This report was commissioned by ministers, originally by Mr Ivan McKee, former Minister for Business, Trade, Tourism and Enterprise, and was written by the assembled Independent Expert Group (IEG) on Unlocking the Value of Data (UVOD), chaired by Angela Daly and composed of experts from different stakeholder groups and backgrounds. The IEG was set up to provide 'strategic guidance and oversight' to the UVOD programme on private sector use of public sector personal data in Scotland.
During 2022 and early 2023 we, the IEG, had been tasked with considering the issue of access to public sector personal data by the private sector, in response to stakeholder feedback that data controllers were unsure about decision making in this domain.
The Scottish Government considers in the terms of reference (ToR) that there is 'significant potential to create public benefit from the use of public sector personal data by, or with, the private sector', and set up the UVOD programme on the basis of 'substantive feedback from stakeholders' (mainly public sector data controllers) 'who identified a case for action'.
We have considered the issue of access to personal data held by the public sector in Scotland for use by private sector organisations over the last 15 months, drawing on our own multidomain and multistakeholder expertise, and engaging with various other stakeholders and the general public to inform our views. To that end, we have formulated a Policy Statement, set of Guiding Principles and a series of Recommendations for the Scottish Government. We found it necessary to explore foundational issues and the landscape in Scotland for public sector data use and were unable to produce a framework that is easily put into operation by public sector data controllers in Scotland during the relatively short (15 month) lifetime of the IEG. We trust that our Policy Statement, Principles and Recommendations can inform the creation of such a framework in the near future.
1.2 About the Unlocking the Value of Data (UVOD) programme
The purpose of the UVOD programme is to aid decision-making by data controllers regarding the release of, or provision of access to, public sector personal data by the private sector, for public benefit. The programme reports to the Scottish Government Minister for Small Business, Innovation, Tourism and Trade, Richard Lochhead.
The Scottish Government commenced the UVOD programme in 2022 in response to feedback from data controllers in the Scottish public sector who were unsure of how to respond to requests by private sector organisations for access to personal data held by the data controllers. While such access in certain circumstances may be permitted under UK data protection legislation, an ethical and best practice approach to providing access has not been clear to public sector organisations making these decisions. According to Stevens and Laurie (2017), this has produced a 'culture of caution' due to, among other reasons, 'misperceptions of the law', 'lack of resources and expertise' to manage data requests, fear of reprisals and 'public backlash' if something goes wrong.
The Scottish Government has considered in the IEG's ToR that there is 'significant potential to create public benefit from the use of public sector personal data by, or with, the private sector', although there are also significant risks inherent in this that need to be managed. To examine this issue in more detail, the Scottish Government has commissioned three literature reviews, on (i) public engagement, (ii) frameworks, and (iii) benefit realisation, and formed this Independent Expert Group (henceforth 'IEG') on which we sit. Some preliminary public engagement and consultation has accompanied the IEG's activities.
1.3 The Independent Expert Group (IEG)
The IEG was set up in early 2022, with the appointment of the IEG chair, Angela Daly, supported by a Scottish Government Secretariat. IEG members from a diverse range of backgrounds, stakeholder groups and disciplines were appointed, comprising expertise and experience across a range of areas including law, civil society, health, open data, digital media and industry.
The first IEG meeting took place in March 2022, followed by the second in April, the third in May, the fourth in June, the fifth in August, the sixth in September, the seventh in October, the eighth in December 2022, with the ninth and final IEG in February 2023. In August 2022, the IEG published draft Principles in a blogpost, for presentation, discussion and awareness-raising at a public webinar in September 2022. In September 2022 the Scottish Government commissioned The Democratic Society (DemSoc) to lead engagement with experts and members of the general public to discuss the themes underpinning the IEG and the draft Principles, principally in the form of two focus groups with members of the public in Scotland (one online in November 2022, the other in-person in Inverness in January 2023) to discuss and shape the IEG's Principles.
The Scottish Government Secretariat also established a Practitioner Forum Short-Life Working Group in November 2022 comprising representatives of different public sector stakeholders including data controllers. The Practitioner Forum was set up to work alongside the IEG, and to provide advice on the content and priorities for the IEG report and recommendations.
The IEG has also engaged with academics, especially through the organisation of a special track at the Data for Policy conference in December 2022. Feedback from all of these sources has been taken into account in this document and our Policy Statement, Guiding Principles and Recommendations.
1.4 IEG objectives
The IEG has been set up to provide 'strategic guidance and oversight' to the UVOD programme on private sector use of public sector personal data in Scotland. The Scottish Government considers that the UVOD programme:
Intended outputs and activities of the IEG have been to produce a policy statement and framework/guidance for Scottish public sector data controllers, and in doing so engage with different stakeholders including the public and practitioners. We have produced a Policy Statement and Principles to guide decision-making and governance by Scottish public sector data controllers. We have engaged with stakeholders mainly through the aforementioned webinar in September 2022, the Practitioner Forum (which is made up of representatives from the Scottish public sector) and the general public, via The Democratic Society.
The IEG has worked as best it can within the challenges and limitations outlined below. We have spent much of our time understanding the complex landscape in Scotland as regards private sector access to public sector personal data. While it would have been a desirable outcome for our work, we have not been able to produce an easily operationalisable framework for implementation by Scottish public sector data controllers. We considered that scoping the landscape and understanding the problems were key first steps that we needed to take, before a framework could be formulated. We hope that such a framework could be produced, with further input especially from public and private sector stakeholders. Technical considerations to support such a framework would also need to be taken into account.
We did not issue a formal call for evidence as part of the IEG mainly given time constraints and the need for us, as IEG members, to clarify the issues on which we have been working. The Scottish Government may wish to build on the foundational work done by the IEG, and address these gaps in the IEG activities and outreach, by issuing a call for evidence to support the next stages of the UVOD programme after the end of the IEG's lifetime.
1.5 Approach and scope
The IEG conducted our work via a series of IEG meetings, complemented by insights from the engagement sessions and Practitioners' Forum. We also drew on our own multistakeholder experience and interdisciplinary expertise to inform our work. The IEG adopted a consensus-based approach to our work, aiming to find common ground across IEG members especially in terms of our outputs. We note below in Section 2.2 some topics on which consensus was not found but which are still important topics to consider for the UVOD programme after the IEG's lifetime.
In Scope
Private sector access to public sector personal data via agreements, contracts, etc for the purposes of commercial research, development and innovation.
Not in Scope
Private sector provision of data infrastructure for Scottish public sector personal data.
Non-personal data held by the Scottish public sector.
Personal data held about people in Scotland by UK Government bodies.
Public or third sector access to public sector personal data in Scotland.
Private sector organisations which provide public services and corresponding personal data e.g. GP practices providing personal data to the NHS.
1.6 Preliminary considerations
The IEG was instructed to consider private sector access to public sector personal data in Scotland. In the Glossary above, we offer a definition of 'private sector' as 'the segment of the economy owned, managed and controlled by individuals and organisations seeking to generate profit'. However, 'private sector' is not a well-defined and neat term in practice. Many if not all of the considerations in our Principles and Recommendations could apply to other actors, from other parts of the public sector, or the third sector, requesting access to public sector personal data in Scotland. Our analysis and outputs are confined to private sector use in line with our ToR. However, in implementing the findings from our work, the Scottish Government should ensure that a situation does not result in which the private sector can access public sector personal data more easily or swiftly than other public sector, third sector or other actors.
We know from stakeholders in the Scottish public sector that they are unsure and lack confidence in addressing private sector requests for access to personal data which they hold, which the terms of reference of the IEG are intended to guide/remedy. However, another premise of the IEG/UVOD work is that there is personal data held by the Scottish public sector that the private sector cannot access or cannot access easily enough, and that this is potentially impeding value creation in the public interest for public benefit.
There are some insights from the Scottish Science Advisory Council that earlier in the COVID-19 pandemic 'there was a 10 month delay due to the lack of agreed approaches to proportionate information governance in the context of pertinent emergencies', with the implication that private sector organisations such as pharmaceutical companies were unable to access health data in a timely fashion.
In the Appendix to the Scottish Standing Committee on Pandemic Preparedness Interim Report (August 2022), some challenges were identified:
Data accessibility and in particular project delays due to existing information governance arrangements has been identified as a priority issue. Among the challenges noted, delays in existing information governance arrangements such as the Public Benefit and Privacy Panel (PBPP) for Health and Social Care have led to delays to projects such as linking vaccine effectiveness data with viral genomics – data which has been essential to the Scottish and UK governments' responses to the COVID-19 pandemic. There have also been challenges where ethical and information governance approval processes do not include representatives with expertise in a subject, for example in genomic technologies, which can lead to delays and challenges stemming from a lack of understanding of the desired application of data in genomics. Current processes should be reviewed to consider addressing these challenges, which can delay vital research during pandemics.
It is unclear whether any of these delays and blockages involved requests for data access by the private sector.
Pandemics such as COVID-19 can be, and are, viewed as exceptional events. Personal data, especially health data, held by the public sector should be accessible in order to address emergency health situations, in line with data protection law.
However, further evidence is needed that existing decision-making mechanisms regarding private sector access to public sector personal data, especially outside of a pandemic situation, require revision and amendment, vis-a-vis 'locking up' public benefit and value and being detrimental to the public interest. All relevant societal interests and human rights must be taken into account in such an assessment. More engagement with the private sector, as well as other stakeholder groups, should happen on this point. A future work stream might helpfully be centred on the private sector and their views in order to fully identify and evidence these access concerns. However, it is important to ensure wider views on this point are also sought, not just from the private sector, to ensure a balanced picture of what is in the public interest. Building on the work of the Data and Intelligence Network, including its Ethics Framework, the Scottish Government should consider implementing fast-tracked data access processes for truly emergency situations such as future pandemics.
The UVOD programme originally purported to be 'citizen led' but we have in fact had limited engagement with the public (mainly through the DemSoc initiative and the public webinar run in September 2022) and in practice the programme has been led by the Scottish Government Secretariat and the IEG, which comprise civil servants and independent multistakeholder experts, respectively. Far more engagement and co-creation with the public, including citizens but also taking account of other residents of Scotland who may not be UK citizens, is required. We use the term 'publics' to capture the diversity and different experiences and viewpoints of people, as the 'public' is not a homogenised single entity. For this to happen, it also would need adequate budget and resources, a plan and leadership which the IEG has not been able to provide due to our own resource and time constraints. For such technical and complex policy matters as considered in the UVOD programme, we consider that publics in Scotland should be actively engaged and involved. Nevertheless, it is the government's role to be the decision-making body, and in so doing balance interests and protect the public from undesirable consequences of both action or inaction on this topic.
1.7 Challenges and Limitations
There have been various challenges and limitations to the IEG and our work. IEG members have contributed to this on a non-remunerated basis which limits the time and resources we have been able to contribute - including in light of industrial action in some sectors such as higher education which has also limited the time some IEG members have been able to contribute. We have conducted this work during the ongoing COVID-19 pandemic which has impacted on our own health and entailed that our work has been carried out mostly online.
We are constrained by the resources and expertise available to us as IEG members and vis-a-vis the Scottish Government Secretariat. In conducting our work, we mainly drew on our own multistakeholder and multidisciplinary expertise. We were not able to commission research on economic analyses of potential public sector personal data use by the private sector, which was beyond the expertise of the IEG members ourselves and which was a research gap we identified at a late stage of the IEG's lifetime.
We also had limited input from the private sector, despite our attempts to reach out to them. For instance, the Practitioner Forum only contains public sector practitioners and not private sector practitioners. There has been some engagement with industry as part of DemSoc's engagement activities. For the future stages of the UVOD work, such research and engagement is key. Better formats for engaging with the private sector are needed, which involve a smaller commitment of time and resources than conventional consultations and expert groups request. The Scottish Government should consider what would be more effective ways to engage with industry and at what point in the policy and consultation cycle.
We have had input from third sector organisations, but recognise the pressure under which such organisations operate, especially those which are smaller and have even more constrained resources. The Scottish Government should consider whether some kind of resource support could be provided to facilitate the involvement of these groups and individuals in the policy and consultation cycle.
Our analysis is relevant and reflects the state of affairs as of April 2023 including vis-a-vis legislation in force. This means that we do not include a detailed analysis of the Data Protection and Digital Information Bill (DPDI Bill) proposed by the UK Government.