Effective data use could help develop policy responses to these concerns. Data in coastal communities, in particular, has been under the policy spotlight: a concluding statement in the ‘Health in Coastal Communities Report’ (2021) by Chris Whitty (UK CMO) says, “The paucity of granular data and actionable research into the health needs of coastal communities is striking.”¹ Our research in Brixham confirms this pattern: there is a lack of specific and detailed data available about the place. Data is often siloed in disparate organisations and is often hard to access. Underpinning these difficulties is the model of data sharing whereby citizens’ personal data, or ‘data about me’, is routinely transacted with commercial organisations via standard consents in an asymmetrical power relationship, which many people feel is past its sell-by-date. We think a data trust can help disrupt this pattern, and more effectively leverage local data to respond to local concerns.

Communities – Summary and recommendations. Chris Whitty. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1005217/cmo-annual_report-2021-health-in-coastal-communities-summary-and-recommendations-accessible.pdf

In this blog, we share some findings and insights from our journey to build the foundations for a data trust in Brixham, and some thoughts about a new form of civic institution, for community benefit, that may arise from exploring data in a physical place.

As architects, responding to the DTI’s call for ideas to take data trusts from theory to practice, we proposed a place-based data trust. The idea of a data trust provided a structure for managing data rights connected to local data through collective action, in the context of a transparent, trusted and secure governance structure with oversight. We also felt a place-based approach could leverage the proximity between citizens, data sources, community and action for change to produce rich insights, and an intensity of interest and participation. The place-based data trust is an opportunity to bring the people who know the place and the community best to the centre of decision-making about local data, data rights and the purposes that local data should be put to. It can show how insights from personal data, with the necessary protections in place, can be harnessed for collective benefit.

The idea of enhancing data collection and use in the context of cities has already been the subject of much attention, but the all-seeing eye and all-knowing algorithmic mind of ‘smart city’ and ‘big data’ constructions are not appropriate for our project. The Brixham data trust focuses on an area of just a 3km radius from the town centre, including 14km^2 of the marine environment. In this context, we’re looking at specific issues where data could serve community interests, supported by a lean, nimble, and responsive organisation that we believe will result in a more economical and sustainable data trust model. Four themes have been guiding our conversations and ideas with the community: placemaking and public spaces, environmental stewardship of the land and marine environment, health and wellbeing, measures to address the climate emergency, energy efficiency and net-zero ambitions.

The pilot project is designed as a journey to a data trust, allowing the time to nurture a data ecosystem or a data culture, and the space to be responsive to needs expressed by local people. We are guiding the project to grow organically from ‘what already exists’ in Brixham, starting with sharing data literacy resources. We are cultivating familiarity with data by seeking out people in the community who are working with data and sharing their stories and insights. We are building foundations incrementally, listening as ideas, concerns, networks and campaigns emerge from the place and asking the question, ‘What can data do for us?’. Prospect Brixham CIC was set up to support this process.

A ‘touchpoint’ is our term to describe a meaningful connection between people, data and place – this is where the abstract concept of data comes to life. Data can have colour, interest, meaning and value when its potential to illuminate a local issue, tell a story, or lead to a change, is revealed. This specificity is at the heart of this project. Naturally, these ‘touchpoints’ will change over time because they have a social and cultural context, sometimes borne of economic necessity, or environmental crisis. The data trust allows for the slow careful archiving of data for heritage and environmental stewardship or for extracting fast insights for an urgent issue. Both these paths of data discovery and data activism are both important. For the discoverer, recording, documenting and finding out new, quality data about a place and its people can reveal things that cut through long-held emotional responses and refresh thinking about the future. The activist focuses on data for change, as an evidence base. Both are about creating value in the place and for the community.

The final form of the data trust will be a response to these ‘touchpoints’ - made-to-measure for the needs of this place. To be relevant and useful, the data trust must address real needs and offer benefits - a clear value proposition that is sustainable over the longer term. This sets a hard test for data – it needs to prove its worth as a change-maker, and a valuable community asset. And the community has a challenge too - to move from the data shallows to the deep end as data-literate citizens.

Conversations about data are already happening in the community. Scratch the surface and many people will share their concerns about, for example, lack of control over personal data consents, issues of data rights, use and abuse of personal data online and knowing what data people hold about you. Sometimes people express a feeling of resignation that the power balance is so skewed, there is no point fighting it. The data trust will help to navigate these issues and build strong governance for data in the community, but it must first build trust with citizens.

Our proposal is to set up a Charitable Incorporated Organisation (CIO) – it has trustees, the oversight of the Charity Commission, and participatory governance through a citizens’ panel.

The work to create the data trust is progressing across various fronts:

• A data challenge competition, open to all, invites ideas and offers mentoring and support to five winning projects.

• Talks, workshops and pop-ups

• Trialling small research projects using personal data with specific use cases e.g. recording energy use in the home (with Mydex CIC). Participant’s data is shared between Personal Data Store (PDS) and the data trust pilot. Data anonymisation, aggregation for collective insights and the user’s experience are part of the study.

• A new open data platform (with The Data Place) will provide access to a curated selection of open-source data.

• Investigating data-sharing opportunities with local partners e.g. the local authority and environmental groups.

• Stakeholder involvement in the development of plans for the data trust.

We can see ‘data’ is coming out of the shadows. Some individuals and organisations are already on their own data journey, and are curious to take part in a collective project for the community. There is interest in how data could create social and financial value for the community. A local network of organisations involved in conservation of the marine environment is collecting sensitive data and using citizen science methods. A central car park site is a focus for debate about public space in the town. Data and digital tech people in the community are coming forward to join the project. Recent issues – the local housing crisis, cost of energy crisis, sewage on beaches, water shortages, climate change heatwaves – have highlighted how useful data can be in revealing what is behind the story, leading to informed decision-making.

Local voluntary organisations and other intermediaries are doing impactful work with limited resources. They know their sector of the community well, and the issues that need tackling and they have rich insights drawn from years of experience in the place. They have good ideas about ‘What can data do for us?’, but limited capacity to develop and implement them. This must be factored into the pilot stage, both growing the data ecosystem and the ongoing sustainability of the data trust. 

Place helps us to make sense of data. A place gives spatial mapping and a framework for understanding relationships. The physical world is where cause and effect play out, helping us to see our impact on the environment and our community. Maybe we care more about things when they are close to home?

Perhaps this new digital institution with its feet on the ground, bridging the digital and the physical world, managing our data rights and security and stewarding data about our place and community, is uniquely positioned to connect the functions of existing civic institutions. It sits alongside them, but it brings fresh thinking and a new set of skills and enables them to function better in the digital age. A new kid on the civic block? We look forward to finding out.

Learn more about the Brixham Data Trusts development

However, as with data systems at large, individuals and communities tend to have little say in how data is collected, used and shared for climate action. Data trusts and other forms of ‘bottom-up’ data stewardship have emerged to reverse this trend and empower people to take part in the data economy, and to further contribute to tackling the climate crisis. 

Aapti Institute and the Open Data Institute, in partnership with the Global Partnership on Artificial Intelligence (GPAI), undertook a research study to co-design and evaluate the feasibility of bottom-up data trusts in tackling the climate crisis and its impacts.

Why is data stewardship important?

Significant advancements in the field of artificial intelligence have bolstered the fight against climate change by distilling raw data into actionable information and accelerating scientific modelling.

In order to train, develop and deploy these AI models we need access to data, and given the complexity of the challenge we face in the climate crisis, we need many different types of data from multiple sources. Data stewardship is an approach to data governance that aims to unlock the societal value of data in a ‘rights preserving way’, and can be viewed in response to the common scenarios of ‘data hoarding’, where data is locked away in silos by a few organisations, and ‘data fearing’, where data is not shared for fear of privacy and related harms arising from data misuse.

The idea of ‘bottom-up data stewardship’ is a tonic to the typical exclusion of individuals and communities from data collection, use and sharing. Bottom-up data stewardship recognises individuals and communities as more than mere providers of consent (or recipients of information about how data about them is used), and seeks to empower them to participate in the process of data collection, use and sharing. It provides them with a say in decisions over who has access to data about them, how that data is shared, for what purposes and to whose benefit.

Bottom-up approaches to data stewardship are already being used to tackle the climate crisis. They are often framed as ‘citizen science’, whereby individuals contribute data towards a particular project through observations or sensors, such as iNaturalist and Sensor.Community.

Why data trusts?

Articulated as a collective action tool for communities that enables them to govern how their data is shared with and used, data trusts have seen various definitions, each highlighting different criteria. The Data Governance Working Group of GPAI reconciles these differences by identifying 5 functions that are core to a data trust:

1. mutually agreed terms and conditions of data use

2. expert trustees who govern the trust’s assets;

3. strong fiduciary responsibilities binding trustees to act in the interests of the trust’s members;

4. use of trust assets in accordance with agreed terms and conditions; and

5. safeguards and oversight mechanisms to prevent data misuse and to take remedial action.

Not all of these functions are unique to data trusts. For instance, data cooperatives and data collaboratives also allow for the negotiation of data in accordance with agreed terms and provide safeguards to prevent data misuse. The key component of a data trust that differentiates it from other forms of data stewardship is the placing of fiduciary duties on independent trustees. Fiduciary duties imply that the trustees have a higher than normal, legally bound, a duty of care towards the beneficiaries of the trust, making data trusts inherently more trustworthy than other forms of stewardship. This is especially important given the potential for misuse of data, and the threats to privacy and other rights that such misuse can entail.

Our feasibility study of data trusts in climate

As part of our study, we co-designed three bottom-up data trusts that can impact domains contributing to and /or affected by climate change: (a) a data trust for cyclists in London (page 14 of the report); (b) a data trust for small shareholder farmers in India (page 26); and (c) a data trust related to indigenous climate displacement in Peru (page 37).

We evaluated the feasibility of these based on a set of 8 criteria: the incentive to create a data trust, capacity to run and engage with a data trust, the existence of necessary legal levers to create and run a data trust, the technological feasibility of a data trust and financial sustainability of the data trust. Based on our analysis, we determined the London Cycle Data Trust to be the most feasible, while the feasibility of the other two data trusts was less certain.

The feasibility of the London Cycle Data Trust was a result of a few key factors: the clear demand for the improvement of cycling infrastructure in London, a high demand for mobility data from local authorities for more informed decision making, a high level of digital literacy amongst potential users of the data trust, the availability of multiple legal forms for the data trust to take and strong digital infrastructure in London. 

However, many of these factors were missing with the other two data trusts. Not only do farmers in India not possess the required level of digital literacy to engage with a data trust, but the lack of adequate digital infrastructure in India (including internet access) in most parts of rural India is also a major limiting factor. This is compounded by the continuing lack of data protection legislation that recognises key rights over data and provides guardrails against the misuse of data.

In Peru, while there is a strong demand for accurate data regarding climate displacement, the relatively low levels of digital literacy amongst the communities that are at risk of displacement was a major hindering factor.

Key Takeaways

We’re optimistic about the potential for a London Cycle Data Trust and other, similar data trusts to emerge to enable communities to use data to advocate for, and inform the design of, sustainable transport infrastructure. Existing initiatives such as Posmo.Coop and the Bike Data Project show that there is interest and motivation among communities and that there are defined uses for data in this context, as well as momentum behind the idea. While the feasibility of data trusts for small shareholder farming in India or for indigenous climate migration in Peru is much less certain, there are clearly opportunities to improve how data is collected, used and shared in these areas and we hope this work serves to highlight them.

While our work demonstrated the high potential for a data trust in a specific context, it also highlighted the high barriers for success facing data trusts in other areas. While the differentiating characteristics of a data trust are theoretically attractive ones (the placing of fiduciary duties on the trustees), in a practical setting these characteristics have yet to be applied and tested.

Thankfully, data trusts are but one manifestation of responsible data stewardship, proposed as a tonic to problematic ‘one size fits all’ approach to data governance. In some cases, other forms of bottom-up data stewardship may be better suited to meeting the needs of their beneficiaries. We can see some of these in action already, empowering individuals to take more control over their data. Driver’s Seat Cooperative is one such example. A driver-owned data cooperative, Driver’s Seat allows drivers in the gig economy to maximise their rideshare and delivery earnings through use of their data. 

Furthermore, given that bottom-up institutions presuppose a degree of digital literacy and capacity to engage on data rights, there is a need to explore a range of different institutions. In such contexts (which are more common in the Global South) there is merit in encouraging stewards that are not set up by the members themselves but by an organisation (typically an NGO or CSO) that nonetheless acts in the interests of the communities, they work with. Abalobi, a South African non-profit that empowers local fishers through the use of their data, is a great example of this. While not set up by the fishers themselves, Abalobi collects and stores data on behalf of the fishers and shares data with third parties only if the fishers consent to it. They also help fishers visualise the data they collect and use it to their benefit. Alternatively, existing institutions such as cooperatives and unions can also be empowered to transition to becoming stewards of the data relating to their members. Given the scale of their membership base, their trust within the community and financial sustainability, pivoting existing community organisations to data stewards can be very promising. PescaData, an initiative of COBI, is another example of this.

Our work set out to test the feasibility of data trusts for climate action and identify the potential contexts where they could work. Given certain base conditions, data trusts serve as a wonderful tool for participatory data governance that provides users with agency over their data whilst making data available for public good, in a democratic, rights-respecting manner.  The type of support and development by the Data Trusts Initiative is crucial in bringing data trusts to life, and is the first step in understanding which contexts data trusts can affect change, and where other approaches to data stewardship may have more success in combating the climate crisis.

New institutions of data governance, such as data co-operatives and data trusts provide an important framework for enabling data stewardship to be better aligned with community or public interest (by contrast, for example, to corporate structures oriented towards prioritising shareholder interests). However, even with trusts or co-ops, for interest alignment to actually take place, there is a need for ongoing and in-depth participatory practice.

This can often present data stewards with a number of challenges:

1. What kind of engagement model to adopt? For example, should members of a data trust vote directly on proposals? Or should key decisions be made by a board with member representatives?

2. How to maximise meaningful discussion on complicated issues? For example, deciding whether or not certain datasets should be linked and shared might involve a range of technical, legal and practical considerations, and often appears to require significant background knowledge.

3. How to create open and inclusive participation? Engaging in governance takes time and resources: if it happens on an opt-in basis, there is a risk that those who get involved in making decisions about data will be un-representative of the communities affected by those decisions.

4. How to maintain a connection with authentic community voices? Staff responsible for participation are often concerned that people who get engaged become ‘co-opted’ over time, aligned with the interests of the organisation or its leaders, rather than effectively representing community interests and insights into the governance process. This is sometimes described as a problem of ‘professional participants’ and introduces questions about how to regularly renew engagement practice.

These challenges are not unique to data governance. In particular, they have received a lot of attention in the context of child and youth participation, where the concept of the ‘evolving capacity’ provides a useful framework for thinking about progressive opportunities to get involved and take on a share in decision making.

Critically, meeting these challenges involves thinking not about isolated opportunities for stakeholders to be involved in data governance, but about how to develop participation pathways that build capacity, connect different levels of decision making, and support more inclusive and diverse participation in decision making.

Mapping the pathways

Let us imagine, for example, a climate data co-operative (to borrow a hypothetical example from the Ada Lovelace Institute’s work) that pools energy use data from participants across the world, and considers requests to share access for climate-focussed research and development projects. What pathways could exist for different stakeholders to engage in co-operative governance?

In mapping the opportunities to build better participation pathways it can help to first look at the core decision making structures and work outwards. If ultimate responsibility rests with a board, then are there clear routes for different stakeholders to select, or be elected to, the board? Are places reserved for those whose data is being governed? Has thought been given to removing barriers to board participation, and to proactive outreach to recruit members from diverse backgrounds?

Then consider, how are board or operational decisions informed? If there are key operating principles, are they published and open for comment and regular review? Do staff have mechanisms to consult with community members when exploring key decisions? Are there certain decisions which are put to the community to advise on, or that are delegated for the community to make?

Then look for other engagement touchpoints. Are there existing feedback mechanisms where stakeholder voices may be heard? Are there any regular surveys or listening exercises? Do groups of stakeholders have self-organised discussion spaces that it would be appropriate to engage with? Are there stakeholders outside the co-operative who have views on what it does?

Having reached the outer edges of engagement, we can turn our focus around and look at two critical participation pathways. Firstly, is there a clear path through which views and interests communicated through ad-hoc, informal or light-touch participation opportunities are fed into the decisions that get made through more formal parts of the governance system? Second, are there pathways by which individuals can progress from light-touch engagement, to deeper forms of participation in governance - supported to develop their engagement and capacity along the way?

In thinking about any pathway, particular attention should be given to issues of accessibility and inclusion. Can the path be made intentionally more welcoming, and easier to travel for those who are commonly marginalised, or more directly affected, by data decision making?

Pathways in practice

To return to our hypothetical climate data co-operative example, we could imagine a user from a low-income community who is invited to participate in a short feedback survey. The survey reveals a particular concern amongst lower-income co-operative members about how data might be used, and so a small group of low-income members are invited to speak to the staff team about this, and are given support (and paid for their time) to do so. In gaining exposure to some of the decisions the co-operative has to make, they become interested in being more involved, but have low confidence in doing so. The co-operative organises an open governance training workshop along with a number of other similar organisations. With encouragement from an existing board champion, an individual from this group joins a voluntary working group, and later stands for election to the board. In time, they become a board champion supporting others to get involved in governance.

We could also imagine another individual who, feeling strongly about data-sharing with a firm that also has links to a fossil fuel company, starts a forum discussion on the topic. A community manager from the organisation spots the discussion, but highlights that the current principles of the co-op don’t prohibit this, and suggests that there are options to either campaign to change the principles, or to campaign for the third-party to drop its fossil fuel partnerships. The community manager provides signposting to resources around how to develop a campaign, and encourages debate on the issues, inviting expert inputs to the discussion. A summary of the discussion is featured in the organisation members newsletter. The discussions result in two small groups forming: one which proposes a change to the principles, and the other which develops an independent campaign to write to the third-party. While neither is immediately successful, the participants have followed pathways of participation that have built their advocacy skills and understanding of the issues. At least one of these paths has taken them beyond the boundaries of the organisation they originally engaged with.

The organisational journey

Developing effective pathways of participation also often involves a journey of development for organisations: even young institutions like Data Trusts and Co-operatives.

Harry Shiers’ Pathways to Participation (developed in the context of child and youth participation) builds on the ladder of participation, to look at how organisations develop their ability to share power and responsibility for decision making. Shiers’ pathway starts from listening, and moves through providing support for stakeholders to express their views, to taking those views into account, to involving stakeholders in decision-making processes, and ultimately to sharing power with stakeholders. At each point on this pathway, there may be openings (a willingness to listen or share decision-making for example), opportunities (a procedure or process that allows engagement to happen), and obligations (a requirement that locks-in engagement practice). Critically, reaching the point of sharing power does not mean that there is no longer a need to retain a focus on earlier stages such as supporting stakeholders in expressing their views. To mix our metaphors a little: it’s important not to pull up the ladder of participation behind as the organisation’s participation practice matures.

Embedding participation

Recent years have seen a significant rise in the number of citizen’s assemblies, deliberative dialogues and citizen’s juries looking at data issues. These have generally been one-off activities, designed to garner a representative citizens’ voice on particular data collection, management or sharing. While they can be valuable exercises, they have often been divorced from wider pathways of participation, creating temporary mini-publics that are not part of ongoing interaction. There are, however, promising signs of mini-publics being woven into ongoing practice: for example, with Camden’s Data Charter being used to review data decision making by a residents panel.

At Connected by Data, we’ve been starting to map out the ways in which different participation models and methods can be effectively applied to discussions about data. Our upcoming case database will show the way different projects have put together surveys, boards, dialogues, accountability processes, and other participation tools in order to help ensure the way data is governed can better reflect public expectations and views. In doing this, we’re drawing on a wealth of existing work that explores participatory practice in other settings, such as the Participatory Methods resources on participatory international development research, Organizing Engagement work on inclusive participatory practice in school and community settings, and Participedia methods section exploring a wide range of democratic innovations.

Participatory practice around data involves innovation in so far as it explores citizen voice in a relatively new domain, with novel configurations of technology and power to unpack, and technology can offer a range of new participatory tools. However, there are already some established pathways to start out on.

Ultimately, developing effective pathways of participation, and ensuring the voice of stakeholders can shape both big picture and day-to-day decision making around data involves both embedding a culture of participation, and developing the right toolbox of approaches to deploy.

Data trusts are an emerging and varied concept, and their operation will differ according to context. Commonly though, data trusts are proposed as a mechanism of data stewardship and a model of data governance with the potential to empower individuals and communities by authorising others (broadly referred to as ‘data intermediaries’) to act on their behalf. 

The 2020s may be the next era for seminal advances in longitudinal population studies and birth cohort studies, with new technology creating opportunities for data collection and access at an unprecedented scale. A data trust is one possible approach for data governance to capitalise on this new era, but the concept raises as many questions as answers at this early stage.

With funding from the Data Trusts Initiative, The Born in Scotland Data Trust aims to explore how data trusts might operate in the health research context, specifically in birth cohorts and longitudinal studies that aim to engage participants over their lifetime. Birth cohort studies and longitudinal population studies are a particularly interesting example for exploration because they often involve multiple, related participants; recruiting pregnant women and offering the possibility for children born into the study to become research participants themselves.

Governance considerations

A complex ethical and legal landscape for health research applies to longitudinal studies and birth cohort studies, and typically consent will govern the collection and storage of data and tissue samples from participants over decades. In this paradigm, the mother will consent on behalf of the child to be involved in the research study. In view of the long-term and potentially multi-generational commitment to involvement in health research, some of the goals of data trusts such as empowerment over uses of data and data rights, may offer promise for increasing involvement and engagement of parents and children in birth cohort studies and may help enable access to richer data for improved health outcomes in the future.

In collaboration with CI Professor Rebecca Reynolds at the University of Edinburgh, we will develop a pilot data trust as a governance model for the “Born in Scotland in the 2020s” birth cohort study (hereafter, ‘BIS’). BIS is a pilot study funded by the Medical Research Council to test the feasibility of establishing a large-scale ‘virtual’ pregnancy and birth cohort. Most BIS data will be ‘standard’ administrative, health care records and biological sample data, but the vision is to capture much broader data about participants allowing investigations into the impact of novel environmental exposures on pregnancy. The project will also follow the development of children born into the BIS study. The ambition is that the future cohort will include 100,000 participants and be representative of pregnant women living in Scotland.

Designing a data trust for birth cohort studies

We aim to co-design the data trust with BIS participants, who will be invited to draft the terms of the governing trust instrument to increase understanding of data rights and involvement in decision-making about data. As we are developing the trust model at the pilot stage of the BIS project, this offers a unique chance to try to develop a truly ‘bottom-up’ approach. We aim to recruit data ‘trustees’ from a range of backgrounds pertinent to BIS including research participants and research midwives (who are often involved in the process of recruiting participants).

Representation

Crucially, for this to be possible even in theory, significant public and participant involvement is necessary to build an understanding of data trusts amongst potential participants. Through our engagement activities, we seek to understand the perspectives of women involved in BIS around their participation in health research governance and the desirability of trust models, to start a dialogue and test feasibility for adoption in future research studies.

Working with CI Ann Hagell at the Association for Young People’s Health, we will also explore whether data trusts can help support young people to be more involved in the next generation of birth cohort studies. There is a need for modernised and creative approaches to children’s involvement in birth cohort studies, to increase engagement with young people who are typically underrepresented in public and participant involvement activities and research governance design and whose involvement can significantly enrich research and future health. We will explore the ways in which a data trust can be used to govern children’s data and data rights. Through a series of youth engagement exercises, we hope to hear from young people about their views on involvement and uses of data for health research.

A core component of the project will be examining the alignment (or non-alignment) across health research frameworks and data trust models. In an earlier phase of this project, PI Dr Jessica Bell, University of Warwick, and Professor Melissa Wake (‘GenV’, Murdoch Children’s Research Institute) hosted a bi-national, multi-stakeholder workshop, bringing together 30 participants from multi-disciplinary backgrounds including academics from legal, ethical, governance, medical and information technology backgrounds, representatives of youth advisory groups, stakeholders from different longitudinal cohort studies, and health research regulatory authorities.

Possible benefits identified included increased participation in data governance and engagement with participant concerns over time. Members of a youth advisory group expressed enthusiasm for increased participation and empowerment in birth cohort studies; as well as trustees representing their interests independently from family members and the research team and keeping them informed about the research and data rights. Other advantages included accountable decision-making about data use in the best interests of participants; potentially protecting against conflicts of interests, particularly where research involves commercial partnerships.

Concerns were however expressed around the complexity of the existing landscape, and questions were raised about the added value of data trusts in this context. Communicating the complexity of a data trust to different participants will be challenging and meaningful development of bottom-up data trusts will require clear and constructive co-design. Our workshop emphasised that to meaningfully evaluate the promise of data trusts for increasing participation in health research and the added value to existing models, there is a pressing need for pilot studies and worked up examples to cut through the hype and test the feasibility of data trusts in different contexts in the real world. To ensure we don’t simply reinvent the wheel, there are also valuable lessons to be learned from the experiences of large-scale research projects like UK Biobank Ltd, whose day to data decision-makers are themselves ‘trustees’ in law.

With the UK government explicitly referring to data intermediaries in their response to the ‘Data: a new direction’ consultation, it is clear that data intermediaries are set to be part of the UK data landscape. Through the BIS Data Trust, we look forward to exploring how data trusts, as an example of data intermediaries, might operate within the health research framework to better understand the challenges and opportunities for data trusts for health research in the future.

This blog underlines how social trusts are well designed for imagining and creating data trusts and how to implement data governance mechanisms into this legal framework. Our observations were made in the context of two pilot projects aimed at creating data trusts in Québec and will explore three features; a general interest purpose trust, flexibility within permanence, responsibility, accountability and trust.

A general interest purpose trust

A social trust’s sole raison d’être is to pursue and achieve its purpose. In the case of a social trust, this purpose must be for social utility. What is social utility? Social utility is a purpose of general interest, including cultural, philanthropic, educational or scientific. The Civil Code of Québec provides that the main purpose of a social trust cannot be to make a profit or to operate a business.¹ A social trust can operate a business, but it must be solely to support its mission, not to make a profit.

The purpose of the trust plays a pivotal role in the governance of data trusts and defines future use of data as well as the conditions to access and share data with third parties. Trustees are bound by this purpose, and all their actions or decisions must comply with it. Any access given to third parties, any valuation of data or any sharing of data will always be justified by a general interest purpose.

Thus, drafting the purpose is a crucial step in the creation of any trust. Various purposes may be delineated, but coherence must be sought. The following are a few examples of purposes that may be specified:

• To operate a secure platform [or by using another technological solution] to allow data sharing;

• To enable the sharing of data between [specify the organizations] in order to promote innovation or development in the social economy sector;

• To document and identify the determinants of social activities (consumption of specific goods, urban travel habits, etc.) in order to promote the development of the social economy;

• To use data and artificial intelligence to find innovative solutions to challenges met by social economy organizations.

Although the purpose can be solely decided by the settlor, we suggest involving as many stakeholders as possible in this process, as well as representatives of civil society to ensure diverse representation and to enhance trust.

Flexibility within permanence

When dealing with technological platforms, standards and norms, along with anonymization and analysis of data, we must necessarily consider flexibility within the governance model. In this regard as well, Québec’s trust offers some interesting features.

Social trust is a private instrument, meaning that no particular law or public body monitors its creation, existence or functioning. A few rules can be found in the Civil Code of Québec, but the greatest part of the governance design is left to the imagination and the will of the settlor. This means that many kinds of trust, social trusts and social data trusts can be created, every one of which has its particular role, features and bodies of governance.

Such specificity allows for important flexibility in technological innovation and its governing ethical principles. This legal architecture reflects the alliance of flexibility and permanence by incorporating specific and non-modifiable legal duties for trustees while providing for the evolution of norms, ethical principles and standards. In this regard, trustees bear one permanent and mandatory duty: to constantly evaluate and ensure that these norms, principles and standards are in compliance with the best practices and the highest standards in terms of privacy laws that are in place at the time. This mechanism allows trustees to be held to a higher accountability than those operating under the current law in force.

The suggested legal architecture that allows that harmonization between flexibility and permanence is composed of:

1. Laws The Civil Code of Québec defines the concept of trust and its core elements, while the Act Respecting the Protection of Personal Information in the Private Sector defines the difference between personal and non-personal information and the obligations of organizations collecting personal data relating to privacy.

2. Constituting Act The Constituting Act is a binding instrument that defines the purpose of the trust, trustees’ duties and powers and the general governance model. As for the purpose of the trust, only the court “may […] substitute, for the original purpose of the trust, a purpose as nearly like it as possible.”²

1. Charter of principles Adopting a charter that sets out the main principles of data governance and implements these principles is a crucial duty of trustees. A data governance charter of principles (or declaration of principles) is “an effective way to articulate and demonstrate adherence to a set of values or positions on data governance.”³

1. Management framework: Under the Charter, trustees must adopt a management framework with mechanisms for accessing, sharing and protecting data and handling requests for the withdrawal of personal information.

Responsibility, accountability and trust

Trust law represents the highest level of duties that can be imposed upon a person in detention of the properties of others. Trustees are bound by duties of prudence and diligence and must act honestly and faithfully in the best interest of the purpose of the trust.⁴

Furthermore, trust law provides for additional monitoring and control mechanisms that ensure responsibility and accountability. In our opinion, this accountability reinforces trust.⁵ We suggest that these mechanisms be implemented according to the following descriptions:

• Trustees are identifiable physical persons. One advantage of trust law is that it identifies a physical person as being bound by strong legal duties. However, since no public bodies monitor the creation and functioning of social trusts, public transparency with regard to the identity and nomination of trustees is crucial.

• Accountability of trustees and ‘auditability’ of decisions. A key aspect of social trusts is that they provide for the annual accounting of the actions and decisions of the trustees.⁶ Traditionally, accountability in a trust is primarily financial. However, accountability for other aspects is conceivable, such as documenting the various uses of the datasets, and assessing the quality of the data and/or the technological infrastructure that supports it. The governance model we designed includes various levels within the accountability process, and the creation of an ethical committee (the ¨Trust Protector¨) helps to implement this mechanism, at its highest level. Accountability to the public, in general, may also be provided through publicizing the various decisions and actions of trustees.

• Control over data. Trusts create an alternative legal regime to ownership. Indeed, no one has any right or ownership over data in trust. However,  the absence of ownership does not mean the absence of control. Trustees are able to make all decisions about accessing, hosting, protecting and sharing the data within parameters that are either predetermined (notably with regard to the purpose and key principles that are unchangeable, such as respect for the autonomy and privacy of individuals), or evolving (charter of data governance principles, more technical norms and standards).

• Implication of stakeholders in the governance of the trust. The flexibility of trust law allows for governance models that include the participation of stakeholders and/or the general public in the decision-making process and in any ‘auditability’ framework (through decisional committees or nomination of trustees, for example). This inclusion of diverse stakeholders allows for the establishment

-

You can learn more about how civil law jurisdictions can support data trusts, Dr. Anne-Sophie Hulin, Professor at University of Sherbrooke (Québec), explains the basic elements of Québec’s trust law and how it differs from common law trusts.

As a consequence, privacy, and the protection of personal data in continental Europe remain mostly formal entitlements with no practical purchase. If unmediated, city administrations’ craving for mobility data owned by the private sector can also translate into outright power grabs and privacy violations.

For example, in the United States, the Los Angeles Department of Transportation (LADOT) has deployed a protocol for mobility data called the “Mobility Data Specification” and has further created an Open Mobility Foundation with a group of stakeholders to manage the specification standard and advocate for its adoption beyond LA. The LADOT system has been challenged in court by both rideshare companies (initially led by Uber) and civil rights advocacy groups (led by the American Civil Liberties Union) on privacy grounds. The LA dispute reveals a clear need for data governance input in this process, and mobility data trusts as one example of an urban data trust could provide a solution.

Known power asymmetries between data controllers and data subjects show that individual data rights can be exercised best collectively. Urban Data Trusts position themselves as an intermediary between the city and its people offering access to mobility data and more efficient use of data privacy rights vs private companies who do not necessarily take into consideration the common good.

Here we explore the legal modalities of setting up data trusts in big urban centres with a focus on the Italian context.

Setting up a Data Trust in Italy

1. Two Legal Pathways

In Italy, a trust is a fairly used legal tool. There are two ways of establishing it: under foreign law (trust interno), and under an Italian doctrinal construction not yet passed as law but already in use (contratto di affidamento fiduciario).

a. Italian Trusts under Foreign Law

Unlike other civil law countries that encounter difficulties in adopting the common law instrument of the trust in their jurisdictions, Italy allows for the possibility of setting up trusts governed by foreign law. After becoming a signatory of The Hague Convention of July 1st of 1985 on the Law applicable to Trusts and on their recognition, Italy recognizes foreign trusts. Although said convention did not explicitly mandate the recognition of foreign trusts in countries that do not have that category (see Article 13 of the Convention), Italy went further in transposing international law. It allowed for the internal recognition of trusts whose significant elements are based in Italy but whose applicable law is not Italian. Thus, English law has been frequently used to create trusts in Italy. This legal specificity could possibly be used for establishing also a data trust. The well-spread use of trusts established under foreign law in Italy along with accumulated case law on the matter could help ensure legal certainty.

b. Trust-like legal instruments in Italy (Contratto di affidamento fiduciario)

Scholars have gone further in theorizing the common law of the trust for Italian purposes: under a contratto di affidamento fiduciario in a trusteeship agreement, “settlor” and “trustee” can agree on a programme which the “trustee” undertakes to implement by using one or more assets for the benefit of one or more “beneficiaries” for a period not exceeding 90 years. Uses of this type of a legal arrangement so far resemble the traditional uses of Anglo-American trusts in family matters. The advantage of using this legal route for setting up a data trust is that it could meet with more trust amongst the general public and perhaps better integrate into the rest of the Italian civil law system.

Holding (personal data) rights on trust in Italy

Italian doctrine supports the idea that a trust could have as its object (also) movable, fungible or non-fungible assets, receivables, financial instruments, stocks, assets and rights of all kinds. While the possibility of holding personal data rights on trust is not specifically foreseen by Italian law, importantly, a case of foreign trust has been examined by the Court of Milan,¹ where intellectual property rights were held on trust and so was the right to privacy of the author.

without further discussing the implications of holding such rights on trust (Tribunale Milano Sez. spec. Impresa, 29/08/2018, (ud. 21/12/2017, dep. 29/08/2018), n.8768).

 The General Data Protection Regulation (GDPR) that applies in Italy complicates the conferral or mandatability of personal data rights to a data trust. Conferral is not explicitly allowed nor excluded by the GDPR whereas under Article 80 of the Regulation mandatability is foreseen only for the so-called procedural or justiciable data rights (Art. 77-79 and 82 GDPR). Whereas the GDPR can be construed restrictively to preclude mandatability of other rights except for the ones specified, it could also be argued otherwise.

A wider interpretation of mandatability is supported by two instances of the Italian law supplementing the implementation of the GDPR.

• The GDPR allows Member States to introduce specific provisions in relation to employment data (Article 88). The Italian data protection act expands data access for institutes of workers’ protection and social assistance “in relation to types of data specifically identified with consent by the interested party himself/herself” (Article 116).

• The same law enables data subjects to exercise their personal data rights posthumously, so long as they have made explicit their intentions while alive.

These examples imply both the discretion of national legislators to set the boundaries of mandatability and the GDPR’s intent to enable mandatability.

Urban Data Trusts under Italian Constitutional Law

Finally, it needs to be said that the Italian Constitution presents a uniquely favourable framework for the development of urban data trusts in Europe. In Italy, metropolitan cities are explicitly mentioned in the Constitution. In conferring administrative powers to the Italian municipalities, Article 118.4 of the Italian Constitution favours the autonomous initiatives of citizens in the general interest of the city. The provision, also known as ‘horizontal subsidiarity,’ indicates that the entirety of decentralised organs of the state, including the municipal tier, are required to cooperate in the devolution of powers ‘all the way down’.

Making use of Article 118.4 of the Italian Constitution, numerous cities have opened the possibility to citizens to present projects and conclude pacts with the administration. Bologna spearheaded the process with a municipal ordinance about the collaboration between citizens and administration for the care and regeneration of urban commons which was later replicated and adapted in over 100 other Italian towns and cities. Based on such pacts, the municipality usually offers to cover some of the costs, provide experts and public space, and help with the promotion of the initiatives. Based on the municipal ordinance, in Bologna a pact for digital literacy has been signed between the administration and a social and cultural centre. The pact aims to develop some digital literacy activities to be offered to Bologna residents. The administration has committed to providing its media channel for promotion, offering training activities, and contributing financially.

In short, our survey of several European civil law jurisdictions revealed that the overall legal backdrop in Italy favours the establishment of a (mobility) urban data trust in an Italian city where the local administration may facilitate bottom-up uptake.

Our emerging ‘MUMU’ data society - one that enables ‘Many Users to use data for Many Uses’ - will require an array of different, specialist institutions and infrastructure enablers. Data Trusts contribute legal mechanisms to this infrastructure, which can help empower individuals to ‘take the reins’ of their personal data.

One particularly important - and sensitive - challenge is how Data Trusts interact with individuals’ personal data. Under the concept of ‘bottom up’ data trusts, data trustees exercise individuals’ legal rights on their behalf, including negotiating others’ access to, and use of, this data for them. Individuals would be able to switch data from one Trust to another. Achieving this vision in practice requires navigating questions about data access, management of consent and privacy, and how individuals might move between trusts.

At Mydex Community Interest Company, data is stored, in each individuals’ own personal data store. This PDS remains fully under the control of the individual: each PDS is individually encrypted with each individual holding their own private key to their own data store. Individuals can then use this data for multiple purposes of their own - they are empowered with agency and autonomy - including being able to share their data with those Data Trusts they wish to support at the same as sharing data with those organisations who provide services to them. This enables many uses and many users, not lock ins and limits.

 At first sight, data trusts and PDSs may look incompatible. But they could prove complementary, with PDSs providing infrastructure for Trusts to work much more efficiently and effectively.

The following diagrams illustrate the way person-centric data sharing works.

Services holding different types of data about an individual deposit verified copies of this data in the individual’s personal data store. This data remains under the individual’s control in their PDS, and kept up to date and accurate via a secure API link (two systems talking to each other over the internet safely and securely).

When the citizen needs to provide some of these data points to a different service provider they simply say ‘Yes’, and the data can flow accordingly - enabling them to bring their data with them to new service relationships.

Managing access to data in this way is of the core capabilities of any PDS infrastructure provider. It includes managing sometimes complex interoperability issues (e.g. software systems and formats that don’t ‘talk’ to each other) and keeping the data up-to-date and accurate (via API links with data originators). 

With complex webs of data access, understanding what users have consented to becomes a challenge. An underpinning personal data store infrastructure provides individuals with their own consent management dashboards, by which they can see and manage all consents and permissions for data access and sharing to all service providers and Data Trusts that they have data relationships with.

The ability to outsource these data storage, access and sharing challenges to a specialist operator could significantly cut costs and complexity for individual Data Trust operators. It would also avoid a huge amount of duplicated effort across multiple different Data Trusts which, without such infrastructure, would all have to build their own infrastructure for themselves.

Over time, as more data is collected in individual’s personal data stores, they will already hold an increasing proportion of the data that Data Trusts need: data that is already there and waiting to be shared. Different bundles of this data could be shared with different Data Trusts, according to their different speciality focus areas.

This also points to another challenge that practitioners must consider when building their data trust infrastructure: that of privacy protection. A Data Trust focused on, say, health issues, might be responsible for making decisions about the use of large amounts of highly sensitive personally identifiable data. This brings with it several important considerations. For example, individuals may be reluctant to share data if it is personally identifiable, especially if it could be accessed by third parties, even if it is only for research purposes. PDS infrastructure and decentralized data storage providers can solve this problem by enabling the sharing of data in a pre-anonymised form. For instance, Mydex CIC has already built a platform called Inclued which enables exactly this: the sharing of ‘profiles’ of people devoid of personal identifiers.

One of the first pilot projects funded by the Data Trusts Initiative, the Brixham Data Trust, a coastal community data trust - who aim to develop a dynamic local data ecosystem to inform, engage, and test the use of real datasets within a 3km radius of the town centre - is trialling incorporating Personal Data Stores into the infrastructure of the data trust to test this approach and look forward to sharing the project findings later in the year.

We know that technology has an important part to play in helping create data trusts, but what does that mean in practice? With both our understanding of how to operationalise data trusts and our technical capabilities changing at pace, part of the challenge today is to really pin down how the technologies we have map onto the functions that data trusts need to deliver. 

Data trusts vary in their nature – their purpose, focus, and stakeholders – and in their data strategies. While the focus of data trusts is management of the rights associated with data, the different types of data that trusts interact with and how these different data types are structured will affect their data management strategy. These differences affect how practitioners can go about building and maintaining a data trust, and the technologies that might be useful for them. However, looking across the lifecycle of a data trust, we can draw some lessons about what types of technology are useful, and what questions practitioners should ask when developing their technology strategy.

We can think about five stages of the data trust lifecycle: recruiting and enrolling members; populating the trust with data; making data accessible; maintaining trust; and sustainability.

To start, we need to think about who is part of the data trust, and where the data for the trust is coming from. Here, there are fundamental questions about why people should engage with a data trust. Usually, people or organisations are looking for some type of value to be created by the trust, by changing how their data is managed or used. That value can take many different forms, but – unless all participants in the trust are engaging altruistically – at its core a data trust will need a mechanism for returning value to its members. Practitioners will need to understand what type of value is meaningful to the members of their trust: this could be money; better services; influence, control or certainty around data use; tokens; or some other reward. The form of value that the trust is trying to create will influence the technologies it will need.

There is also a technical element to managing member recruitment or enrolment. Data trusts are often driven by an interest in serving a particular community, so those managing a trust need to think about how to link the technologies being used to the interests and dynamics of that community, and to community-building efforts.

Secondly, practitioners need to think about how to populate a data trust with data: where is data coming from, and how will it get ‘into’ the trust? Answers to these questions will again vary with context. For example, in healthcare, a lot of the data we’re interested in comes from health records. We can’t easily move those around between organisations or systems; they need to stay in one place. That means we need to think about how we access the information they hold – and use this data alongside other information sources – without bringing everything together in one place.

Again, these questions point to a foundational decision in setting up a data trust: will the trust be involved in the business of managing data itself, or will it be managing access to data? The choice of operating model here will affect the trust’s technical architecture: does it need to bring data together, will a federated structure work, or does the trust create space to bring users to the data? In healthcare, we frequently use trusted research environments or secure facilities where researchers can access sensitive data, without holding that data themselves.

Broadly-speaking, those setting up a trust will have two technology options when thinking about populating the trust with data. If data is moveable, then centralising it (creating one giant data repository) might be possible; if data needs to remain under the control of the organisation or individual that currently holds it, then a federated data infrastructure will be necessary. Across both of these options, practitioners will need to grapple with the technicalities of data harmonisation. When trying to bring data into the trust, we need to think about whether the different data sources being brought together are in the same format, or whether further work is needed to make sense of it.

The third stage in the lifecycle is about making data accessible. An objective of many data trusts is to increase data use, creating value through that use. Technical interventions may be necessary to achieve that goal. For example, to make data accessible to external organisations or parties that might want to use it, there will need to be descriptions of what data the trust manages, with what access conditions, and in what formats. This requires metadata descriptions.

In the next stage of the trust’s lifecycle, those managing a trust need to think about how they will keep contributors engaged and confident in the trust’s operations – essentially how the trust will maintain trust. There are various aspects to ‘trust’ that will be important, and different technologies can be useful in creating a system that delivers on those different aspects. Privacy preserving technologies can help manage concerns about what types of insight can be derived from data, and to demonstrate compliance with policy or regulatory requirements around personal data; immutable audit trails might be needed to prove who has accessed what data, and with whose approval, and distributed ledger technologies can help provide these; transparency is also an important element of trust – can the data trust demonstrate it has acted in accordance with its commitments – and technical systems will need to be designed for such transparency.

Last, but by no means least, is sustainability. Creating a data trust is all very well, but what is the model that will sustain it? From where will revenue come to support a potentially complex technical infrastructure and the people needed to maintain and operate that infrastructure? This also relates to the questions at the start of this post about value: who is expecting to receive what type of value from the trust, and how will the trust return that value to them?

In our Civic Data Identity Platform project, we’ve been working through some of these questions in the context of health data. We’ve been particularly interested in blockchain as an underlying technology that allows you to deal with the process of signing up, recruiting, and returning value to people. These technologies allow us to analyse how information and revenue flows across the data trust value chain, and how that affects the services that can be provided to members.

Through this work, and building on discussions from the Data Trusts Initiative, we can start to see a checklist of questions that data trust practitioners can use to develop their technology strategy:

• What type of value is the trust creating and for who?

• How will members of the trust be recruited? What technical system is needed to enrol new members and manage their information?

• Where is the data of interest to the trust currently held?

• Is the trust holding data itself or managing data access? How does this affect the value it seeks to create?

• How will data get ‘into’ the trust? Will it be held by other organisations, and accessed by the trust, or held centrally by the trust?

• Is the data being brought together in the same format, or is further work needed to curate it?

• What do the trust’s users expect? How will the trust maintain trustworthiness?

We’ll be launching the full results of our work with the Civic Data Identity Project on 28 March. You can find out more here, and read more about the Data Trusts Initiative’s emerging operational framework for data trusts here.

More research needed?

In our first Working Paper, we identified areas where further action was needed to clarify core data trust concepts and to understand what suite of practical actions could help deliver trustworthy data stewardship. This data trusts research agenda asked: how do data trusts fit in the wider data governance landscape? What institutional safeguards are needed surrounding data trusts? Which interventions will ensure data trusts are inclusive and representative?  Which business models can help ensure the continued sustainability of a data trust? And which use cases can help clarify how data trusts would work in practice?

Picking up this agenda, our Data Trusts Initiative-funded research projects have been investigating a variety of issues at the interface of theory and practice, including:

• What do recent use cases tell us about operational strategies for data trusts?

• How can legal mechanisms associated with data trusts enhance participation in healthcare research?

• How might data trusts operate in the urban context?

• How can data trusts support civic engagement and environmental stewardship in local communities?

• How can data trusts be created in civil law jurisdictions?

• Does the General Data Protection Regulation (GDPR) allow individuals to mandate their data rights to a trust (or other data intermediary)?

• What combination of technical and legal infrastructure can give individuals more control over data about them?

Moving from research to practice

Insights from these studies are deepening our understandings of the issues and challenges in moving from theory to practice. Taking the data trust pillars that were the basis of our research agenda – community dialogue, technical systems, legal mechanisms, business models, and use cases – as a starting point, they point to an emerging framework for operationalising data trusts. With the aim of helping create a pathway to real-world implementation, we’ve started mapping these insights into the operational framework set out below.

With research, policy, and practice in this domain moving at pace, those developing data trusts are often operating across multiple levels – and across multiple pillars – simultaneously. At an ecosystem level, data trusts practitioners are grappling with foundational questions about the nature of the demand for data trusts, what functions these trusts should deliver, and how the operational environment shapes their form and function. When considering what approach a data trust should take in this environment, different operational strategies might be possible, and a data trust will need to negotiate how to map those strategies onto trust-level objectives. At a practical level, those operational strategies translate to a range of different design choices, which will affect how a data trust works and how its beneficiaries interact with the trust.

The intersection of practice and policy

These projects are also increasing our understanding of the enablers that contribute to an amenable environment for data trust pilot projects. We’ve talked previously about the policy enablers that can support the development of data trusts on this blog before. Adding to these, our research projects highlight the importance of interventions that:

• nurture demand for alternative forms of data stewardship; and

• ensure data trusts remain trustworthy through appropriate safeguards or accountability structures.

If data trusts are to be truly bottom-up, they need to be accessible to all in society. This means not only building a public dialogue about data and its use and increasing data literacy efforts, but also making the purpose, language and operational of data trusts open and inclusive. Understanding what data trusts are and what benefits they bring needs to be easier, and there need to be ways of bringing communities together to agree how data trusts should serve their interests.

This clarity can provide a foundation for a wider set of interventions that ensure data trusts remain trustworthy. Those interventions might include common definitions about what a data trust – in comparison to other types of data stewardship – does; standards or certification mechanisms to ensure underpinning technologies are fit for purpose;  strategies that ensure sufficient longevity of data trusts; or testbeds that allow practitioners to explore ways of innovating and failing safely.

Supporting data trusts pioneers

Many of the issues surrounding data trusts today can only be resolved in application. Examples, case studies, and pilot projects are needed to work through different strategies, building on this operational framework and creating a pathway to real-world data trusts.

The Data Trusts Initiative is delighted to announce our first set of funded pilot projects. Over the next year we’ll be working with the Brixham Data Trust and the Born in Scotland Data Trust to set up community-focused data stewardship activities. You can read more about their work on our website, and we’ll be posting further insights or updates to our operational framework as these projects progress.

In September 2021, the UK Government published a consultation on proposals to reform the UK’s data protection regime. With the aim of creating “an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data”, the consultation is seeking views on which strategies can encourage data-enabled innovation across sectors, while maintaining high data protection standards. Reflecting growing interest in their role as data stewards, data intermediaries – and the role of government in supporting them – feature prominently in the areas considered by the consultation.

This focus on data intermediaries as a solution to current data sharing challenges aligns with policy developments we’ve seen across the world (and explored previously on this blog). The EU’s Data Governance Act has been developing a framework for governing data intermediaries, putting in place safeguards to ensure that they remain a neutral platform for data sharing, that participants have mechanisms to hold intermediaries to account if they fail in their services, and that they meet minimum standards for access and participation. India’s Committee of Experts on Non-Personal Data has been exploring how data intermediaries could provide a tool for communities to exert their data rights, and whether government should be able to mandate data sharing. And a series of consultations in Canada have investigated what interventions could strengthen existing data rights or increase the enforcement powers of regulatory authorities.

Data trusts are a form of data intermediary. Drawing from recent work by the Centre for Data Ethics and Innovation, the UK Government describes their role as providing “fiduciary data stewardship on behalf of data subjects”. This builds on research by the Ada Lovelace Institute and AI Council, which considered that “the distinctive elements of this model are the role of the trustee, who bears a fiduciary duty in exercising data rights (or the beneficial interest in those rights) on behalf of the beneficiaries, and the role of the overseeing court in providing additional safeguards.” In line with recent papers by the Global Partnership on AI, at the Data Trusts Initiative we see data trusts as playing a particular role in empowering individuals and communities to set the terms of data use by engaging a trustee to act on their behalf.

Even amongst data intermediaries, the data trusts community is nascent. A recent survey by the Open Data Institute and Aapti Institute found that 80% of data trusts projects were less than 5 years old or yet to be operational. As research and practice in this area evolve, there remain a lot of areas where our understanding of how to operationalise data trusts are in flux. This time last year, the Data Trusts Initiative published our first Working Paper investigating where further insights were needed to move data trusts from theory to practice. This highlighted a number of core areas where further insights where needed – about where data trusts fit in the wider governance landscape; what safeguards can help ensure accountability; which interventions can increase accessibility; and what business models can ensure sustainability. The research projects we’re supporting are investigating these areas in further detail.

While the community is making progress in understanding these issues, lots remains uncertain. In an environment where knowledge and practice are in flux, and the role of government is not clear, what action can policymakers take?

One approach to answering that question is to look for ‘no regrets’ steps – policy interventions that can be made now in the context of high uncertainty, because they deliver benefits across multiple future pathways for the development of data intermediaries.

Recent insights from our research projects, and work by our partners in the community including the Global Partnership for AI, Open Data Institute, and Aapti Institute, point to three areas where government intervention could support the development of data trusts on a ‘no regrets’ basis:

• Creating an enabling environment;

• Securing the legislative foundations; and

• Developing safeguards for innovation.

Creating an enabling environment. Data trusts – and other data intermediaries – are one component of a wider data sharing ecosystem. Their success will rely on enablers from that ecosystem – enablers that boost individual, organisational and societal ‘data readiness’. Individuals will need data literacy skills to help make sense of the ways in which their data are used, and to assess the value propositions of different data intermediaries. Organisations, meanwhile, will need sufficient data maturity to be able to make use of potentially valuable data they hold. This wider environment is shaped by policy levers – in education and skills; data standards and sharing policies; and support for businesses and civil society – that government can use to create an enabling environment for data intermediaries.

Securing the legislative foundations. Data rights and the ability to implement a regime of strong fiduciary duties are a prerequisite for data trusts (explored in more detail by the Aapti Institute here). While the UK’s current data rights regime does make provision for a range of data rights, we repeatedly see questions about the extent of those rights, the ways individuals can exercise them, and what types of fiduciary duty can be supported by different legal mechanisms. When reviewing the UK’s data protection regime, there is an opportunity for Government to bolster the legislative foundations that will enable data trusts, by clarifying the scope of current data rights and enhancing enabling rights, such as portability. For example, action now to clarify which data rights can be mandated to a data trustee (and under which conditions) would help resolve some of the uncertainties that data trust pioneers are navigating.

Developing safeguards for innovation. Central to the next phase of developing data trusts will be innovation in operational strategies, as practitioners figure out ‘what works’ in terms of defining, implementing and sustaining these new forms of data stewardship. This process may test the boundaries of current regulatory regimes; it may also highlight a range of new failure modes for data stewardship, or create new vulnerabilities or forms of exploitation. An important area for attention is the development of safeguards that can support innovation while managing risk to individuals, and while allowing unsuccessful projects to fail safely. This may require regulatory testbeds, forms of assurance or codes of conduct, or interventions that ensure no section of society is left behind from the benefits of data trusts (or disproportionately exposed to risks).

As the community matures – and specific regulatory needs become clearer, either in relation to data trusts themselves or their application in specific sectors – the data trust policy agenda will expand. In the meantime, these ‘no regrets’ steps offer a route for Government to start building the data trust policy environment now, taking an adaptive approach to policy and regulation as the pathway for developing this form of data intermediary becomes clearer.