Public sector personal data sharing: framework and principles

This report considers frameworks and practices of providing access to personal data by public sector organisations to private organisations.

5. Conclusion and Recommendations

This report has outlined three different pathways for the re-use of personal data held by the public sector. Firstly, in accordance with GDPR, much of the current sharing of personal data is undertaken through the establishment of data sharing agreements, which must be set up between each of the data controllers. This pathway is predominantly used by academic researchers for the completion of research that is in the public interest. Given the wide-reaching scope of GDPR and the DPA 2018, a second pathway has emerged through the drafting of extra legislation to facilitate the re-use of data in certain circumstances. The example of Findata represents the most innovative approach taken to this. Under Finland's Act on the Secondary Use of Health and Social Data, personal data can be reused for the purposes of development and innovation, widening the scope for private and third sector involvement. Finally, early draft legislation from the EU Commission suggests there may be future scope for the reuse of personal data through AI sandboxes, which would be applied to crime, public security, public health and safety and environmental issues.

The report has also identified the ongoing issues with current practices of public sector data sharing for purposes of research, including technical barriers related to data quality and harmonisation of datasets across agencies, along with legal barriers when actions are governed by multiple areas of legislation, as is the case with health data. Culturally, organisations will often not make the reasoning behind their decision to reject a data sharing request transparent, and they may be hesitant to share data even when legally allowed to. Public trust continues to be a major barrier; to address this issue, we find innovation in consent-based models, such as personal data stores.

We want to conclude by arguing for the importance of exploring pathways that remain in harmony with GDPR. Such a route avoids the proposals made by a UK government consultation that ran in autumn 2021 (UK Department for Digital, Culture, Media & Sport 2021). This consultation included a wide range of proposed reforms to UK data protection laws and to the scope and role of the Information Commissioner's Office (ICO). The authors of this report wish to state clearly that while in this report we do acknowledge the difficulties of sharing data under current data protection laws, these difficulties do not warrant the widespread amendment or dismantling of these laws as proposed in the UK Government consultation. As summarized in an excellent chapter by Savirimuthu (2021) that examines AI and data protection laws in healthcare:

"GDPR helps empower relevant actors in the healthcare environment [… by]: (i) framing the subjects and objects of regulation, (ii) providing mechanisms for determining transparency, accountability and legitimacy (iii) and enhancing the ideals of responsiveness through processes for managing risks from the use of digital health solutions." (pg 8).

Although Savirimuthu is considering data protection laws in a healthcare context, we believe these three points of empowerment apply to any context where these laws apply. Data protection laws serve to balance knowledge exchange and innovation with the protection of personal data, and it is important that one is not abandoned in pursuit of the other.

Ultimately, based on this literature review and our interviews, we have pulled out five recommendations for models and approaches for public sector data sharing of private data:

1. Focus on creating shared data standards and protocols across agencies and local and national contexts - a public agency could be dedicated to this role. These data standards should create confidence in the quality of the data as well as the consistency of the data sets.

2. Develop a clear way to define and demonstrate public interest and public value. This includes involving the public meaningfully from early stages in the designs of the data sharing infrastructures and models to generate public licence.

3. From earliest phases, develop ways to market the value and utility of the data sharing infrastructure to immediate stakeholders and users (i.e. researchers, private sector innovators) and be transparent about the risk and opportunities. Ways of doing this include involving stakeholders in the designs of the infrastructure or creating a typology of data and datasets that may be of value.

4. Develop a central resource or agency, such as a data permit authority, that helps aggregate, combine and link data and has the autonomy to decide which permissions to grant, as well as the resources needed to provide quality data. Make this process as transparent as possible.

5. Share ethical standards and best practices internationally. Develop and maintain an international community of practice that explores the "Futures of GDPR". Many countries and regions developing data-sharing approaches will have similar needs for support and learnings, which they could draw from each other.


