What are data trusts and how do they work?
Could a new framework for storing and processing data rebuild consumer confidence?
Data, data, data. The news is full of tales of data breaches, and those with an eye on such matters will be aware of the sprawling mass of personal data available for miniscule sums on the dark web. But many aspects of modern life simply require data collection and analysis.
As a society we have to balance this modern fact of life with the need for scrutiny, control and regulation of those who collect, manage and utilise data. In the EU and UK we now have GDPR, which governs some aspects of this minefield, but there are other approaches too. Data trusts are emerging as potentially a key factor in both helping build public confidence and providing those who gather, store and use data with a range of checks and balances.
What are data trusts?
It’s the word ‘trust’ and the existence of trustees that are key to understanding what data trusts are and how they function. Jack Hardinges, Policy Advisor at the Open Data Institute (ODI), explains: “The ODI defines a data trust as ‘a legal structure that provides independent stewardship of data’.
“Groups of people or organisations that collect and hold data permit an independent institution to make decisions about how that data is used and shared for an agreed purpose. The trustees of the data trust take on those responsibilities and associated liabilities. They must ensure these decisions support the purpose of the data trust.”
That’s a strong, succinct definition of data trusts, but as with many things, there is some devil in the detail. For example, there is no accepted legal definition of a data trust, which means firms can say they are setting one up without really doing what a data trust should do according to the ODI’s definition.
This can be a problem. Hardinges points out: “The term ‘data trust’ is being used by some organisations to refer to any data sharing approach, which is making the term less useful.”
Safeguarding consumers’ data and building understanding
To help lay down some guidelines, artificial intelligence firm Element AI and the Mozilla Foundation have joined together to build data trusts. The partnership will fund and support policy and legal research as well as consider the technical and design components necessary to make data trusts a practical reality.
Philip Dawson, Policy Lead at Element AI tells us: “In a data trust, individuals would be empowered to pool the rights they hold over their personal data into the legal framework of a trust.” Where data is clearly the property of individuals rather than corporations, trustees have a duty of care towards those individuals. Dawson points out: “This is an important improvement beyond the current approach to data governance, for example, where platforms' primary obligation is towards their shareholders.”
In order for this to happen, consumers need to know their data is going into a data trust, and that’s one of the fundamental problems for this fledgling area. Dawson admits this was an area that requires “further development”.
“It could be part of the registration process for different services such as registering for a public health care or an industry association,” he says
Hardinges digs deeper into the question of creating and maintaining trust, telling us that data trusts will need to earn people’s confidence, acting transparently and having clear legal accountability. Publishing a range of information such as detailed information on trustees, decision making processes and approved requests to access the data will be key to all of this. He also suggests other means will emerge such as “auditing, certification or kite marks, professionalising ‘trusteeship’ or the role of data stewards, and specialised insurance products”.
Is all this workable?
Data trusts seem like a superb idea. Putting the individual first, investing safeguarding their data in the hands of trustees and backing good practice and policy up with the rule of law so that organisations get to use data in ethical, legal ways with consent does seem to be a goal worth shooting for.
But it’s early days and significant hurdles remain. Large, powerful organisations with a primary interest in monetising data, already have – and even own – vast amounts of data. Is it already too late for data trusts to be viable? Hardinges told us this is precisely what the Open Data Institute is investigating. Both Hardinges and Dawson also emphasise the challenges of operating in different international legal jurisdictions. But with traditional legislation also struggling to get to grips with this issue – think about Privacy Shield and Safe Harbour, for example – perhaps data trusts could offer a new way forward.