Reaping the Benefits from Safe Data Sharing

By Marcus Grazette, Europe Policy Lead at Privitar

We’re seeing a clear policy trend towards enabling data-driven innovation recognizing that pening data up for reuse and sharing is key to getting value from data. Data sharing and reuse can be internal (e.g. within an organization) or external (e.g. with researchers).

The Value of Data, a joint report by the Bennett Institute, ODI and Nuffield Foundation, stated that “value comes from data being brought together, and that requires organizations to let others use the data they hold.” However, data sharing and reuse raises challenges for ensuring trust, privacy and complying with data protection law.

Organizations often struggle with this in the context of their data analytics projects. Using data for analytics can provide business insights, help with product development, increase efficiency and more. This blog analyzes recent policy developments and charts a route to data, helping organizations to reap the benefits of safe data sharing.

Setting the Course

Over the last year, lawmakers in the UK and EU have demonstrated their clear ambition to make data more available for reuse. We’ve seen a number of new initiatives to promote, or require, safe data sharing.

Starting with the UK, we’re tracking:

• National government proposals for changes to the UK data protection regime. The Department for Culture, Media and Sport (DCMS) published a wide ranging consultation in September, alongside new national strategies on data (published December 2020) and AI (September 2021). All three documents focus on the need to enable innovation by boosting access to data.
• The ICO consultations, including on their updated guidance on anonymization and PETs and on their data protection in AI framework. Both align to the overarching objective of opening up data, and aim to help organizations to maintain legal compliance.
• Contributions from deliberative bodies. Recent notable reports by the CDEI (PETs adoption guide), the Ada Lovelace Institute (new data governance models) and the ODI (data institutions) are shaping thinking and approaches to data sharing and reuse. These complement government and regulatory initiatives by considering issues like ethics, industry best practice and public perceptions.

The European Commission has also been active. We’ve seen progress on:

• The European Commission’s proposed Data Governance Act. This aims to increase the sharing and reuse of personal and non-personal data, overcoming the barriers posed by a lack of trust and conflicting economic incentives in particular. The Data Governance Act includes a framework for data institutions.
• New guidance on anonymization and pseudonymization. The European Data Protection Board’s work plan for 2021/22 includes publishing new guidelines on anonymization and pseudonymization. We’re keen to read the guidance from the ICO and EDPB side by side. 

Organizations holding data are often unsure about what data they can share, for what purposes, with who and under what conditions. This lack of confidence is a key barrier to data sharing. The initiatives listed above help to create a clear framework and to provide guidance on difficult topics, including on anonymization, to build confidence.

From Policy to Practice

How can organizations use that framework and guidance to deliver data sharing in practice? Effective data sharing requires data to be findable, in other words data consumers can easily see what data is available to them, and requires robust governance processes to ensure that data consumers only access data that is safe to use.

We’re seeing three main approaches to these challenges in practice:

1. Data exchanges. A data exchange is a mechanism for making data assets visible to potential data consumers. It allows the consumer to browse data assets and to see some basic information about the data (e.g. type of data, number of records, and so on). The Health Data Research Innovation Gateway is a good example of a public-facing data exchange. Organizations can use internal data exchanges to facilitate data sharing between teams.
2. Data institutions. A data institution facilitates data sharing and access. It might curate and link data, apply appropriate protections including privacy protections, and manage usage rights (contracts, licenses, etc). Data institutions will often combine data from multiple sources. For example, there is a £5.3m project to build a Civic Data Cooperative in Liverpool. This is run by a consortium of local research bodies under the Liverpool Health Partners banner. The aim is to facilitate data sharing between NHS and local government organizations responsible for delivering care. Metro mayor Steve Rotherham has described it as a radical new approach to public health.
3. Technology. We’re also seeing significant interest in technical solutions to enable data access. These include privacy enhancing technologies, federated models, Trusted Research Environments and OpenSAFELY, a project launched to enable access to COVID-19 data for research.

We’re following all three approaches closely and have incorporated them into our new data provisioning platform.

Watch Privitar’s webinar exploring the current EU data privacy landscape, and learn how modern data provisioning helps you to navigate it and deliver safe data to fuel innovation.