Public sector personal data sharing: framework and principles

Introduction

Public sector organisations gather, process, and hold large amounts of data that is needed for the operation of public services and government. In this report, we use the term 'data sharing' to describe those times when data is accessed and reused by third parties for new purposes that are outside of the original purpose for the data collection and processing (Thuermer 2019).

Data sharing can take many different forms, depending on the type of data being shared and the parties involved in the sharing. For example, governments and public sector organisations share large amounts of open data with the general public through open data repositories, such as those run by the UK Government^[1], the Scottish Government^[2] and ONS^[3]. It is important to note that data shared in this way does not contain individually identifiable personal details or information that is commercially sensitive (Scottish Government 2015b). Data sharing can also occur between government organisations (sometimes called 'G2G' (Hamza 2011)), from private organisations to government ('B2G' (Richter 2020)), or from public organisations to private organisations (sometimes called 'G2B'). Each of these cases are governed by different codes of practice and laws depending on the type of data that is being shared.

In this report, we look in detail at one type of data sharing: public sector organisations sharing a particular type of data, called personal data, to private organisations. Currently this practice is extremely rare as it involves considerable risks, such as moral or ethical risks, including damage to public trust in the public sector, but also legal risks (Combe 2009), as there are strict laws around the protection of personal data. These laws help safeguard individuals' fundamental human rights, including the right to a private life as described in Article 8 of the Human Rights Act (Equality and Human Rights Commission n.d.).

We present a literature review of three pathways for data sharing around the world and an evaluation of these pathways. The report first defines personal data, then outlines the common legislative frameworks for data sharing that govern the sharing of personal data. Given the restrictions imposed by this legislation, we then outline two broad pathways adopted for facilitating personal data sharing by public sector to private sector: data sharing agreements and extra legislation surrounding data sharing. A third pathway being developed for AI applications is presented in Section 4.

To gain an understanding of how these mechanisms work in practice and to begin to provide some evaluation of these pathways, we have conducted 9 interviews with individuals from the public sector, private sector, and third sector. The findings from these interviews are presented in Section 5. The report ends with a summary of the literature and findings, offering a reflection on the next steps and recommendations for future pathways for public sector sharing of personal data.