“Harder to get consent for data use than it is to get consent for medical treatment”
The Open Data Institute (ODI) has published a report on three pilot “data trusts” – legal structures designed to provide independent stewardship of data – it set up under a government-funded trial that may have far-reaching impact.
The pilots ran for three months to 31 March 2019 and focused on tackling illegal wildlife trade, reducing food waste, and improving public services in Greenwich. A key metric: whether they could “increase access to data while retaining trust.”
The report by the non-profit ODI comes as the government looks to find ways to unlock and monetise vast public data sets (e.g. healthcare data in the NHS) without alienating the public or causing significant trust and privacy concerns.
A key benefit for data users – like the AI and machine learning companies that need huge data sets to train and deploy their algorithms on – would be the ability to tap public data sets that have already been collated in one place, with a single legal agreement governing their use, streamlining current access agreements.
Data Trusts: A Safe Way to Secure, Share, Monetise Public Data?
The ODI found that there is “huge demand” from private, public and third sector organisations in countries around the world to explore data trusts; a somewhat inchoate term for a legal vehicle that can facilitate the sharing of data from several sources while respecting varying legal interests.
(“While data trusts cannot take the form of ‘trusts’ in a legal sense, they use legal structures and forms that take inspiration from them”, it notes, pointing to community land trusts and “trust ports” run by independent boards for the benefit of different stakeholders and governed by their own local rules as examples).
It determined that data trusts could be a good approach to data sharing where there are conflicting interests between parties, or where there is a need to bring together commercially sensitive information from multiple parties. The ODI proposes a detailed six-stage approach to establishing them: scope, co-design, launch, operate, evaluate, and where agreed, retire.
Launch Follows Parliamentary Warning
The report, launched this morning at the Royal Society of Arts, comes a year after the House of Commons’ Science and Technology Committee urged the government to “realise more value” tied up in restricted public data sets, including those of the NHS, and hold them in such data trusts; including by demanding more from the companies granted access to it for research and development purposes.
The Committee’s May 2018 report, “Algorithms in decision-making”, noted: “The Government could… negotiate for the improved public service delivery it seeks from the arrangements and for transparency, and not simply accept what the developers offer in return for data access…”
“The Government should explore how proposed ‘data trusts’ could be fully developed as a forum for striking such algorithm partnering deals. These are urgent requirements because partnership deals are already being struck without the benefit of comprehensive national guidance for this evolving field.”
(The report comes as legal experts note that a “great irony” of modern data protection law is that it is harder to get consent for data collection and use purposes than it is to get consent for medical treatment…)
Launching the ODI’s report today, Business Secretary Greg Clark said: “Access to data is pushing forward huge technological change that can benefit our economy, provide better services to consumers and lead to the creation of new highly skilled jobs. Fundamental to this opportunity is that organisations maintain the trust of their customers and use data responsibly.”
Jeni Tennison, CEO at the ODI added: ‘We only unlock the full value of data when it gets used, so we really need to find good ways to share data more widely without putting people at risk. We have learnt a huge amount from our research about how data trusts can help, and are very grateful to everyone who worked on the pilots with us, but there is more to do. We need to understand more about how data trusts should be monitored, audited and regulated so we can trust them.”
She added: “We need more pilots, such as the wildlife pilot, to be funded to move into the next phase. We also need more research into other data access models such as data cooperatives, data commons and people-led data trusts which may sometimes be more appropriate.”
An accompanying report (from BPE Solicitors, Pinsent Masons and Queen Mary University) that focuses more tightly on the legal issues, warns of four key legal obstacles that need to be overcome to make data trusts work as a way of sharing disparate public/private data sets with a commercial user.
1) Data protection and privacy law. Unless data sharing via a data trust was disclosed as a purpose and consented to when personal data were collected, sharing requires a fresh legal justification.
2) Commercial confidentiality also needs to be protected by the data trust, because both data providers and third parties who have confidentiality rights in the data might have a claim against the data trust or against data users if confidentiality is breached.
3) Intellectual property rights can, to some extent, exist in data, and where they do then the data trust will need to secure appropriate licences from rights owners and to ensure that the terms of those licences are complied with.
4) Data providers will also need to ensure that their contractual obligations to third parties do not preclude them from sharing data via the data trust.
Early Buy-In, Engagement Vital
The report emphasises that even when there is a well-established delivery guide it will still take time for organisations to build relationships, so even if they have competing interests they can align on some common purposes and approaches.
“We saw the effects of this particularly in the Food Waste pilot, where not enough data holders could spare time. The need for this commitment should be recognised as organisations are engaged into a scoping or co-design phase.”
It also warns of the risks around “technology-first” solutions: “Our work mostly focused on stewardship. Our definition of data trusts is deliberately independent of technology architectures or solutions. Independent stewardship could work with centralised data sharing platforms, decentralised data publishing, cloud hosting or blockchains.”
“Despite this, we found many people being drawn to technology solutions and offerings. Building technology before governance, rather than at the same time, risks lock-in to a particular approach, exclusive access deals with particular vendors, and limits on how data can be accessed or shared.”
“Data trusts, and organisations building them, need to retain technical flexibility, avoid vendor lock-in and be able to respond to changing needs”, it concludes.