of the UK’s councils experienced at least one security breach, according to a report by privacy campaigning group Big Brother Watch. To strengthen local authorities' cyber capabilities, the Chancellor announced during the 2021 autumn review that English councils would receive £85.8m to deal with cybersecurity.

St Louis explains that all providers they work with are always assessed against the National Cyber Security Centre’s (NCSC) guidance and cloud principles. In 2016, the NCSC published 14 security principles designed to give guidance to cloud service providers to protect their customers. 

The council also carries out regular penetration testing to ensure that devices are safe, up to date, patched and meet the latest security standards: “We always make sure we take full ownership and responsibility for equipment as it's installed.”

Cyber security will continue to be at the core of Sunderland’s ongoing IoT and smart city projects, including a long range wide area network (LoRaWAN) across the 153sq km of the city that will enable St Louis’ team to implement use cases at a very low cost.

(Photo by Ethan Wilkinson on Unsplash.)