Data Trusts: Supporting Trustworthy Data Use

Sharing data can bring a range of benefits for individuals, organisations and society. It can help tailor products or services, make business processes more efficient, and improve public services from healthcare to transport and more. However, while digital technologies have great potential to boost economic growth and enhance our wellbeing, as our daily activities – at home, at work, or in public – become increasingly digitally-mediated, these novel patterns of data use can leave us vulnerable in new ways. 

Existing laws already provide a variety of data rights that seek to prevent individuals being harmed by data misuse, but exercising these rights can demand considerable knowledge, time, and energy. Changing patterns of data use also create pressure points in current governance approaches as legislative frameworks struggle to cope with a data environment where data can be used and re-used in different – and unanticipated – ways. Achieving the promise of the digital economy will require robust new data governance institutions that allow data sharing – helping develop new data-enabled products and services – while protecting our rights and freedoms.

Broadly-speaking, two types of rights need to be taken into account when considering the suitability of different data sharing structures:

• Personal data rights: in some jurisdictions, citizens have rights to restrict processing and use of their personal data, alongside rights to move data between service providers, delete data, or access information held about them;
• Intellectual Property rights: depending on the level of sophistication of the tools or methods involved, data processing activities can give rise to IP rights over the insights drawn from data.

In addition to these rights-based concerns, data use is also affected by a variety of legal and ethical obligations. Access to data may need to be restricted to take into account an ethical obligation to prevent unintended harms (such as poachers having access to endangered animals’ movement data); legal obligations (such as statutory obligations pertaining to national security); or commercial concerns (for example, around competitive positioning or market insights).

In seeking to manage these concerns, a variety of legal tools to support data sharing already exists, based on contractual, cooperative or corporate structures. These may seek different goals, including: promotion of individual or organisational interest; pursuit of shared public policy or ‘social good’ aims; safeguarding against vulnerabilities arising from data use; or promoting enfranchisement.

Within these four considerations are embedded tensions, for example, between individual rights and those of wider society. These tensions and trade-offs need to be actively managed in designing data governance systems, recognising that resolution of these is not likely to be possible, and the choice of data access agreement plays an important role in achieving different outcomes.

Different frameworks for managing data access have different strengths and weaknesses and are differently suited to different purposes. The right data governance framework for a data sharing activity is dependent on who is participating, what their objectives are and what the nature of the data is, and the choice of data access agreement is shaped by the values and aims of those creating it. 

While today’s data governance frameworks are able to support a range of data sharing activities, recent years have shown their limitations when seeking to prevent the vulnerabilities that stem from daily digital interactions, or when supporting groups to promote data use for a collective purpose.  For example, reliance on consent as the basis for data sharing through contracts presupposes time, resources, and the ability to negotiate conditions for data use that most do not have. Data trusts offer a way of filling some of these gaps in the governance environment.

What Distinguishes Data Trusts From Other Types Of Data Institutions?

Data trusts are mechanisms for individuals to pool the data rights created by current legislation into an organisation – a trust – in which trustees make decisions about data use on their behalf. Bound by a fiduciary obligation of undivided loyalty, data trustees would exercise the data rights conferred by existing regulations (such as the EU’s General Data Protection Regulation) on behalf of the trust’s beneficiaries. Acting as an independent intermediary between data subjects and data collectors, the data trustee would leverage the bargaining power associated with the aggregation of data or rights in the trust to negotiate terms of data use in accordance with the trust’s terms.

Complementing the regulatory regimes that already exist in many countries, these new data institutions seek to manage the vulnerabilities that arise from shifting patterns of data use. Data trusts distinguish themselves from current data governance institutions – such as data co-ops and public databanks – not only through the level of legal safeguards they are able to provide through the framework of trust law, but also because they are uniquely capable of any combination of the aims above, depending on the focus of each particular data trust.

The core characteristics of a data trust include:

• Independent stewardship: Almost any right can be held on trust, and an emerging body of case law – for example, around managing rights relating to cryptocurrencies – illustrates how this concept is applied in the digital realm. In exercising data rights held in trust, trustees have a fiduciary responsibility to the beneficiary. These require that trustees act with undivided loyalty in pursuing the best interests of the trust’s beneficiaries and create safeguards that help ensure trustees operate independently of other interests when managing the trust;
• Institutional safeguards: Trust law has some well-established processes for holding trustees to account, with the overseeing Court offering a route to remedial action against a trustee considered to be in breach of the terms of a trust. In the event of a claim, it is for the trustees to demonstrate that they have sought to promote the beneficiaries’ interest with appropriate degrees of impartiality, prudence, transparency and undivided loyalty;
• Collective action: The ability to pool rights in a trust, coupled with the flexibility of trust law in managing a range of different types of right, is core to the ability of data trusts to act as powerful intermediaries in negotiating data use. Instead of being faced with the choice of either agreeing to lengthy terms and conditions or being unable to access digital services, individuals would task a data trustee with negotiating more favourable terms of data use on their behalf. That trustee could set out to promote data use for certain purposes, or restrict its use for others, using the power associated with the aggregation of rights in the trust to increase their influence in negotiating terms of use.

In the same way as 19^th Century ‘land societies’ empowered people to get the right to vote by pooling resources (to acquire a piece of freehold land), data trusts could help empower otherwise disenfranchised groups. With access to the bargaining power associated with the aggregation of data rights in the trust, the trustee would be better-placed to negotiate terms of data use – and respond to undesirable uses of data – than any lone individual.

Next Steps And Link To Financial Institutions

Some forms of data trust-like ‘data stewardship’ already exist. Prominent examples are associated with financial institutions. In Germany, for example, Sparkassen are financial institutions that display some of the traits associated with data trusts – they create space for members to engage in a form of collective governance within a framework of fiduciary duties that ensure the institution acts in their best interests. In the US, there is a history of credit unions that are governed by their members, some of which are now looking to data trusts as a new potential area of activity. 

How might we imagine data trusts emerging in finance today?

A scenario might help us think through this question: A bank wishing to offer new products and services to its customers, or otherwise increase customer engagement, might seek to empower its customers to benefit from insights derived from their data. In a bid to demonstrate how seriously the bank takes its ethical responsibilities when it comes to personal data, it might seek to sponsor the creation of a data trust that works on behalf of its customers – independently of interference from the bank itself (both legal independence and actual absence of conflict of interest is key). This data trust could be flagged as enabling the bank’s clients to ‘take the reins’ of their data. All the data that would normally be collected directly by the bank would only be collected on the basis of terms and conditions negotiated by the data trustee on behalf of the trust’s beneficiaries. The trustee could also negotiate similar terms (or negotiate to revise terms of existing individual agreements) with other corporate entities (supermarkets, for instance).

In such a scenario, customers might choose to engage with the trust either to secure direct value – better banking services – or with the aim of changing how data collected about them is used.  

This scenario points to the range of issues that must be addressed to advance the debate on data trusts – from clarifying what value they offer to different stakeholders, to identifying what data rights can be held in trust in different jurisdictions, to understanding business models and forms of participatory governance.

For more information on data trusts as a legal structure: https://doi.org/10.1093/idpl/ipz014

For more information on the difference between data trusts, data coops etc: https://datatrusts.uk/blogs/selectingdatastructures

Jessica Montgomery
Jessica is currently Executive Director of the Accelerate Programme for Scientific Discovery, a new initiative developing AI tools and collaborations to tackle scientific challenges. She is also Director of the Data Trusts Initiative, a project tackling the actions needed to create trustworthy data governance frameworks. Her interests in AI and its consequences for science and society stem from her policy career, in which she worked with parliamentarians, leading researchers and civil society organisations to bring scientific evidence to bear on major policy issues. At the Royal Society, Jessica established and led a wide-ranging programme of policy development, public dialogue and international engagement that explored the frontiers of AI technologies and their implications for society. She worked with senior researchers, policymakers, civil society and industry to identify emerging policy needs and develop policy frameworks to enable safe and rapid deployment of these technologies. In her prior role as a Senior Clerk at the House of Commons, Jessica advised MPs on parliamentary procedure and practice. While advising a number of select committees – including Transport; Business, Innovation, and Skills; Regulatory Reform; and Science and Technology – Jessica managed inquiries into a range of science and policy issues, bringing evidence into the heart of political decision-making.

Sylvie Delacroix
Professor Delacroix focuses on the intersection between law and ethics, with a particular interest in data and machine Ethics. Her current research focuses on the design of computer systems meant for morally-loaded contexts. She is also considering the potential inherent in ‘bottom-up’ Data Trusts as a mechanism to address power imbalances between data-subjects and data-controllers: see https://datatrusts.uk for an overview. Professor Delacroix has served on the Public Policy Commission on the use of algorithms in the justice system (Law Society of England and Wales) and the Data Trusts Policy group (under the auspices of the UK AI Council). She is also a Fellow of the Alan Turing Institute and a Mozilla Fellow.