A member of the House of Lords has raised concerns that UK government data, including NHS patient records, is being stored in foreign jurisdictions without adequate cybersecurity protections, calling the practice "unacceptable" as the government advances plans for a voluntary digital identity system.
Baroness Manzila Uddin, who co-chairs the All-Party Parliamentary Group on Decentralized Digital Identity, stated in an interview with Yellow.com that critical government data is being outsourced to the United States and Romania without guarantees that it will remain subject to UK data protection standards.
"A lot of the data for GP patients go all the way to America. And I think this is unacceptable," Baroness Uddin said. "I know that Saudis, UAE's, Singapore's and some other countries in Africa have made sure that the data and all the information remains local to their own cloud, national cloud. I'd like some guarantee about that and I think that at the moment we are not able to guarantee that."
The Baroness specifically cited Gov.UK infrastructure as being outsourced without sufficient oversight.
"If the primary source of government data collection, Gov.UK, is being harnessed somewhere else, say, outsourced somewhere, and we don't have any checks and balances and obligation for cybersecurity resilience, data protection like we would here, I think that's a worry," she said.
She referenced Romania as one location where UK government data is being stored, questioning whether cost considerations are overriding security priorities.
"If all of the citizens are the customers of the government, gov.uk, then why is it in Romania? Is it because simply they bid the lowest amount of money for running the contract? And those are the questions that we need to ask."
The comments come as the UK government pushes forward with proposals for a voluntary digital identity system, which has faced public skepticism since a previous attempt by the Labour government in 2008 was rejected.
Baroness Uddin noted that public opposition to mandatory identification systems remains strong in the UK.
"As you know, I think it's 2008, the Labour government tried to implement a digital ID and the context was very clear that our public did not support it," she said.
She expressed concern that the current proposal is being implemented incrementally rather than through transparent public consultation.
"I know that it's doing it almost through the back door. So for instance, the proposal is that all our driving licenses will be digital footprint. Maybe following that there'll be a proposal for the next set of passports to be like that."
The Baroness emphasized that she personally has no objection to digital identity systems but requires transparency about data handling.
"As someone who co-chairs the digital identity parliamentary group, I have no problem with having an ID. We have IDs for so many aspects of our lives now. I think my concern, and I think there's a lot of concerns at the public level, is where is this data going?"
Baroness Uddin cited a recent personal experience that illustrated broader cybersecurity vulnerabilities in financial services.
"As soon as my family member dropped the call with Amex, for instance, there was an immediate call from someone else saying they're Amex and they had all the information and that's supposed to be a secure environment where you talk about the financial interaction," she said, suggesting that major corporations lack sufficient safeguards against data breaches and fraud.
She argued that neither large corporations nor local government entities have adequate resources to protect against sophisticated bad actors.
"Whether it's an energy bill or it's local government, there isn't simply enough financial incentive or resources to safeguard against some of these very, very bad actors who are defrauding," she said.
A significant portion of Baroness Uddin's concerns centered on digital exclusion and inadequate public education about data rights.
She noted that approximately one million UK households lack internet access and smartphones, making them vulnerable to exclusion from digital services.
"When exclusion happens, we are only talking about exclusion so that we can argue that we have to have greater reach of including people into this mire of voluntary data gathering," she said, suggesting that addressing digital exclusion is being used as justification for expanding data collection rather than protecting vulnerable populations.
She emphasized the need for comprehensive digital literacy education beginning in childhood.
"In many countries like Japan and elsewhere, children are taught very early to safeguard themselves on the net. And I think that is something very critical, not just education of our members in parliament, but members who are not in this space, because all these entrepreneurs and companies are making money on the back of all of our ill-informed practices,” she said.
The Baroness cited recent experience with the All-Party Parliamentary Group on Children where young people demonstrated sophisticated understanding of digital risks.
"We had children coming here acting in their role as parliamentarians, asking expert questions. And they're very insightful questions, they're much more aware than our generation or maybe even your generation. So the eagerness to learn is there."
Baroness Uddin argued that current regulatory frameworks cannot keep pace with technological advancement.
"As soon as you safeguard one framework, another one will appear and it will be beyond our control. So it has to be very fluid, all our legislation has to be very fluid in order to meet the demands of advanced technology."
She noted that existing regulations, including GDPR, have not prevented excessive data collection or unauthorized data sales.
"At the moment many institutions including governing institutions, private sector organizations are asking for excessive data. And it's not necessary. My fear is when we are collecting that level of details, who's hosting it? Where is it being kept? Who's monitoring it?
Who's tracking it? And is it going to go into the dark web and someday be used against us as individual citizens?" she asked.
The Baroness stated that organizations can currently purchase citizen data from local governments without sufficient restrictions. "People can buy from the local government a whole lot of our data, they can buy it. Because at the moment there's no restriction. So GDPR obviously has some boundaries, but people are still collecting and mining our data for their well-being,” she said.
When asked about decentralized identity systems based on blockchain technology, Baroness Uddin expressed support for approaches that give citizens control over their own data.
"The promise of new digital technology, including Web3 and AI and all of that, is that we will have a democratic system of exchanging information so that it would become our own private sources of information and we as an individual decide whether we want to give access or not," she said.
However, she emphasized that any system must prioritize citizen data sovereignty.
"If we are going to continue with this trend, where is my data? Who is having it? Why are they not accountable? Why are they giving it away to people who can buy it?"
She argued that blockchain solutions could provide an alternative to current outsourced data storage models.
"The promise of new emerging technology is democratization of information so that you have much more say in how information about you is kept, sent out, given, whatever. That has to be the primary, one of the primary principle commitments of the government,” she said.
Baroness Uddin expressed preference for aligning UK data standards with the European Union rather than the United States.
"I know that there are discussions about who we align with and I would have much preferred that we aligned with the EU because they are our neighbours, they are our borders," she said.
She voiced concern about increasing reliance on US technology companies for critical infrastructure.
"I suppose we need to make sure that we're not going to the US for everything. Just because they are our special relationship and we have an obligation to do ABC, whatever. Recently there were talks of a particular large corporate organization taking over our security. I'm very concerned about that," she added.
The Baroness argued that maintaining data sovereignty within the UK is essential to preserving the country's reputation as a secure financial hub.
"I want the brain drain to return here and to make sure that whatever we end up doing in terms of whether its digital ID is sovereign, digitally sovereign to the UK, that for me is really critical. If it's digitally sovereign in the UK, then it will be digitally sovereign for the individual because we respect individual rights,” she said.
When asked about claims that digital identity systems would accelerate economic growth, Baroness Uddin expressed skepticism.
"I don't think we have proven the case," she said. "I know that some of the stakeholders have experience. Sweden was cited as good practice, Utah, Wyoming. But I don't think we have anything so far in the UK to demonstrate either the economic growth or the use case as a positive gain for ordinary citizens. I think that large corporations are continuing to benefit."
Baroness Uddin questioned whether the government can implement digital identity systems given current levels of public distrust. "In the current framework of public mistrusting government, as you know, the government has been facing a huge amount of criticism with various policies. So I don't know if we can actually claim the confidence of the public. So in light of that, I don't know how they will manage. There is not clear indication of how they intend to win over public confidence and trust for a digital ID."
She warned against implementing systems through emergency measures as occurred during COVID-19. "I think that public feel that they are forced to give out as much information as possible because people think, if I've got nothing to hide, nothing to lose. But that's not the case because the information you're giving becomes somebody else's asset."
The Baroness concluded by emphasizing the need for trust-based regulatory frameworks. "Everything that we're doing about any proposed regulatory framework has to be based on trust and confidence. That goes without saying, and I think that's where the problem lies."
She called for establishing standards that protect individual rights while allowing technological innovation. "If we are going to have a digital ID, we have to have a legacy of trust and confidence and then making sure that the framework is flexible enough for people to come and work with us."
Baroness Uddin stated that the UK's regulatory reputation could set global benchmarks if data sovereignty is prioritized.
"I think we can set a great benchmark for others to follow, including the US. I think we have a sufficient amount of credibility and so many institutions came out of Britain that are now operating in Dubai and Singapore and the US,” she said.