Data protection reform and the future of data policy
2023 began with both uncertainty and promise in data policy.
Uncertainty, because it was unclear when the Data Protection and Digital Information Bill (DPDIB) would return to parliament. The Bill came out of ‘Data: a new direction’, a consultation on draft reforms to the UK’s data protection regime launched in September 2021. In November that year the ODI submitted a formal response to this consultation, drawing on expert roundtables and our wider work. In June 2022, the Government published its response to the consultation, with the Bill laid before Parliament the following month. But two changes of Prime Minister and resultant changes to the UK Government and its Cabinet, and a focus on other digital legislation (particularly the Online Safety Bill) meant the Bill’s passage through parliament has been paused. Last month also brought a change to the machinery of government, with data policy and responsibility for the Bill moving to a new Department for Science, Innovation and Technology. It seems the Bill may be returning to parliament this week.
But there is promise to go with the uncertainty, because whatever happens to the imperfect DPDIB, as the UK approaches its next general election, data policy is back on the political agenda. We believe this presents an opportunity to shine a light on some topics that should be considered in amendments to the DPDIB in future, and in UK data policy more broadly, so that data can be made to work for everyone.
As the Bill returns, we highlight three such topics: the role of data intermediaries, the importance of assuring data and data practices, and how better use of data by government can have a wider impact.
Supporting the role of data intermediaries
The Centre for Data Ethics and Innovation (CDEI) defines ‘data intermediary’ as ‘a broad term that covers a range of different activities and governance models for organisations that facilitate greater access to or sharing of data.’ Its report Unlocking the value of data: Exploring the role of data intermediaries describes seven different types of data intermediary, including data trusts, data exchanges and industrial data platforms. The concept overlaps significantly with the ODI’s work on data institutions: organisations that steward data on behalf of others, often towards public, charitable or educational aims.
Examples of data institutions include the UK Biobank, which stewards sensitive genetic data and samples from around half a million people, and grants researchers access to it under restricted conditions. HiLo Maritime Risk Management collates and analyses data generated by around 3,500 ships globally to generate vital risk and safety analyses related to lifeboat accidents, engine room fires and other incidents; this can then be used by companies looking to make their safety processes more efficient.
In recent years, we’ve seen a number of data institutions – or ‘data intermediaries’ – emerge that enable people and communities to exercise greater control over the collection, maintenance and sharing of data about them or that they have a vested interest in. Open Humans, for example, enables people to share data about themselves and decide to whom and under which conditions it can be made available; while also allowing users to explore and analyse data shared by others for research purposes. Grassroots worker organisation Worker Info Exchange retrieves and aggregates workers’ data that is collected by companies, such as the number of deliveries completed by a driver in a given day, or the reviews left by customers. It relies on subject access requests submitted to data holders by workers, and then aggregates that data manually. It seeks to support workers to better use data in collective bargaining and collective action, to investigate unfair practices by employers and to support litigation processes. As well as giving people more control over data, these types of data intermediaries may help improve data availability across the economy, one of the pillars of the UK’s National Data Strategy, and drive efficiency, productivity and economic growth.
Many of these types of data intermediaries are possible because of the right to data portability recognised in the UK General Data Protection Regulation (UK GDPR) as enacted as the Data Protection Act 2018 . But, as we outlined in our report on mechanisms for government support for bottom-up data institutions, we think the UK Government could be more supportive of the role data intermediaries play, for example by:
Supporting continuous access to data rather than limiting it to one-off requests, where feasible and reasonable. While the GDPR allows users to request access to data about themselves from data holders, this relies on placing one-off requests rather than offering continuous access. In some cases, continuous access would allow bottom-up data institutions and other intermediaries to establish more efficient processes for ensuring people can exercise their right to data portability effectively. But there is a balance to be struck in not placing unreasonable burdens on data holders
Clarifying the requirements for individuals to be able to delegate or mandate their rights to data portability to other organisations. This would make it easier for people to delegate data requests and decisions about how their data can be accessed and used by institutions they trust, such as data cooperatives or other forms of bottom-up data institutions that rely on subject access requests.
Supporting initiatives to create a stronger evidence base. For example, by commissioning research and trials to measure the potential market for data institutions, and by continuing to fund pioneering research into potential models for data intermediaries.
Fostering public trust in participatory data intermediaries to drive adoption. One measure that can be taken to do this is to provide a legal definition and standards for participatory data intermediaries, which would help bottom-up data institutions work towards a particular legal standard and enhance public trust by providing clarity on what they can expect data institutions to do. Other options that could be explored include creating a register of existing intermediaries, which could provide greater clarity about the purpose of the data institutions with which people and organisations are sharing data, and supporting the development of an assurance sector for data intermediaries.
Improving the infrastructure that underpins the functioning of intermediaries. This can be done by directly funding, piloting and testing the development of open-source tools that can be used by data intermediaries, and by supporting the development of open standards for data-sharing more broadly.
With the recently published Digital Governance Act (DGA), the European Union has taken an important first step to support data intermediaries in its jurisdiction. We believe this should instil a sense of urgency for the UK to keep up with the EU to continue being a global pioneer in this space. Supporting data intermediaries, and particularly participatory data intermediaries, could be the cornerstone of a distinctively UK approach to data rights. The UK has an opportunity to give people greater control over how their data is used, beyond what is currently contemplated in GDPR, and to improve data availability across the economy, with its associated benefits in terms of productivity gains and economic growth. However, it is important to note that while improving data availability has generally a positive impact on the economy, the potential benefits of policy measures aimed at improving data availability need to be balanced against the additional costs that organisations may have to incur in order to comply with them.
Supporting data assurance
At the ODI we consider that data policy can ensure that data plays a central role in underpinning the innovation ecosystem, both within the UK and globally. But in an innovation ecosystem that relies on using and sharing data, organisations and individuals need to be assured that the data they hold or have access to is fit to share and trustworthy enough to inform their decisions and support their products and services. In an expert roundtable we held around the ‘Data: A new direction’ consultation, participants agreed that assuring the quality and integrity of data will be a vital task for the future data-enabled services and for the future of data rights.
Data assurance is ‘the process, or set of processes, that increase confidence that data will meet a specific need, and that organisations collecting, accessing, using and sharing data are doing so in trustworthy ways.’ Organisations sharing data, such as intermediaries, need to be able to provide assurance that it is suitable for others to access it, use it and share it. Organisations reusing data need to be able to assure others that they are trustworthy in their use of data from third parties. At the same time, organisations need to be able to assure themselves that data is suitable for their own use, which might be through assessing or auditing their data practices or being able to see that their data providers also follow data assurance practices.
For example, an organisation, such as a biobank, that stewards and shares health data with researchers, needs to be confident they have the processes and infrastructure in place to access and store the sensitive data securely. If the organisation can’t be assured about that, it may limit the data it provides in order to protect itself from legal or reputational damage. On the other hand, research institutions that use data provided by this organisation may want to make sure that patients can be assured that their data is safe and being used in ethical ways. These institutions will need to seek assurance from the biobank that patients know data about them will be used in this way, and that the data is shared in such a way that individuals cannot be identified within it.
By helping build trust in data and data ecosystems, data assurance can help increase the willingness of people and organisations to share and reuse data. This can lead to economic benefits as detailed in a report by Frontier Economics on the economic impact of trust in data ecosystems, commissioned by the ODI.
When looking at it from a data protection angle, data assurance can play a role in ensuring the UK maintains its current international trade position. Countries around the world place great importance on making sure that data about their citizens is safe when transferred to other locations. The UK data ecosystem must retain the trust of the international community, so that countries will continue to treat the UK as an adequate partner for international data transfers and international data players will continue to base their operations in the UK. Any reforms that potentially harm trust in data ecosystems can also compromise the capacity of the UK to remain integrated into international data transfers. This could also impose additional burdens to UK businesses when processing data from citizens of countries with different regulatory regimes, as they would be required to maintain two-tier standards, or apply the most strict standards to all their data.
In this space, there’s also an opportunity for the UK to lead globally. Currently, the UK has a global competitive advantage rooted in trustworthiness and high standards for data processing. Moreover, recent research commissioned by the ODI found evidence of a nascent but growing data assurance sector in the UK, with around 900 firms offering data assurance products and services, more than half of them being less than 10 years old. By supporting this emerging sector, data policy can ensure the UK not only maintains its international position in the technology sector, but also becomes a leader in the provision of data assurance services.
Finally, data assurance can play a role in advancing the environmental goals of the green finance agenda, by helping ensure that businesses’ claims about their environmental performance rely on trustworthy data. In a report released in 2022 we explored how embedding data assurance in green finance can help improve trust and trustworthiness of corporate environmental disclosures and thus drive better more environmentally conscious investment decision-making.
Data use by government
Government should lead by example in using data intelligently and ethically. Beyond just legislative measures, our Mapping data in the UK government report identified five ways in which government might influence how cross-sector data ecosystems can unlock the value of data:
- Publishing: The government is a major publisher of open data, which can be used by businesses and others for economic (and social) growth
- Leading: The government has a major influence on what others do through setting expectations and sending signals – it can inspire others and lead by example
- Collaborating: The government’s own ambitions are likely to require support from private (and voluntary) sector partners, providing them with opportunities which could lead to wider economic benefit
- Supporting: The government can produce resources of wider interest and benefit, such as toolkits and research, which other actors in the data economy can learn from
- Stewarding: The government is a major steward of data that can be valuable to data economies and data flows.
Indeed, our conversations with researchers and organisations working with data suggest the main challenges they face don’t necessarily require legislative change. In an expert roundtable conducted with Wellcome, researchers repeatedly expressed the view that improved guidance could have a more positive impact than changes to legislation which risk introducing new sources of uncertainty. A recent Institute for Government publication also suggests legislation isn’t the primary challenge, arguing that government should take other parts of its role more seriously. For example, tackling cultural barriers and fostering data literacy to create an enabling environment for better use of data.
In that sense, government can take a more central role in developing guidance and in leading by example through establishing and adopting best practices for data governance like data assurance. It should also lead on transparency for trustworthiness, and be open about how it uses and plans to use data. This is important for building trust in data ecosystems. As the Centre for Data Ethics and Innovation public attitudes tracker survey has shown, public confidence in data use is damaged when people don’t have enough knowledge about how data about them is being used. Algorithmic transparency reporting in the public sector is also something that could help build trust in data ecosystems. This is currently being piloted in some areas of government, but it could be made mandatory, as was originally proposed in the government’s consultation.
The Data Protection and Digital Information Bill (as currently drafted) also proposes removing the requirement to conduct Data Protection Impact Assessments (DPIA) for data processing that is likely to result in a high risk to individuals. A DPIA helps organisations (including public bodies) identify and minimise the data protection risks of projects that are likely to result in high risk to people. Instead of removing them, DPIAs should be strengthened and, where possible, made public. Conducting DPIAs helps organisations understand in a systematic way the risks associated with data processing, and publishing them could be a useful way for third parties to be able to understand what data collection and processing is happening, why, and how harms are being mitigated. This would help to build trust and nudge organisations towards more ethical and trustworthy data practices.
Another area in which the government can have an influence on building trust in data ecosystems is procurement. In our response to the government’s green paper on transforming public procurement, we highlighted the need for the government to have the capability to assess the data-related capabilities of contractors, and recommended that opening and sharing data should be embedded through the whole life of the procurement process. In our response to the ‘Data: A new direction’ consultation we also argued that, where private companies are granted access to publicly held data, the government should clarify what further benefits there might be to the public from private companies processing their data. For example, private companies might learn from processing the public’s data, which could translate into new or better products or algorithms leading to profit for the company. How would the public sector ensure it benefitted from any such developments? As the access to patient records granted to Google DeepMind by the Royal Free London NHS Trust in 2015 demonstrates, public trust can be damaged if there is a lack of transparency about the use of and benefits accruing from access to sensitive personal data.
The government has also said it is planning to refresh its open data strategy this year, something we will be following with interest.
Call to Action
These are just some of our aspirations for the future of data policy in the UK, and some of the ideas we are currently exploring. We’re planning to continue the conversation in this area, and we’d love to bring in more voices. If you have any opinion about these topics or want to talk to us about them let us know on Twitter @ODIHQ or email email@example.com.