Developing technology infrastructure for NHS Citizen:
Discussion paper looking at the technology platforms and standards needed to support the NHS Citizen system design
April 2015
Version 3.0
Contents
1. NHS Citizen Technology Infrastructure Green Paper: Introduction
1.1. What is NHS Citizen?
1.2. What do we mean by Citizen centred architecture?
1.3. What makes this truly citizen centric?
1.4. Do we need a social currency?
1.5. How does it relate to other digital programmes?
1.6. Online communities and citizens
1.7. Relationship to Data distribution
1.8. Open questions
2. Architecture
2.1 Overview
2.2 Scale
2.3 Open standards
2.4 Accessibility
2.5 Developing an open API
2.6 Interaction with other systems
3. Content within the system
3.1 Overview
3.2 Active Listening
3.3 Gather
3.4 System data
3.5 Individual data
3.6 Data as evidence: The balanced scorecard:
3.7 Data licensing
3.8 Questions to discuss for security, privacy and anonymity
4. Identity: a Participation Passport
4.1 Why do we need a participation passport?
4.2 Importance of the Citizen being in control
4.3 Prototyping and development process
4.4 PDS approach
5. Design process
1. NHS Citizen Technology Infrastructure Green Paper: Introduction
1.1. What is NHS Citizen?
NHS Citizen is a programme commissioned by the board of NHS England. It is designed to answer two simple questions:
1. How can the board of NHS England better take into account the views of patients, service users and the general public when making decisions about the NHS?
2. How can the board of NHS England be held to account by the public which it serves?
Through an open design process the NHS Citizen project team has developed a model for NHS Citizen which comprises:
Deliberative and decision-making processes and events, such as the Gather process and Assembly meeting.
A set of values and behaviours which are intended to create a culture of participation within NHS Citizen.
A set of tools and approaches designed to find and connect pre-existing patient participation as well as to identify gaps and hidden voices.
In developing this model NHS Citizen has also considered how NHS Citizen might help direct questions and ideas to other parts of the NHS system in recognition of the fact that NHS England has a role as system leader.
NHS Citizen is not a technology project, but it has been designed with technology at the forefront of what is possible. By this we mean a number of things:
It will create a social infrastructure for participation, supported by an open digital ecosystem of connected tools which will support collaboration and innovation, rather than a simple technology platform
It is designed to support the way in which citizens and staff use social media today and to encourage and spread best practice
It takes a view on personal contributions and identity management that ensures it is ready for the future, and meets high privacy and security standards.
The technology platform will be required to take technical measures to ensure that promises made to the citizen, and the choices they make on that basis, are enforced in a transparent and understandable manner by the citizen.
This paper outlines, for discussion, what the technical infrastructure might look like to support the NHS Citizen design. It is intended as a starting point for a wider debate and will inform development and delivery in 2015/6.
1.2. What do we mean by Citizen centred architecture?
Throughout the process we have used the phrase ‘citizen centred architecture’ in order to communicate the way in which the NHS Citizen seeks to use the technology infrastructure in order to reinforce the design principles of NHS Citizen. This is subtly different from the more commonly held description of software and infrastructure being ‘user-centric’.
The emphasis within the NHS Citizen design is on the creation of a trusted space where citizens and decision makers can interact authentically.
Therefore much of the thinking with respect to the technical architecture of NHS Citizen has focused on how it might be possible to build trust in NHS Citizen from the point of view of citizens who are participating as much as from the point of view of decision makers who would be influenced by the discussions there.
The management of personal data has been identified as one of the key drivers of citizen trust and also a way of signaling an individual’s personal efficacy within the system. The challenge for NHS Citizen is in ensuring that personal data is managed in a way which ensures citizens remain in control of their data at the same time as building an environment where people can collaborate and share data.
An important aspect of this will be in the use of social media contributions. NHS Citizen needs to ensure that the use of social media leads to greater levels of participation and engagement rather than simply being used as a surveillance tool to monitor citizens’ conversations online.
Citizen-centred means that the system as a whole starts from the view that people are citizens and owners of the NHS, rather than only being passive recipients of services, and that they should be able to express their views and engage with discussions about the way services work. In order to do this in a way which empowers people the architecture must give them control over their identity and data, and give them the widest possible latitude to use the tools, spaces and participation methods with which they feel comfortable. While user-centred design aims to make a platform or tool well-adapted for a user’s needs, our citizen-centred design aims to collect and protect the widest range of participants in an environment where they feel empowered. This means, among other things:
Bringing the widest possible range of voices in, and maximising their impact, by using methods to which they are already adapted;
Designing in ways that allow online and offline contributions without separating them into different channels
Allowing options on tools, platforms and methods of participation wherever possible
Putting a focus on accessibility and not creating a culture of debate that privileges some voices and excludes others;
Giving participants control over their data and their identity.
NHS Citizen has 5 design principles which have been used to shape the overall system. These principles are shown in Table 1 below:
Table 1: NHS Citizen Design Principles
No. | Principle | Description
1 | Public | A public space that is available to any interested citizen.
2 | Co-productive | Creating an equal and co-productive relationship between the citizen and the NHS (a relationship where both sides take responsibility for the space, and the development of ideas).
3 | Allows self-defined geographies and topics | The issue and its geography should be self-defined by users with administrative boundaries being subordinate to ‘natural place’ described by the participants. Similarly, the topic should be defined by participants and not imposed by outside forces.
4 | Open and information rich | The space should support the principles of open government with respect to data, process and transparency alongside a commitment to data privacy. This means, for example, no systemic information or analysis should be available in the space that is not available for all participants – with the proviso that published analysis must never make personal data identifiable without prior permission.
5 | Able to authenticate identity | The space should know the identity of participants to a standard that makes their contribution available to the decision making process, but should afford the citizen the right to contribute with their identity kept private from other participants whilst still having their contribution treated as valid.
1.3. What makes this truly citizen centric?
NHS Citizen is designed with active citizenship in mind and is intended to balance ease of use with the needs of a democratic and deliberative system which are distinct from what might be needed with respect to a transactional system. In developing this document the following areas have been taken into consideration:
Personalisation based on circumstances and preferences.
Seamless, easy to use, where and when the citizen wants it.
Trustworthy and safe - the individual needs to be assured their personal data is used correctly and is secure and that they retain control over its use
Enables citizens to truly participate, make choices, take responsibility.
Provides auditable informed consent to data use
1.4. Do we need a social currency?
NHS Citizen is designing a social and technical infrastructure in parallel. The technology is intended to reinforce the behaviours and cultural qualities which are necessary to create a more effective social infrastructure. Much of this is built on the concept of the active citizen which is described more in the discussion of what it might mean to be an NHS Citizen. One way of bringing this to life within the technical architecture would be either the adoption or the development of a social currency such as those which enable sites such as Wikipedia or StackOverflow to operate. These systems combine peer recognition with acknowledgement of personal contribution in order to create social standing and related efficacy in the system. This is a complex area and one which is not being proposed for the next phase but we think that the concept should be further explored in the future.
1.5. How does it relate to other digital programmes?
There are a number of digital, or digital related, programmes already in progress which NHS Citizen could learn from and contribute to while remaining focused on the intention to create something very different. The debate around the data sharing agenda, for example, is an area where the question of an individual’s control over their own data is central and NHS Citizen takes a clear position on this point. This section highlights some of the main connections which have been identified so far.
1.6. Online communities and citizens
Digital by Default and Open Policy Making: From April 2014 all new and redesigned transactional government services are required to meet the digital by default service standards [1]. Where available, these online services will be underpinned by the government's online verification service (see below).
Verify. Part of the government's digital by default agenda, Verify aims to provide a safe and secure method of identity verification for online government services [2]. At present this is focused on the Gov.UK platform but there is much to learn from this work for other parts of government such as the NHS. Verify separates those that verify and authenticate access from those that deliver the services - so the certified company does not know what services the citizen accesses. This prevents two service providers from comparing notes about a citizen because the way in which each citizen is identified to a service provider is unique. It means the citizen can use the same credentials to access multiple services with no privacy bleed. This service is currently being trialled with a number of online services including the HMRC and DEFRA, and this will be the default means of accessing central government services by 2017 [3].
1 https://www.gov.uk/service-manual/digital-by-default
2 https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify
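The unlinkability property described in the Verify paragraph above, as an added illustration that is not part of the original paper and is not a description of how GOV.UK Verify is implemented. It contrasts a shared identifier with a keyed, per-service identifier; the IdentityHub class, the key and the citizen and service names are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Set


def naive_id(citizen_id: str, service_id: str) -> str:
    """Weak design: every service receives the same identifier for a citizen."""
    return hashlib.sha256(citizen_id.encode()).hexdigest()


class IdentityHub:
    """Hypothetical broker sitting between the identity verifier and the services."""

    def __init__(self, key: Optional[bytes] = None):
        # Secret held only by the hub. Without it, services cannot recompute
        # or match each other's identifiers.
        self._key = key if key is not None else secrets.token_bytes(32)

    def pairwise_id(self, citizen_id: str, service_id: str) -> str:
        """Stable for one citizen at one service, different at every other service."""
        parts = (citizen_id.encode(), service_id.encode())
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def compare_notes(ids_a: Iterable[str], ids_b: Iterable[str]) -> Set[str]:
    """What two service providers can link: identifiers that both of them hold."""
    return set(ids_a) & set(ids_b)


def demo():
    """Return (citizens linkable with shared ids, citizens linkable with pairwise ids)."""
    citizens = ["citizen-1", "citizen-2", "citizen-3"]  # constructed sample data
    hub = IdentityHub(key=b"\x01" * 32)  # fixed key only to make the demo repeatable

    shared = compare_notes(
        [naive_id(c, "service-a") for c in citizens],
        [naive_id(c, "service-b") for c in citizens],
    )
    pairwise = compare_notes(
        [hub.pairwise_id(c, "service-a") for c in citizens],
        [hub.pairwise_id(c, "service-b") for c in citizens],
    )
    return len(shared), len(pairwise)


if __name__ == "__main__":
    print(demo())
```
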
Assisted Digital. The Government’s principle is that digital is the default channel, so spending on other channels is diverted into helping those less digitally enabled or skilled, or those who cannot use digital to use the digital channel. This means NHS Citizen can be assured that any citizen will be able to take part in NHS Citizen by accessing assisted digital service providers so no one is left out or behind, due to it being a digital channel [4].
1.7. Relationship to Data distribution
There are multiple programmes across the NHS looking at different types of data sharing. This programme of work is in no way about individual-level data collected about citizens, but is instead focused on content created by citizens. NHS Citizen is a space where Citizens can discuss whatever they choose, and control how those contributions are used. However, we must recognise that all contributions will be potentially identifiable to those who know of the experience from the healthcare setting. The introduction of a process of evidence creation and licensing (see section 3.7) is intended to address this point.
Any information that citizens contribute will only be shared according to their preferences, which the Citizen will be in full and final control of using the personal data store. While NHS Citizen makes promises of intent, it is the citizen who will be in control of the delivery of those promises, and can validate that their wishes have been followed.
3 https://identityassurance.blog.gov.uk/2015/01/05/services-planning-to-use-gov-uk-verify-update/
4 https://www.gov.uk/service-manual/assisted-digital
The use of Gov.UK Verify ensures that the NHS Citizen platform can trust that an individual participating is entitled to access the services on which they comment, but that they can do so in an anonymous (or identifiable) way, as the individual chooses using the Personal Data Store. The PDS will enforce the citizen’s choices when passing data to others, and also allow the NHS Citizen programme to be aware that the Citizen meets the stated criteria, without necessarily knowing the individual’s identity. The PDS provides the chain of trust, but the chain of identity is only visible when the citizen has permitted their PDS to reveal it. Whether the NHS chooses to honour or bypass a citizen’s choice is outside of the scope of this design document.
1.8. Open questions
NHS Citizen positions itself within this landscape as making best use of the data revolution to make discussions better-informed and more focused, while ensuring that personal data is protected and secure. This requires careful balance between these two priorities and will be an ongoing area of discussion and development.
One of the areas where NHS Citizen will need to break new ground is with respect to the use of user generated content within the evidence process and how this can remain under the control, or at least within sight, of the individual who has generated this content. While social media has been used within public engagement it is often used simply to amplify opportunities to engage rather than capturing content and feedback into the discussion.
2. Architecture
2.1 Overview
NHS Citizen is not designed as a single platform. Instead it is envisaged as connective social infrastructure, supported by secure technology. In a citizen centred architecture, it enables participation activity to be better connected and as a result more visible. Rather than large scale social media monitoring much of the connective infrastructure is provided by active citizens who will agree to share their contributions to the NHS Citizen discussions and also create a bridge between the different platforms (including NHS Citizen) which they use. Within the Gather and Assembly process specific technology tools are needed; these will be designed as modules which can be replaced as the system evolves.
There will be a web presence to support the process which will comprise several connected tools:
An informational website and project blog which will provide an overview of NHS Citizen as well as access to the learning and research materials and discussion which underpin the programme
An ‘active listening’ space which will provide insight into conversations and activities within the NHS Citizen system
A social media research space which will connect conversations outside of NHS Citizen and ‘discover’ new potential NHS Citizen participants (see the section on active listening for more discussion of this point)
An online community which provides a space for NHS Citizens to collaborate and discuss NHS Citizen
A “pinboard” where people can raise issues and look for related flags and potential collaborators
An “issue tracker” where issues that have progressed to discussion are tracked through the system and a response followed up
A deliberation space (“Gather”), through which ideas are developed with evidence and discussion leading to a final position that is taken to the right part of the NHS, or to the Assembly;
A tool for ranking the different flags emerging from Gather to give a sense of how significant participants feel them to be;
The Assembly – live and archived webcasts and discussion for each of the assembly meetings and the results of the citizen jury sessions that set the agenda.
In addition, NHS Citizen will create a ‘Participation Passport’ to connect active citizens throughout the system and allow for responsible sharing of information (more on this in section 5).
2.2 Scale
NHS Citizen is aspiring to influence strategic decision making for the NHS at a national level. It is a self-evident truth that this is of significant interest to a large number of people but as the form of participation that is being proposed is very new there is a need to look at a number of proxy measures in order to estimate the scale of what might be reasonable to plan for in terms of system size.
At present patient participation within the NHS system can be measured in a number of ways. The first group of measures refers to the pre-existing conversations that NHS Citizen seeks to connect. For example:
Number of people who are already active in NHS participation – for example patient leaders / members of clinical reference groups etc
Membership of groups such as patient participation groups within GPs surgeries or local healthwatch groups
With sufficient marketing and awareness raising participation in NHS Citizen could be of the magnitude of hundreds of thousands of people.
In order to progress this thinking the NHS Citizen team have created a simple model of scale, shown in Table 2 below, which will be tested and updated as part of the ongoing development process and will stand as proxy in the initial development phase:
Table 2: Model of scale
Aspect of the design | Participation | Scale
Assembly meeting | Citizens and Board members | 5-10 issues, discussed by 250 citizens and 20 board members
Citizen’s Jury | 10-15 Citizens | 20 issues
Flag ranking | All participants in the Gather space | 50 issues which have successfully met the conditions of the balanced scorecard
Gather deliberation space | Citizens and staff working together on issues | 200 issues being worked on at any one time
Pinboard | Citizens and staff working together on issues | 5,000 issues, 25,000 people
Active listening and connected conversations | Active citizens who have agreed to participate and have a participation passport | 100,000 people
2.3 Open standards
NHS Citizen is to be delivered in the form of independent but interoperable tools and services – this is referred to as the ‘ecosystem’. In order to support this approach NHS Citizen proposes identifying standards which already exist in the following areas:
Data: to be consistent with best practice with respect to use of personal data and where this does not contradict, adopting open data principles
Security: to ensure that data, including personal data, is stored and handled in an appropriate way using the PDS approach
Identity: to ensure that individuals have control over their data and also presentation of that data within the system
It is proposed that these standards will be identified via the Cabinet Office Standards Hub (http://standards.data.gov.uk). NHS Citizen may also require the development of additional standards with respect to the storage and management of social network analysis data, participation processes, and storage of the results of the active listening aspect of the system. It is intended that these will be suggested as challenges within the standards hub for further discussion.
NHS Citizen will be taking the approach to open source software that has been developed by GDS. In short, where possible software should be open source and code open and reusable by the community. However, given the effort required to create a community to support open source projects in the short term the focus of NHS Citizen will instead be on the development of an open API (see next section) and the Participation Passport (both to be developed using open source software) which are intended to support the development of a more substantive ecosystem of tools.
Furthermore, while NHS England is technically the owner of all published content, by agreement all published content - unless otherwise stated – will be available via the Open Government Licence already in use by NHS England. This will be built into the terms and conditions for the participation passport and made clear to anyone taking part in the Gather or Assembly process. The consequence of this will be the need to ensure that participants are made aware of the consequences of their content being published by NHS Citizen in order to be able to exercise informed consent over their content.
2.4 Accessibility
An essential part of a citizen-centred architecture is that it is open to all citizens and that its design does not discriminate. We want to ensure all citizens are able to take part in the open-design process and that the needs of all citizens are fully understood in the design of NHS Citizen.
In keeping with this, we are committed to fulfilling the needs of citizens and to meet and where possible exceed obligations such as those under the Disability Discrimination Act and the NHS’s accessible information standard. This means that unless it can be shown to be technically or practically impossible, all content must be made accessible. Wherever possible, we would like to give control to the user in deciding how they will view the content we create. In this regard, we are looking to work with citizens, and organisations that are committed to representing their accessibility needs.
Any provider in the NHS Citizen system will need to be actively engaging with this topic and be able to discuss the specific needs of communities operating within the space.
2.5 Developing an open API
The intention for NHS Citizen is that the infrastructure is developed with an open API. In practical terms this means that:
The Participation Passport will be available for other engagement platforms to use as an identity management mechanism
Gather tools will be designed in such a way that they connect to platforms or tools which can meet the requirements of the deliberation phase of the process and data that is stored as part of the evidence gathering component of the process is available as open data (using the Open Government Licence). For this purpose, Gather evidence will be treated as published data with the appropriate consents sought
It is intended that output of the research activities of NHS Citizen (such as the social media research) is published as openly as possible within the criteria of the separate research ethics statement. The detail of what this means is going to be developed via the NHS Citizen research hub which is planned for the next phase of work.
2.6 Interaction with other systems
NHS Citizen is one of a number of programmes being developed by NHS England in order to better support citizen participation. As such any solution will need to work closely with People Bank and the Participation Academy. These are fully described elsewhere but in summary:
People Bank: A system which will help coordinate patient involvement with NHS England and can give better visibility to volunteering and participation opportunities
Participation Academy: A resource which will help signpost opportunities for learning and development for patients and staff interested in developing their participation skills
It is envisaged that both of these programmes will also use the Participation Passport as it develops.
2.7 NHS Citizen: work to date
Many of the requirements which are outlined in this document have been, or are in the process of being, prototyped in some way as part of the initial design process. An area of the delivery site will be dedicated to signposting these prototypes, including the Gather tool prototypes that will be used to support the NHS Citizen’s Assembly meeting in September 2015. This includes:
Examples of active listening tools
o Examples of network maps and a process for creating them
o Social media monitoring tools which meet the criteria needed for active listening
The online community space is already being prototyped using the open source Lumen platform
Gather tool prototypes will be created following a hack day which is being organized as part of the Participation and Innovation fund
The Assembly meetings and associated social media content are already available via Public-i’s Citizenscape platform
The NHS Citizen website is in the process of being redeveloped in order to make the final deliverables and descriptions from the current phase of work available
It is intended that these items will continue to be in use and be developed iteratively alongside the creation of the operational systems required to run NHS Citizen at scale.
3. Content within the system
3.1 Overview
NHS Citizen will need to interact with 3 different categories of data in order to function effectively:
Personal data, including personal contributions to debate and any self-reported data about conditions or life experiences. This will also include the individual’s public profile and background captured as part of the Participation Passport
System data generated by individuals’ interaction with the NHS Citizen ecosystem (for example number of issues raised, intensity of debates) is needed in order to support the active listening and system metrics
Evidence data which is published and committed to the Gather Evidence store as part of the Gather process. Evidence data can be made up of personal or system data – the difference is that it will have been through a process of publication which seeks the appropriate consent for use.
The Participation Passport is discussed in section 5. There are two other main aspects of the NHS Citizen system where data management is a consideration. A principle of ‘minimum viable data set’ is to be applied in all of these areas. The detail of what is required in each of the areas of the design will be developed over the course of the drafting process for this document.
This refers to the need to collect and hold only the data which is necessary for the smooth running of the system and to, where possible, use data directly from the personal data store rather than replicating storage. The goal is always to minimise the amount of data retained while supporting the smooth running of the system. Individual contributions that are used will only be available for a particular use that the citizen has allowed their PDS to share. Any breach of this principle is a breach of the underlying covenant of NHS Citizen and the basis on which individuals participate.
3.2 Active Listening
The active listening element of NHS Citizen is intended to provide a window onto health and care discussions happening across potentially hundreds of active forums and networks and invite participants to take part in NHS Citizen. Users of NHS Citizen can view discussions across all these networks, and join in discussions on any of the networks (by posting comments). However simply listening to social media conversations – social media monitoring as it is often referred to – is closer to surveillance than true participation and engagement. In order to ensure that digital content is used in a way which aligns with the values of NHS Citizen the infrastructure will need:
To be able to filter content from digital channels based on permissions stored in the individual’s participation passport. For example, a citizen might give permission for NHS Citizen to monitor their Twitter activity in order to understand the reach of NHS Citizen discussions. This permission could be limited to consent with specific hashtags or certain contexts.
To have mechanisms in place that will actively seek the informed consent of individuals who have been identified through social media monitoring as being potentially interested in NHS Citizen discussions. This requires balancing the potential of social media to open up participation and engagement to a wider group of citizens with the need to ensure that this data is used responsibly to create better engagement and decision making and not just surveil people.
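One way the permission-based filter in the first requirement above could work, as an added example that is not part of the original paper or of any NHS Citizen code. It is default-deny: a post is kept only if its author's passport holds an unexpired permission for that channel and, where the permission is limited to hashtags, the post carries one of them. The Permission and Post types, the passport dictionary and the sample posts are hypothetical and constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    channel: str                          # e.g. "twitter"
    hashtags: Optional[FrozenSet[str]]    # None means any content on the channel
    expires: Optional[datetime] = None    # None means no expiry


@dataclass(frozen=True)
class Post:
    channel: str
    author: str
    text: str
    posted_at: datetime


HASHTAG = re.compile(r"#(\w+)")


def hashtags_in(text: str) -> FrozenSet[str]:
    """Hashtags in a post, lower-cased so matching is case-insensitive."""
    return frozenset(tag.lower() for tag in HASHTAG.findall(text))


def permitted(post: Post, passports: Dict[str, List[Permission]]) -> bool:
    """Default-deny: True only if some permission of the author covers this post."""
    for perm in passports.get(post.author, ()):
        if perm.channel != post.channel:
            continue
        if perm.expires is not None and post.posted_at >= perm.expires:
            continue
        if perm.hashtags is None:
            return True
        if hashtags_in(post.text) & {h.lower() for h in perm.hashtags}:
            return True
    return False


def filter_posts(posts: List[Post],
                 passports: Dict[str, List[Permission]]) -> Tuple[List[Post], int]:
    """Return the consented posts and only a count of the rest.

    Content and authors of non-consented posts are not retained.
    """
    kept = [p for p in posts if permitted(p, passports)]
    return kept, len(posts) - len(kept)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data (hypothetical handles and permissions).
PASSPORTS = {
    "alice": [Permission("twitter", frozenset({"nhscitizen"}))],
    "carol": [Permission("twitter", None, expires=utc(2015, 3, 1))],
}
POSTS = [
    Post("twitter", "alice", "Great session today #NHSCitizen", utc(2015, 2, 1)),
    Post("twitter", "alice", "Lunch was good #food", utc(2015, 2, 1)),
    Post("facebook", "alice", "Sharing notes #nhscitizen", utc(2015, 2, 1)),
    Post("twitter", "bob", "Following along #nhscitizen", utc(2015, 2, 1)),
    Post("twitter", "carol", "Waiting times again", utc(2015, 2, 1)),
    Post("twitter", "carol", "Waiting times again", utc(2015, 4, 1)),
]

if __name__ == "__main__":
    kept, dropped = filter_posts(POSTS, PASSPORTS)
    print([(p.author, p.text) for p in kept], dropped)
```
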
In order to support this aspect of the design NHS Citizen is developing a research ethics statement to capture the requirements in this area as well as developing some prototypes of appropriate tools. Social media research is a relatively new field and NHS Citizen will need to ensure that it responds to developments in this area.
As highlighted above, this is a window onto existing communities, and is not a new community itself. Features in the active listening space are limited to searching, and tagging favourite searches and discussions.
In addition to this there will be an associated activity of online research which looks for relevant conversations with the purpose of inviting participation in NHS Citizen or at least raising awareness. This activity, when combined with the active listening function, will provide what has been previously described as Discover in the NHS Citizen design.
To ensure user anonymity and privacy, NHS Citizen will store only the minimum information required to enable users to access the discussion network, and post comments to discussions. No user identifiers will be linked to the information stored; identifiers are held only in the users’ personal data stores.
Sign-up and login: To access NHS Citizen in anything other than the most basic fashion (see next section for more on this), citizens will use a personal data store login. No data will be shared from the citizen’s personal data store without their direct active consent.
Activity on the NHS Citizen sites – for example using Gather tools: Users can search for and express an interest in flags raised on NHS Citizen. Details of the issues they are following will be stored in their personal data store, and not on the NHS Citizen site. To be able to highlight which issues are most engaged with by users, NHS Citizen will record details of searches carried out, and flags. To ensure user anonymity and privacy, the details of the search and flags will be stored (time-stamped search term and details of returned search results) but no “identifiers” will be kept of which users carried out which searches.
Posting comments to the discussion networks. In order to post a comment on a particular network, users will need to choose to login to that network using their personal data store. Their comments on the network will usually be linked to one (possibly of several) ‘display-name’, which could be a known pseudonym, that they select from their personal data store. Where someone contributes on an NHS Citizen discussion or deliberation space, the citizen will be able to retain a record of their contributions in their own personal data store as a personal independent record.
Site analytics or system data. NHS Citizen will store time stamped details of accesses to the site, searches made, favourite searches and discussions tagged. To ensure user anonymity and privacy, these analytics will not be tagged to individual user metadata such as user identifiers or IP addresses. No usage data will be passed to commercial analytics tools such as Google Analytics. If an NHS Citizen wishes to join a research community for UX they will be able to approve data sharing directly from their personal data store for the express use case they wish to support. This is an efficient, privacy-friendly way of securing high quality insight.
3.3 Gather
The Gather element of NHS Citizen enables users to highlight (or ‘flag’) an issue as a high priority that they believe the NHS should be discussing. In order to flag the issue, the highlighting user will need to provide some initial details:
Overview: Title and brief description
Discussions. Search terms and tagged discussions across the network that highlight why this issue is important.
Additional evidence. Links to any external evidence, including papers & reports, media articles and so on.
Gather relies upon the collection of evidence to support the issues being discussed. This will reflect not only the data being collected but measures of the quality of the debate. This is described in more detail in section 4.6 as the balanced scorecard.
Gather process data: (This section provides an overview of data stored around specific flags and their status).
Audience and discussion. All issues raised by participants are visible through the issue board. Once users are logged in, they will be alerted to new issues that match any of their favourite searches or discussions (matched using semantic search techniques). Any NHS Citizen user can register their interest in any flagged-up issue, and take part in discussion around this issue. Participation within the Gather deliberation space will not require people to identify themselves beyond their chosen display name. This is discussed in more detail in section 4 on the Participation Passport.
Issue tracker. Issues that have progressed past the initial comment and into discussion will be searchable through the issue tracker, and responses from the NHS system will also be visible.
3.4 System data
System data refers to any data which is required in order for active listening and gather to function. At present the required data is believed to be:
Table 3: Data required for active listening and Gather to function
Columns: System; Data; Description & Purpose

Active listening
Network maps: Data showing the connections between different people within the system
Social Media content pre-analysis: Social Media content (for example tweets, blogposts) will need to be stored for analysis process
Social media listening results: The analysis of that data needs to be stored for future reference for the Gather process

Gather
Issues: See above for data to be stored for each flag
Evidence: See above for data to be collected to form evidence for flags and issues
Status: See above for system status data

System data
Issue tracker: Information describing issues, including their status and owner

3.5 Individual data
This table starts to outline data which might be needed for an individual to participate in NHS Citizen. It is envisaged that this data would be managed via the personal data store as described in the next section. At present only public profile data is being collected as part of the online community prototype. In the longer term, using a personal data store provides a unique opportunity for NHS Citizen to more easily tap into a richer source of information about an individual, for example the record of their contributions or the issues that they have raised, without increasing the burden of effort on the individual. The consent process and access process is citizen centric and over time, as new opportunities are identified, NHS Citizen can adapt and grow to meet these opportunities with minimal cost, risk or effort as the core process of storage and data sharing remains the same.
The system will include no health data, unless the citizen has explicitly contributed it themselves, in the form of comments about their health experiences, which will likely be highly sensitive personal data, and wider sharing would likely be considered highly intrusive if unexpected.
We currently see data as falling into three main categories as shown in Table 4 below. These are still under discussion and subject to further testing:
Table 4: Categories of personal data in the system
Columns: System; Data; Description and Purpose

Public profile for online community and, in the future, participation passport
Name: Your real name
Display name: The name (or names) by which you would prefer to be addressed
Email address: Preferred email address for online interaction with NHS Citizen
Roles: Description of which roles you fulfil within the NHS
Organisations: Any organisations which you work with (paid or unpaid)
Connections to social media profiles: Permissions around social media accounts and active listening
Profile description: How you wish to describe yourself to others
Areas of interest: Topics that you are interested in following, captured either by you noting these topics or via saving search terms that you have used within NHS Citizen

Personal copies of interactions stored in PDS
Issues you are following
Specific flags in gather
Issues you have raised
Advocacy: We will need to return to the question of how people indicate that they are advocates for other groups or individuals

Personal data
Dietary preferences
Accessibility requirements
Locations you are interested in

3.6 Data as evidence: The balanced scorecard:
The “balanced scorecard” has been developed as a way of measuring the different sorts of evidence that were presented in the course of a discussion, to ensure that a wide range of voices and views were being taken into account. It will need to be reflected in the data that is managed via the NHS Citizen infrastructure and stored in the Gather evidence store. All data shown in Table 5 would need to go through a publishing process, which deals with licensing and consent, before being added to the evidence store.
Table 5: Examples of data to be stored in the Gather evidence store
Columns: Evidence category; Definition; Examples

Representative
Definition: Representativeness was thought to be a measure of both people and conversations. Representative discussions were thought to be:
Broad and deep – they involved a wide range of voices, and those with different levels of knowledge
Networked – going beyond one discussion place to bring in other views
Different experiences – people can come at the issue from different perspectives
Different views – there is constructive disagreement rather than “me-too”.
Examples: Measures of who has contributed to the debate and shown an interest. For example:
Count of contributions
Measure of reach
Measure of range of backgrounds
Contributions broken down to illustrate support or disagreement (nb this implies we will need a mechanism for measuring agree/disagree)
Measure of contributions based on how active the individual is within the system
Could also include the results of the crowd sourcing answer to question “is this an addressable question” (see below)

Honest
Definition: Honesty in the discussion was seen to be a question of authenticity. The discussions should be:
Authentic, with people saying who they were
Open as to people’s interests – not excluding people with interests but declaring them
Examples: Honesty can be seen as a measure of ‘good faith’.
An example of this could be that we ask participants in the deliberation process to peer review each others’ discussions on this basis
The development of a social currency (as introduced in section 2.3) would also provide a measure of honesty

Knowledgeable
Definition: Knowledgeable discussions were seen as using evidence in the right way to support discussions. Participants thought that knowledgeable discussions:
Made use of evidence rather than just being based on speculation or opinion
Took place with understanding of the policy context, so they did not come up with impossible solutions
Used different sorts of evidence (this point was repeated in the “representative” section)
Examples: Measure of evidence sources which have been curated elsewhere in the system – some kind of source ranking system may be needed here.
Statements and personal testimonies which capture people’s lived experience

Addressable
Definition: An addressable issue for discussion would be:
Solvable
Needing action
Can be affected by action
One that is at the heart of the matter, not a side-issue.
Examples: It is proposed that the gather issue statements be re-circulated via the sorting space in order to crowd source the answer to the question “is this an addressable question”?

3.7 Data licensing
NHS Citizen stores only the minimum viable data needed to evidence issues that have been flagged-up, with other sensitive data held inside the personal data stores. It is designed to allow public, community and commercial organisations the same access to the evidence-base.
By ensuring that the data in the Gather evidence store has been through a publishing process (which is yet to be defined), reasonable efforts are being made to ensure that personal data is not made publicly available without informed consent of the individual. This data will be published under the OGL.
It is intended that data (for example personal stories and contributions) that are shared as part of the Gather deliberation but prior to publication as evidence would be freely available within the deliberation space but that this will not constitute any permission to republish or use this content without consent.
3.8 Questions to discuss for security, privacy and anonymity
There are a number of outstanding questions to be considered. These include:
Do we wish to create NHS Citizen as a “safe place” where anybody can search across a wide range of discussion forums, without being tracked by user-identifier, IP etc? (i.e. this would mean that you don’t need to log in to the service unless you want to ‘tag’ or ‘flag’). This could potentially be handled via the Consent model in PDS where an individual could define what data can be shared and in what form.
Do we need to know who the audience is for any particular issue that has been flagged? (i.e., does NHS Citizen need to retain a user identifier if they have decided to ‘follow’ this issue, or is this info held within the personal data store?)
Do we need to be able to link comments made by any particular user on a Gather issue discussion board, so we can understand their argument / position across multiple comments? (i.e., do we need to link these comments to user identifier – whether or not we know who they are). Volume of feedback on an issue could indicate a strong view of the community or it could be the views of a single person expressed in volume. This distinction is part of the discussion within NHS Citizen with respect to how to filter content through the system where the resource of time and attention is limited, as well as the democratic trade-offs required between different types of issues. The technical infrastructure will need to be shaped to respond to this debate as it develops.
What information can we make freely available from NHS Citizen? Can we create an open environment that is also safe for people to share personal data and experiences?
4. Identity: a Participation Passport
4.1 Why do we need a participation passport?
The management of personal data and identity verification is a central part of a modern democracy. From the ongoing debate about the need for online voting to the need to make better use of digital engagement platforms, the way in which we handle personal identity is critical to the quality of the participation experience. The Participation Passport is a way both to signal the significance of individual participation in the NHS Citizen system and to ensure that in doing this the individual remains in control of their own data and their own, often complex and always unique, set of preferences and relationships. It is also a significant design element intended to help avoid NHS Citizen becoming a single large platform. By promoting a federated data and identity approach we reduce the risk of capture by any one provider or platform. It also has wider benefits. The participation passport will be a standards based component which can be used by the same citizen in other such processes across any sector, not just NHS Citizen.
The Participation Passport is made up of two elements:
Identity verification to confirm that “this is a citizen” who is participating (but not necessarily who that citizen is, to preserve the option of anonymity), which could be at multiple levels from verified email address to direct connection with a particular individual; and
A personal data store (PDS) where the NHS Citizen can control and manage their participation data (as described in section 4.4)
4.2 Importance of the Citizen being in control
NHS Citizen is designed to ensure that citizens feel listened to, as well as being listened to. One ambition of NHS Citizen is about sharing decision making – and power – with a group of people who often feel disenfranchised and disconnected. The decision to focus on citizen centred architecture is a way of supporting this objective. Citizen empowerment is enabled by the citizen being and feeling in control.
The underpinning design assumption is that the trust that this engenders supports greater participation, responsiveness, more volunteered data sharing and connected conversations. There are trade-offs in this approach with respect to levels of participation (the concern being that it is another barrier to entry for people who do not currently participate) but the overall concept has been extremely well received when discussed in the abstract. The next phase of work needs to see this concept being worked through in more detail through the prototyping process.
In developing this part of the technical infrastructure the team is referencing the work being carried out by the Gov.UK Verify programme, but exploring how this might be applied to support democratic rather than simply transactional interactions. It is worth noting at this stage that Gov.UK Verify as a source of verified identity may be available to the NHS within the next two years but is not currently planned to be available to the wider community of relying parties for some time.
4.3 Prototyping and development process
NHS Citizen has been working with Mydex CIC to develop this part of the thinking, as their organisational values are closely aligned with the NHS Citizen design principles and, as a CIC, there are fewer commercial sensitivities than might have been found in working with the other named identity providers on the current Gov.UK Verify framework.
Mydex CIC is a social enterprise; a privately held Community Interest Company backed by the Young Foundation. Mydex CIC provides a practical, person-centric approach to identity and data sharing based on citizen centred consent and operating within a technical and legal trust framework.
The Mydex Platform is built with open source software from end to end with open APIs and a range of open standard protocols that are in line with the NHS Citizen design principles. Mydex CIC is totally committed to the use of open source components and standards as a means to enable collaboration, ensure security and to support innovation. Mydex are also part of the Gov.UK Verify framework and are the only open platform provider accredited in this way. Mydex CIC provides an open source content navigator that allows anyone to see what components are used across their environments. There is full online documentation at dev.mydex.org and a Sandbox which mirrors the live environment.
Mydex CIC is an ISO27001 certified company for information security management, and a Certified Fair Data organisation and enabler.
While the prototyping has been carried out with Mydex CIC it is intended that the final system design will enable users to choose other identity providers as per the Verify programme framework.
4.4 PDS approach
By using a Personal Data Store, NHS Citizens will be able to share their profile data and their preferences and intentions while staying in control of the contributions they put onto the platform.
There is no intention to automate the inclusion or sharing of data from other NHS/Government data sources into the NHS Citizen platform, nor to allow that linkage to be made by other bodies (whether NHS, Government or elsewhere).
They will be able to participate in the active listening and Gather processes, sharing their questions, views and opinions at the same time as retaining control over this process.
They will do so with the knowledge that they are making contributions securely and that these can’t be used beyond the choices they make for their contributions. It will enable NHS Citizen to offer a truly citizen centric solution by bringing the individual into the process as an active participant equipped with a Personal Data Store (PDS) and a set of tools to manage their identity and consent to data sharing online.
This arrangement enables individuals to collect, manage, control and share their data and contributions. This includes their profile information, browsing history and bookmarking, their questions and opinions. They can engage online with NHS Citizen, complete transactions and prove their identity safely and securely. NHS Citizen can ask to subscribe to an individual’s information in order to understand their behaviour and activity, and it is up to the citizen whether they wish to consent.
Only the individual can see the contributions and metadata held in their PDS, and when they share it, it is only visible to those they choose to share it with. Individuals can use their ID to authenticate themselves and access the NHS Citizen services and systems that form part of the overall NHS Citizen platform. This is all done with complete privacy and trust that they are doing so in a secure and transparent way. The ID, unlike social sign-in solutions, preserves the citizen’s privacy by only logging their activity within the PDS.
Via their PDS, if they wish, individuals can share their verified data, for example their dietary requirements, in a privacy-friendly, quick and easy way. This could include a wide range of content in the future: preferences to enable personalised conversations; browsing, bookmarking, tagging and annotation to enable insights into their use, activity and behaviours; and their views, questions and opinions. They can choose how much data they wish to share, when and how, for example information for one time use, or the provision of an anonymous view, or permission for a specific use case. This ability to control data sharing engenders trust and confidence, supporting participation and deeper relationships.
5. Design process
5.1 What next?
This paper provides an overview of the expected requirements to support the NHS Citizen design. It has been published as a discussion paper in order to get feedback and advice from a range of people. We have also published the document online and promoted it on social media in order to get as wide an audience as possible.
Over the course of the next phase of development a number of open events will be held in order to explore and improve the different elements of this paper.
In parallel NHS Citizen will prototype and type some examples of these ideas and concepts in order to test them.