Selecting a data sharing structure: a value-based choice

27 March 2020

This post explores how we might map the suitability of different data sharing structures to different types of data use

Sharing data can bring a range of benefits for individuals, organisations and society. It can help tailor products or services, make business processes more efficient, and improve a range of public services, from healthcare to transport and more. Achieving these aspirations requires governance structures that enable data access, while managing the rights and responsibilities associated with different data types. Different forms of such structures exist. They are differently suited to different purposes. The right data governance framework is dependent on who is participating, what their objectives are and what the nature of the data is.

It is important to emphasise at the outset that each of the data sharing structures considered in this ‘landscape’ document -from contractual terms for horizontal data sharing to data trusts, via data commons and data coops- is valuable in its own right and fulfils an important function. This guide provides a framework for identifying the type of structure that might best suit different needs. It is presented in the form of a series of questions. These questions are drawn from experience in discussing data sharing arrangements with representatives from each of the groups we mention above.

Question 1. Has the data been collected already?

This feels like the most obvious question but like many obvious questions, we sometimes forget to ask it. Data sharing agreements cannot alone unpick the challenges that arise from confusion around consent. If the data is already collected, then the originators of the data may have rights over this data. Concomitantly, sophisticated processing may also grant IP rights that constrain or limit the effectiveness of some data sharing structures (see next question).

Question 2. Does the data give rise to rights?

Broadly-speaking, two types of rights need to be taken into account when considering the suitability of different data sharing structures:

  1. Personal data rights: in some jurisdictions citizens have (limited) rights to restrict processing and/ or delete their personal data, as well as portability and access rights.

  2. IP rights: depending on the level of sophistication, the processing of data can give rise to IP rights.

There are also many circumstances in which neither of these types of rights apply to the data to be shared: consider data about the bottom of the oceans, or data about the movement of endangered animals.

The impact of those three possibilities - personal rights / IP rights / no rights - on the choice of data sharing structures is illustrated in Figure 1 (below).

Figure 1: Decision tree for data sharing. The root node splits agreements into those where the data has and hasn’t been collected. The scope and nature of rights pertaining to the data is the next branch.

Figure 1: Decision tree for data sharing. The root node splits agreements into those where the data has and hasn’t been collected. The scope and nature of rights pertaining to the data is the next branch.

Question 3. What legal and ethical obligations constrain data sharing?

Legal and ethical obligations may affect the shape and implementation of a particular data sharing structure.

When using a Data Commons, access to the data may need to be restricted to take into account an ethical obligation to prevent unintended harms (such as poachers having access to endangered animals’ movement data) or legal obligations (such as statutory obligations pertaining to national security). Such controlled access can be achieved through technical means, such as accreditation mechanisms.

When personal rights are at stake, both the legal and ethical obligations in play and the values and aims of data sharing will affect the choice between data trusts, data coops or ‘databanks’. This leads to the fourth and last question.

Question 4. What values and aims are sought through data sharing?

The choice of data access agreement is shaped by the values and aims of those creating it. Our simple framework, illustrated below, highlights four types of considerations:

  • Individual concerns, relating to the benefits that an individual or entity might seek to gain by sharing data.
  • Societal concerns, or the pursuit of ‘social good’ activities, including improvements to public services or the natural environment.
  • Managing vulnerabilities, often stemming from power asymmetries that are emergent or embedded in social relationships and that can be compounded through poorly governed use of data.
  • Promoting enfranchisement, relating to the ability of individuals or groups to seek redress after mistreatment or to pursue representation in the digital environment.

Within these four considerations are embedded tensions, for example between individual rights and those of wider society. These tensions and trade-offs need to be actively managed in designing data governance systems, recognising that resolution of these is not likely to be possible. Different legal frameworks for managing data access have different strengths and weaknesses in this respect.

When personal data is at stake, the following three data sharing structures are more or less suited to each of these considerations (see figure 2).

  1. Data Coops: the contractual underpinnings of data coops make them relatively easy to set up and well suited to empowering groups of individuals to obtain individual goods (such as financial returns) or services (such as the monitoring of health or education services) that they would not be able to secure without pooling their data. Data coops may to some extent facilitate the pursuit of societal goods (such as health research) on an ad-hoc basis (depending on the contractual terms).
  2. Public Databank: (à la Sidewalk labs latest instantiation): The fact that this type of data institution is run or held by a public entity makes it particularly well suited to purposes relating to the furthering of societal goods. Nothing prevents this type of institution from also endeavouring to facilitate the delivery of individual goods (like monitoring the quality of health services). This type of institution may seek to address or minimize the vulnerabilities that stem from data sharing. Its being a State-provided, monolithic type of institution may however hinder its ability to address some types of vulnerabilities and enfranchise marginalised groups.
  3. Data Trusts: Data Trusts distinguish themselves from data coops and public databanks not only through the level of legal safeguards they are able to provide (within the framework of trust law). They are also uniquely capable of any combination of these aims (depending on the focus of each particular data trust). This mechanism is well-placed to address concerns about enfranchisement, by providing a mechanism for under-represented and potentially vulnerable groups of individuals to reverse the direction of consent: their data trustee will have the fiduciary responsibility to exercise their data rights in a way that promotes the aspirations set out in the terms of each trust.
Figure 2: The four primary considerations when designing a data governance structure for sharing personal data.

Figure 2: The four primary considerations when designing a data governance structure for sharing personal data.

Each of these structures has its roots in different areas of the law. Data trusts draw from trust law, and raise novel questions at the intersection of property law, data protection, and public law. Other mechanisms – such as repeatable terms and conditions, or data commons – pose challenges to contract law and similar mechanisms when determining how best to accommodate the legal and ethical obligations associated with data sharing. This ‘landscape post’ is meant as a starting point: much work needs to be done in mapping the relationship and complementarity between the different data sharing structures that have been considered.

Authors: Sylvie Delacroix, Neil Lawrence and Jess Montgomery (2020)

Previous
Previous

Data trusts and the EU data strategy

Next
Next

Media and comment (Spring 2019 review)