Unlocking the value of data - Independent Expert Group: final report

2 Policy Statement, Principles & Recommendations

We recommend the following policy statement for adoption by the Scottish Government, to guide the use of public sector personal data by the private sector.

2.1 Recommended Policy Statement

We consider that when public sector personal data is used by the private sector, this should be done in a way which delivers public benefit and is in the public interest.

This requires consideration of matters including:

• the potential benefits and consequences of data use for the public;
• people’s rights (in particular the right to privacy); and
• any value (and also any costs and harm) that is expected to be generated by the data use (viewing value in the broadest economic, social and/or environmental terms), including how these benefits and value will be shared with the public.

In order to achieve the vision comprised by the Statement, we have formulated the following Guiding Principles and Recommendations to steer and underpin the decision-making and governance by relevant stakeholders in the Scottish public sector on permitting access to the personal data they hold by private sector organisations.

2.2 Guiding Principles

We have devised seven high-level Guiding Principles which we present here with some context and explanation.

An initial and early version of these Principles was made public in August 2022 for comment. We have refined these principles based on feedback from a number of sources in the intervening months, including from attendees of the September 2022 public webinar, the Practitioner Forum in late 2022-23, the engagement workshops with expert stakeholders and the general public run by DemSoc, also in late 2022-23, and elsewhere.

Practitioner Forum input has been particularly important in understanding how viable these principles would be in terms of implementation in current systems. We acknowledge that the Principles have not been further 'tested' or 'validated' at this point, and given the current status of systems, some may be more aspirational than practical for the time being. Other Principles do, however, reflect and reinforce existing practices and approaches to data access and governance in the Scottish public sector. In any case, while the Principles can be viewed as a guide rather than as 'set in stone', their spirit should not be compromised in any future implementation.

In finalising the set of Principles, we removed two principles which were among the original set. One of the two, 'Precaution' was considered to be covered already in other Principles, notably #2 Public interest and public benefit and #3 Do no harm. The other removed principle, 'Right to opt out', was discussed at length among the IEG and Practitioner Forum stakeholders. Concerns were raised about the lack of feasibility of a right to opt out - who would enforce and regulate this right? Existing technical data systems in Scotland and data sharing practices have not been designed around such opt out. Concerns were also raised about the possibility of datasets being biased or unrepresentative if people were able to opt out, which may have detrimental impacts on research and subsequent development based on those data. Some members of the IEG remained in favour of retaining the right to opt out as a principle (based on their and others' research among other topics e.g. Kuntsman & Miyake, 2022; Daly, Devitt & Mann, 2019; see also Hartman et al., 2020). However, as there was no longer a consensus or agreement on this point among the IEG, the Principle was removed. Nevertheless, we do consider that facilitating people's control and autonomy over their own personal data is a key issue for further exploration beyond the lifetime of the IEG.

Another point on which there was no consensus was as regards intellectual property (IP) and benefit-sharing, with some IEG members advocating for the Scottish public sector to co-own IP rights over the outputs created by the private sector using public sector personal data, while other IEG members considered that this would be unworkable in practice and detrimental to economic value being produced. Accordingly, we have advocated for appropriate benefit-sharing models to be adopted, without specifying further what these should be in terms of IP ownership.

The final set of Guiding Principles are as follows:

1. Public engagement and involvement

Public confidence and trustworthy data use are of paramount importance. All decisionmaking about and governance of private sector use of public sector personal data should actively seek to support the dual aims of public confidence and trust.

Decision-making and governance by public sector data controllers need to support this principle by incorporating forms of evidence and expertise such as:

• Findings from high quality, diverse and proportionate public engagement and public involvement in developing the process of how decisions are made about use of personal data, including those who are seldom heard, and bodies representing communities of interest;
• External expertise in, for example, data science, law, ethics, public administration and business, equality, diversity and inclusion;
• Established Scottish, UK and international evidence on what is considered to constitute public benefit, public interest and public value.

The public and experts need to be involved and consulted throughout the data lifecycle (from data creation to data destruction) as data creation, access and use is a dynamic process. The use of evidence, expertise and public engagement should therefore be ongoing and reviewed throughout the data lifecycle.

Consultation with publics can also ensure and demonstrate that use of personal data is fair (see ICO guidance) and allow potential risks and harms to be identified and managed. Such consultation should be ongoing.

In seeking to animate this principle, we view the Data and Intelligence Network Pilot Public Engagement Panel as a promising initiative which may facilitate meaningful public engagement and involvement in decision-making and governance about public sector data use and access in Scotland. The pilot is scheduled to deliver a final report later this year. Furthermore, this work has built on the Scottish Government's Digital Ethics Group, which published their report Building Trust in the Digital Era: Achieving Scotland's Aspirations as an Ethical Digital Nation in 2022.

We acknowledge that public and expert engagement and involvement has resource implications for Scottish public sector bodies. In light of this, the Scottish Government should provide adequate resources to facilitate this engagement and involvement. If there is a limiting of such resources, then issues around the proportionality of public involvement will need to be addressed.

Less resource-intensive methods of achieving this for the Scottish public sector could include the involvement of lay representatives on decision-making panels, such as the Public Benefit and Privacy Panel (PBPP) model mentioned below; and adhering to best practice standards on engagement and participation by those in private sector organisations wishing to use public sector data.

In sum, ultimately, the precise approach will need to be considered on a case-by-case basis. However, taking into account our work over the last 15 months, alongside the evidence provided by publics and experts, there is an indication that meaningful public involvement and engagement is the cornerstone of acceptable data access and use.

2. Public interest and public benefit

All access to public sector personal data must be done in the public interest and must also (intend to) produce public benefit and public value.

As is discussed at length later in this report, both concepts – public interest and public benefit – are deeply contextual, and indeed closely linked. What is 'good' as a benefit or is 'in the public interest' depends on the values or objectives of society. For example, the Scottish Government's Digital Strategy from 2021 sets out the aim that Scotland should be an Ethical Digital Nation.

In our work we have considered a wide variety of different ways that these somewhat elusive terms can be understood in order to provide a starting point for future discussions on private sector use of public sector personal data in Scotland.

We consider that recent work undertaken by the National Data Guardian (NDG) (2022, p. 3) to help define 'public benefit' as a '"net good" accruing to the public' could be drawn on in Scotland by public sector data controllers and panels assessing whether a proposed data use produces public benefit (see Section 3.7.1 on Public Benefit below for full details).

When seeking to define the public interest, it has further been proposed that: 'actions taken in the public interest can be broadly described as those that promote objectives valued by society' (Harvey & Laurie, 2021). We suggest that data access and use that is in the public interest should not only deliver demonstrable public benefit, but should also take place in such a way that takes account of:

• the need to engage and involve publics;
• the recognition that the public interest may change over time and therefore requires review; and
• transparency and accountability.

These are features that permeate our Guiding Principles.

Taken together, this suggests that a 'bottom-up' approach may be preferred, whereby the public interest and public benefit are terms that are co-constructed with publics, in specific contexts, rather than 'defined' by the IEG or a similar entity (i.e. a top-down approach). This is reflected in our Recommendations that invite greater involvement of the Scottish public in the UVOD Programme henceforth.

Value should be produced for the people of Scotland. This value should not solely be financial or economic in character, and should also be social and environmental: so economic value is not the only type of value. However if economic value is produced by the private sector using public sector personal data, this value must be shared with the people of Scotland, for instance through appropriate benefit-sharing mechanisms. Regard should also be taken of the social, environmental and economic costs as well as value which may be produced. In the case of the environment, we follow the Digital Ethics Expert Group Report (2022, p. 25) in advocating for a 'Green Digital Scotland' as part of Scotland's ambition to become an Ethical Digital Nation which 'addresses the environmental impacts of its digital usage', in particular the power consumption and carbon emissions produced by storing and processing digital data.

If the only benefit of a specific data use is the generation of profit by a commercial organisation, it is unlikely that use can be deemed to be in the public interest or to deliver public benefit, in line with the NDG guidance mentioned above. However, the NDG (2022, p. 9) does recognise that 'the generation of proportionate commercial profit may be acceptable to the public if the use also delivers a public benefit, such as improved services or improved NHS knowledge and insights'. It is important that such improvements/benefits should not just be alluded to, but carefully outlined along with the pathways that will be used for such benefits to return to the public and e.g. the NHS. For example, will they be 'sold back' to the NHS? This knowledge may impact on whether a use of personal data would be in the public interest or not.

Data controllers and other decision-makers in the Scottish public sector are responsible for making decisions about whether and how to permit access to (personal) data held by the public sector. However, they need support in making these decisions in ethical, accountable and consistent ways. To do this, input from the public is necessary, especially in the form of ongoing consultation and engagement with publics on their views on public benefit, public interest and data use.

In addition, there should be some representation of the public in decision-making and governance, which might draw from the pre-existing PBPP model in Scottish health, as they include 'lay' members i.e. members of the general public, as well as subject-matter experts. Another option would be to have panels only made up of lay members of the public making or contributing to the making of decisions, as suggested in the ONS-ADR UK report considered below. In any case, members of the public involved in panels need to be compensated for their time and receive other support for their contributions and attendance.

To ensure decision-making and governance is consistent, certain tests and questions could guide panels assessing requests for personal data in order to establish whether public benefit and public interest is proven/shown.

We further recommend more detailed tests and guidance around public benefit and public interest be devised on the basis of these principles, insights from charity law and the NDG guidance from England, and further expert and public input in Scotland.

A reasonable rationale for public benefit, public interest and value must be demonstrated, made transparent and revisited over time including before access to data is granted and after data has been accessed and used. General and unsupported claims to public benefit, interest and value should not be accepted.

We also urge data controllers, panels and others involved in decision-making and governance to ensure that an open, transparent and accessible review is undertaken of instances where personal data has been used once the project or initiative is complete. Here, relevant decision-makers should discern whether the claimed public benefit was indeed created by the private sector organisation accessing the data. Learning gleaned from such reviews should be fed back into decision making and governance to drive improvement over time.

A common situation when a private sector organisation wishes to access public sector personal data will often involve the production of commercial benefit, overlapping with public benefit also being produced. When addressing such situations where commercial benefit as well as public benefit will be produced, this should be proportionate to the public benefit produced. The public benefit evaluation process should ask the applicant to provide a transparent assessment of how the commercial interests are proportionately balanced with the benefits to the public. This process should be as open, accessible and transparent as possible, in the spirit of open government and open data.

We do acknowledge situations in which the public benefit may be harmed if private sector organisations cannot use public sector personal data. In such situations, the public benefit may be better served by permitting this use. However, harm to public benefit from not allowing the use of personal data would need to be evidenced. If such harm includes companies being dissuaded from setting up in Scotland or from hiring more staff in Scotland, this would need to be demonstrated with evidence.

To ensure accountability, those making decisions about data access should give reasons for their decisions, and these should be made publicly available if possible. Private sector organisations accessing data must also be accountable to both the public sector data sources and to the public at large. One way of facilitating this is through transparency, one of our later principles.

3. Do no harm

Allowing access to personal data by companies should seek to produce no harm. If something harmful occurs, this should be addressed immediately.

Some uses of personal data may involve risks of harm being produced. These risks need to be acknowledged, addressed, mitigated and reduced to acceptable levels before private sector organisations can access (and can continue to access) public sector personal data, to the satisfaction of data controllers and others involved in decision-making and governance, such as panels.

Data protection law (Recital 4 of the UK GDPR) states that the processing of personal data should be designed to serve 'mankind' [sic] and recognises the need to consider it 'in relation to its function in society' and to balance the protection of personal data against other human rights, in accordance with the principle of proportionality.

This principle is also in line with good data protection implementation and compliance, especially as regards data security and personal data breach obligations.

Harm should be viewed in a broad sense. While it will include direct misuse and non-securing of personal data (which would also likely be infringements of data protection law) it may also include uses that are not illegal as such. Non-illegal conduct might include conduct that would cause reputational damage to the Scottish public sector. In the same way that we adopt a broad view of what 'value' is, we also adopt a broad view to what 'harm' is and can include physical, emotional, financial, economic harm, to people, the environment and the economy in Scotland and the world at large. Harm may also involve only private commercial benefit being produced from the use of public sector personal data, although in such a situation, the 'public benefit and public interest' principle (#2) will also not be fulfilled either.

As with public benefit and public interest, the concept of 'harm' should involve input from publics about what they consider to be harmful. This input and dialogue on harm must be ongoing. Feedback from DemSoc workshops with the public identified participants had quite expansive definitions of what constitutes 'harm'.

There may also be different risks associated with the kind of personal data for which access is being sought: is it fully identifiable personal data? Pseudonymised data? Aggregate data? Synthetic data? How is it being accessed? In a TRE? etc. These should also be taken into account on a case-by-case basis.

Private sector organisations could be required to carry out a data protection impact assessment (DPIA) and equality impact assessment (EQIA) before being able to access data. DPIAs are part of a risk-based approach to personal data use, and are required by law to be completed 'for processing that is likely to result in a high risk to individuals', but the ICO recommends that they are completed also 'for any other major project which requires the processing of personal data'. If not currently the practice, we recommend that DPIAs are completed for all requests by the private sector to access public sector personal data.

EQIAs facilitate the understanding of the potential impact of a policy or activity on equality by 'ensuring that the policy does not discriminate unlawfully; considering how the policy might better advance equality of opportunity; and considering whether the policy will affect good relations between different groups' (Equality and Human Rights Commission, 2016, p. 10). In Scotland, EQIAs are a specific legal requirement for public sector public bodies under the Scottish Specific Public Sector Equality Duties. Any public sector organisation in Scotland with a policy of sharing personal data with the private sector must conduct an EQIA of that policy (whether new, revised or existing policies).

There are already systems in place to manage risk, especially in the health sphere, such as the privacy and public benefit panels, public interest assessment, use of TREs, use of less risky data e.g. deidentified data, approved researcher processes, and contractual conditions on access, among others. These should continue to be used, and, where they provide examples of best practice, consideration should also be given to expanding these into areas where they are not currently used. This may be where such systems will help to balance the interests in data use (including with private sector organisations), and the need to protect privacy and other rights and avoid harm.

There may be certain uses and circumstances of public sector personal data by certain private sector organisations for certain purposes where the risk of harm is so high that the public sector data controller should not permit access. Such scenarios might be termed 'red lines' and include e.g. access by insurance, credit rating and marketing companies. Again, we also consider it unlikely that such uses would meet the public benefit principle.

Once data access has been granted, risks should be monitored on an ongoing basis by all relevant parties, including the data controller and the private sector organisation using the personal data. This tracking will have resource implications for public sector data controllers which need to be met by the Scottish Government.

4. Transparency

Transparency is linked to public benefit, public interest, and public engagement as the value of personal data access by private sector organisations needs to be open to scrutiny by society at large, throughout the data and project lifecycles. There must be transparency about, for example: I. Which public sector personal data is being accessed from which public body?

II. Which private sector organisation is accessing the data?

III. When?

IV. For what purpose?

V. What are the specific public benefits, public interest and value of the purpose/s?

VI. What does the private sector organisation do or make with that data?

VII. How are benefits of/value generated by those outputs shared with the Scottish public sector AND the people of Scotland?

VIII. How are decisions made by the public sector to grant access to personal data? IX. How is access managed and what controls are in place (e.g. TREs, panel reviews, approved researchers etc)?

X. To what extent the use of data actually did produce the public benefits in practice and was value was shared back with the people of Scotland?

This Principle complements and augments various pre-existing transparency and data reporting requirements, including from data protection law, freedom of information law, Information Asset Registers, and Caldicott Requests (in the NHS). However, transparency is not just about providing information, but rather about ensuring that this is useful, easy to find, and intelligible to people.

The highest levels of transparency and public communication should be implemented by the Scottish public sector. This means that claims by private sector organisations about the need for commercial confidentiality over matters which would impede the measures of transparency listed above must be critically appraised by public sector organisations and accepted only where deemed necessary and in accordance with public benefit and public interest. Private sector organisations accessing public sector personal data should bear obligations to provide this information, especially at the end of a project, to the public sector, which should be made publicly available.

Appropriate resources and procedures need to be put in place within the Scottish public sector to facilitate this transparency. The aforementioned information must also be publicly communicated. This might involve different communications aimed at different groups e.g. for researchers, for regulators, for the general public. Some of this communication could take place via a publicly available data use register for the public sector in Scotland, which could be run by Research Data Scotland.

5. Law, ethics and best practice

Any access to personal data must be permitted only in line with the highest legal and ethical standards, including best practices internationally in areas including: privacy; data protection; equality and human rights; and data ethics.

It is clear that any access to personal data must only be permitted in line with the law, notably data protection law and equality and human rights law. However we have seen at times that this does not always happen so it is worth reiterating here. The law only goes so far, and public sector organisations and private sector organisations must also adhere to ethical approaches and best practices. Ethics and best practice are evolving, and should be informed by local, national and international expertise, and may also be informed by public engagement, especially on what publics consider to be ethical. What is ethical is likely to be linked to notions of public benefit, public interest, harm, and risk. This will ensure Scotland is an Ethical Digital Nation, in line with the Digital Strategy.

If best practice is not currently implemented in Scotland, this should be aimed for by public sector organisations in terms of how they govern and manage the personal data they hold. As mentioned earlier, our work relates to the legal standards as they are at the time of writing. If the UK Government is successful in implementing the Data Protection and Digital Information Bill into law, this will likely lower data protection standards in UK law compared to those implemented from the EU GDPR. Such a situation may entail a more important role for best practices. What constitutes best practices in this area should be part of the ongoing dialogue with, among others, experts in relevant areas in Scotland and internationally.

6. Enabling conditions

Enabling conditions need to be in place within Scotland’s public sector if personal data is to be made available for access by the private sector. For example:

1. Public sector organisations (PSOs) need to be aware of what personal datasets they hold and publish information about them publicly.

2. PSOs should identify and address inequalities in current public sector datasets, notably the extent to which data can be disaggregated by protected characteristics.

3. PSOs need to ensure the security and quality of the datasets they hold.

4. PSOs need to have staff with adequate skills and training in place on data, digital and information governance literacy.

5. PSOs need to have adequate resources to support the provision of access to personal data they hold to the private sector.

Public sector bodies are funded to deliver public services and not necessarily to support private sector requests including for personal data access. This may involve additional effort and resources from the public sector organisation, for which the public sector organisation is not resourced, especially in times of fiscal restraint such as the current one.

Personal data is also primarily collected by the public sector in order to provide public services, so the data available can include administrative data collected as part of that service delivery. This may mean that not all potential datasets generated are easily usable by other actors, such as the private sector and other researchers, since these are not 'research ready'. The lessons learned to date across local government indicate many potential datasets would require considerable cleansing and additional methodological detail (e.g., robust metadata) to enable wider re-use, if such use was deemed appropriate (Tetley-Brown & Klein, 2021). If datasets are to be made more accessible this may require further resources for the public sector organisation. If the Scottish Government views this as desirable, it should ensure that it provides adequate resources to this end.

One concern raised by IEG and Practitioner Forum members is that there are inequalities present in Scottish public sector personal datasets. In particular, concerns were raised about the extent to which data can be disaggregated by the protected characteristics under the Equality Act 2010 (see section 3.2.2 below). Mitigating these inequalities is key to ensuring Scotland is leading with law, ethics and best practice in this area. Datasets should be checked for relevant inequalities, since otherwise permitting further access and use of that data could further embed and further reinforce those inequalities. The work carried out under the new Equality Evidence Strategy (see section 3.3.6 below) will help to achieve this.

We acknowledge that work is already being carried out at both the Scottish and UK Government levels in the context of, for instance, data maturity, transformation and standards (including cataloguing, 'findability' and consistent application of metadata for data sources). We include this principle to support and augment that work, which should be done in concert with other policy initiatives such as UVOD.

7. Regular review

These principles should be subject to routine review and ongoing monitoring through deliberation with the general public, public sector, private sector and third sector stakeholders, academic and other experts, in Scotland and elsewhere, to reflect developments in evidence, technology and practice.

In making regular review a principle, we aim to highlight the ways in which many policy initiatives, including involving expert groups, can be viewed as a 'one off' event to set policy at a particular point in time for the foreseeable future. In a topic as dynamic as data, that approach is not appropriate as many factors change, even over short periods of time. Therefore we seek to have regular review enshrined as a principle to raise its importance and its crucial role in this particular context. This needs to be supplemented too by ongoing monitoring, possibly by an independent oversight agency or independent commissioner such as that suggested in the D&IN Ethics Framework ('a Data Ethics Guardian or Commissioner for Scotland').

2.3 Recommendations

Drawing from the Principles and context, we have devised the following recommendations, grouped under the following themes of 'Engage', 'Enable'' and 'Ensure'.

Engage

1

Heading

Engage in ongoing meaningful public and practitioner involvement and review throughout the data lifecycle

Recommendation

The Scottish Government should provide adequate resources to facilitate the implementation of these Principles including supporting ongoing meaningful public and practitioner involvement and engagement.

The Scottish Government should devise an ongoing programme of engagement with different stakeholders and the general public, including before these principles and guidance can be operationalised.

The Scottish Government should ensure that the use of evidence, expertise and public engagement is also ongoing and reviewed throughout the data lifecycle, through all the stages from data creation to data destruction.

The Scottish Government should regularly review the principles we have devised and their implementation through deliberation with different stakeholder groups and this should reflect developments in Scotland and internationally in evidence, technology and practice.

Considerations

The Research Data Scotland Public Engagement Fund is a step in the right direction to fulfil this recommendation.

This review and monitoring may involve the Scottish Government setting up a new independent oversight agency or commissioner to perform these tasks and hear complaints about processes. This aligns with the suggestion in the D&IN Ethics Framework to appoint a 'Data Ethics Guardian or Commissioner for Scotland'.

2

Heading

Engage with expert stakeholder groups including:

• The private sector
• The third sector
• Academics

Recommendation

The Scottish Government should ensure deeper engagement and consultation with private sector organisations to understand the challenges and benefits of public sector personal data access.

The Scottish Government should ensure deeper engagement and consultation with third sector organisations.

Considerations

Some stakeholders pointed to the Scottish Government Data Strategy for Health and Social Care consultation process as receiving good engagement and feedback from the private sector, which may form a model for future private sector engagement.

Better formats for engaging with the private sector are needed, which may involve a smaller commitment of time and resources than conventional consultations and expert groups request.

The Scottish Government should consider what would be more effective ways to engage with industry and at what point in the policy and consultation cycle.

The Scottish Government needs to recognise the pressure that such organisations operate under and consider whether some kind of resource support could be provided to facilities the involvement of these groups and individuals in the policy and consultation cycle.

Recommendation

The Scottish Government should also ensure deeper engagement with academics, from a wide range of disciplines (including data science, social sciences, humanities, law, ethics, public administration and business, health, equality, diversity and inclusion) and institutions in Scotland and elsewhere.

The Scottish Government and Scottish public sector data controllers should engage in an ongoing dialogue about these issues with experts in relevant areas in Scotland and internationally.

Considerations

This engagement with academics and institutions should facilitate the identification and use of established Scottish, UK and international evidence on what is considered to constitute public benefit, public interest and public value and other topics.

The Scottish Government should consider implementing the Council for the Orientation of Development and Ethics (CODE) model as a way of engaging independent experts throughout a project lifecycle.

3

Heading

Engage the general public

Recommendation

The Scottish Government should ensure that the general public is involved in decision-making about aspects of private sector access to public sector personal data, including in the co-creation of notions of public benefit, public interest and harm.

Considerations

The diversity of the public should be acknowledged and the views of those who are seldom heard and bodies representing communities of interest should be included. The National Standards for Community Engagement can help facilitate this.

We also follow Erikainen and Cunningham-Burley's (2021, pp. 18-19) recommendations that this should:

• 'involve the use of deliberative and dialogue based public engagement methods'
• 'identify where, to what extent, and at what levels, publics wish to be involved in decision making about private sector use of public sector data'
• 'identify the best and most acceptable oversight, governance, and safeguard mechanisms that should be implemented to govern private sector uses of public sector data in ways that ensure that data is protected, and that public benefit is realised'; and
• 'ensure that all cases of private sector use of public sector data have stringent oversight, governance, and safeguard mechanisms that publics find acceptable and trustworthy'.

Recommendation

The Scottish Government should ensure (adopting Erikaninen and Cunningham-Burley's recommendation) that publics be involved in the development of effective benefit-sharing models for private sector partnerships, including profit sharing and reinvestment of profits into the public sector.

The Scottish Government should ensure (following Erikaninen and Cunningham-Burley's (2021, p. 19) recommendation) that 'all cases of private sector use of public sector data are transparent and clearly communicated to publics, and implement educational campaigns that inform publics about private sector use of public sector data more generally'.

Considerations

We further recommend adopting Berti Suman and Switzer's (2022, p. 39) recommendation:

'Be aware of how framings from government as well as other dominant actors (such as market actors) can erode or undermine 'true' public benefit and engage the public via processes of public engagement on the assessment of public benefit and in the co-creation of the notion of value.'

In doing so, the Scottish Government should 'seek to build social licence as a fundamental resource to ensure that private data sharing with businesses operates as a trigger for public good' (Berti Suman & Switzer, 2022, p. 39).

We recommend that the Data and Intelligence Network and Research Data Scotland be the most appropriate facilities to take forward such public engagement activities including for the UVOD programme.

Enable

4

Heading

Enable early adoption of Guiding Principles in targeted policy areas

Recommendation

The Scottish Government, Public Health Scotland and other data controllers and decision-makers in the Scottish public sector should review their operations and implement the Guiding Principles.

Considerations

This implementation should occur firstly through a series of use cases/pilot projects which could be targeted at high value datasets such as health, planning and transport personal data.

5

Heading

Enable awareness of the data held

Recommendation

The Scottish Government should provide a clear and publicly accessible overview of what personal data is held by the Scottish public sector and how it may be available for access by others (other public sector organisations, private sector organisations, third sector organisations, academic researchers etc).

Considerations

Such an overview should also be provided in an accessible way to the general public, as well as to more expert audiences such as researchers. Research Data Scotland is developing a metadata catalogue for data in Scotland available for research which aims to help researchers discover data which is already available and give directions about how to access it, although this is still at an early stage of development.

In doing this, the Scottish Government and Research Data Scotland should consider implementing Earl et al.'s (2021, p. 22) recommendation:

'From earliest phases, develop ways to market the value and utility of the data sharing infrastructure to immediate stakeholders and users (i.e., researchers, private sector innovators) and be transparent about the risk and opportunities. Ways of doing this include involving stakeholders in the designs of the infrastructure or creating a typology of data and datasets that may be of value.'

6

Heading

Enable a streamlined approach to data access

Recommendation

The Scottish Government should implement a clear and streamlined process for accessing public sector personal data in Scotland which enables parity of access.

In implementing the findings from our work, the Scottish Government should ensure that a situation does not result in which the private sector can access public sector personal data more easily or swiftly than other public sector, third sector or other actors.

Considerations

This should take account of the needs of different types of users, e.g. private sector organisations, public sector organisations, third sector and academia. This recommendation complements the recommendation of the Life Sciences in Scotland Industry Leadership Group Digital & Data Subgroup in 2021 to implement a 'Once for Scotland' national data architecture and governance system for health and social care data. This also complements the vision from the Review of the Information Governance Landscape across Health and Social Care in Scotland (2022) for 'Streamlined Information Governance in Scotland, to enable the realisation of benefits from digital and data-driven health and care innovation' and the recommendations to establish a National IG Direction for Health and Care and 'de-clutter the IG landscape'.

Recommendation

The Scottish Government should consider implementing fast-tracked data access processes for truly emergency situations such as future pandemics.

Considerations

We recommend that the Scottish Government considers Earl et al.'s (2021, p. 22) recommendation to:

'Develop a central resource or agency, such as a data permit authority, that helps aggregate, combine, and link data and has the autonomy to decide which permissions to grant, as well as the resources needed to provide quality data. Make the process of this as transparent as possible.'

Research Data Scotland's scope could be expanded to encompass such a role.

Fast-tracked data access processes in emergencies should build upon the work of the Data & Intelligence Network including its Ethics Framework.

7

Heading

Enable shared standards and protocols and enable high standards and best practices

Recommendation

We support Earl et al.'s (2021, pp. 21-22) recommendation that: there should be a: '[f]ocus on creating shared data standards and protocols across agencies and local and national contexts - a public agency could be dedicated to this role. These data standards should create confidence in the quality of the data as well as the consistency of the data sets.'

The Scottish Government and Scottish public sector data controllers and others involved in decision-making should ensure that private sector access to public sector personal data is only permitted in line with the highest legal and ethical standards, including international best practice.

Considerations

Doing this could also ensure that Berti Suman and Switzer's (2022, p. 39) recommendation to '[i]mplement effective strategies that tackle the identified constraints for promoting Government to Business (G2B) data sharing, for example the absence of common principles on the matter' is fulfilled.

Ethics and best practice will be evolving, and should be informed by local, national and international expertise, and may also be informed by public engagement, especially on what publics consider to be ethical.

We also support Earl et al.'s (2021, p. 22) recommendation to '[s]hare ethical standards and best practices internationally' via the development and maintenance of 'an international community of practice'.

Recommendation

In line with the Scottish Minister's Duty within the Scottish Specific Equality Duties, the Scottish Government should ensure that Scottish public bodies understand their responsibility to Equality Impact Assess their approach to data sharing. This must include consideration of how to identify and mitigate data gaps for protected characteristic groups. Onward use of data which contains such gaps risks creating, maintaining or widening inequalities.

Considerations

Best practice can also be constituted by the 'creative and fruitful collaboration schemes and initiatives existing between research centres, civic organisations and private actors (at times also engaging the public sector) to share personal data, taking for example certain citizen science activities and the reality of data cooperatives and of creative common licensing schemes' (Berti Suman & Switzer, 2022).

The Scottish Government should ensure any equalities data gaps are addressed as part of the implementation of the new Equality Evidence Strategy 2023-2025 and the Equality Data Improvement Programme.

8

Heading

Enable existing intermediaries and join up

Recommendation

The Scottish Government should build on pre-existing bodies including Research Data Scotland, the Safe Havens and Scottish universities to facilitate access to public sector personal data by private sector organisations.

The Scottish Government should adopt more joined-up policy and initiatives in this area.

The Scottish Government should resource Research Data Scotland to provide a consultancy service for public sector data controllers to advise on access requests by the private sector, informed by these principles with an advisory board of multistakeholder experts and public representatives.

Considerations

These existing actors should be utilised, supported with sufficient and appropriate resources, and their expertise should be built upon and processes and procedures refined to take account of the principles and other recommendations. These are successful operating models and bodies for facilitating secure access by commercial entities to public data. Accordingly, we recommend they are built upon and resourced for other public sector organisations to learn from them.

There is a lot of complementary activity underway within and across the Scottish Government itself, and that the UVOD Programme going forward would benefit from a clear linkage and demarcation to these initiatives.

Informed by the advisory board, RDS should formulate draft standard contracts/templates which could be used by data controllers to facilitate these data access requests.

9

Heading

Enable collaborative research in this area including the collation of further evidence on blockages and proof of concept research

Recommendation

The Scottish Government should implement an ongoing programme of research in this area undertaken in partnership between public sector bodies, third sector, universities and research funders.

The Scottish Government should seek further evidence that existing decision-making mechanisms regarding private sector access to public sector personal data are causing negative outcomes or blockages before they ought to be altered.

Considerations

The Scottish Government should inquire with multiple stakeholder groups to establish whether such blockages exist, especially outside of health/pandemic situations, and whether the blockages are detrimental to public benefit being produced and the public interest. The Scottish Government should engage with a wide range of stakeholders, including but not limited to the private sector, on this point, to ensure a balanced picture of what is in the public interest.

This further evidence should include independent economic analyses of potential public sector personal data use by the private sector and what expected social, economic and environmental value would be created, and what expected social, economic and environmental costs might be. Theoretical assumptions underpinning such analyses must be made clear by the researchers and the likelihood of this value being created in current and near future political and economic circumstances in Scotland should be elucidated.

Recommendation

The Scottish Government should commission more research, and seek evidence and views about whether and how Scottish public sector bodies could facilitate access to personal data for proof of concept research and/or access to synthetic data taking account of barriers such as quality and standardisation.

Considerations

This research and evidence activity may be best led by Research Data Scotland.

10

Heading

Enable user-centred approaches

Recommendation

The Scottish Government should consider other forms of data sharing design and infrastructure which centre individuals more, facilitating their control and autonomy over their personal data, and which will be context-specific.

Considerations

These could include personal data stores that are controlled by the individuals whose data is stored there. Data cooperatives are another model which may combine control and consent of individuals with facilitating data use. Another potential model is that of data trusts. A further approach could be an opt out function, whereby individuals are able to opt out of their personal data which has already been collected by the public sector being used by the private sector. In considering these models and approaches, the Scottish Government must pay due regard to the diversity of the public in Scotland and the specific needs some people may have, e.g. who speak English as a second language, or who have disabilities. The Scottish Government should commission further research on these models, including feasibility for implementation, alongside current mechanisms such as Research Data Scotland. The Scottish Government should also support a meaningful dialogue and co-creation with the public from the early stages in the designs of the data sharing infrastructures, as recommended by Earl et al. (2021).

11

Heading

Enable further investigation into technological opportunities

Recommendation

The Scottish Government should seek and support more input at the technical architecture level to better understand the technology that could support the implementation of the principles, such as on overseen and traceable data access and usage

Ensure

12

Heading

Ensure action plans, resources and conditions are in place

Recommendation

The Scottish Government should develop action plans for the next phases of the UVOD programme based on these principles and recommendations.

The Scottish Government must ensure that the enabling conditions as outlined in Principle #6 are in place in Scotland's public sector and that the resources are provided to facilitate these conditions.

13

Heading

Ensure reasonable public benefit rationale provided by those seeking data access, informed by publics and reviewed and verified over time

Recommendation

The Scottish Government should ensure that data controllers and others involved in decision-making over data access in the Scottish public sector require that private sector organisations provide a reasonable rationale for public benefit, public interest and value. This rationale should include information that assists decision makers to consider the impacts of data access including vis-a-vis data protection and equality.

Considerations

This should be demonstrated, made transparent and revisited over time including before access to data is granted and after data has been accessed and used.

We recommend the adoption of Erikaninen and Cunningham-Burley's (2021, pp. 19-20) recommendations:

• 'Ensure that all cases of private sector use of public sector data are centrally motivated by and have a demonstrable potential to deliver public benefit, and provide convincing evidence and justifications for how public benefit will be realised.'
• 'Ensure that all cases of private sector use of public sector data have an in-built benefit-sharing system based on these benefit-sharing models.'

We also recommend the adoption of Berti Suman and Switzer's (2022, p. 4) recommendations:

• 'Start with pilot sharing in those fields where studies demonstrate that ordinary people are supportive of health and social care data being used for public benefit but make sure that public benefit outweigh private profits and interests.'

Recommendation

In interpreting the definitions of public benefit and public interest, the Scottish Government should ensure that there should be appropriate mechanisms for publics to give input into what they consider these to be. The public should also co-create notions of value and harm. These should form the basis of tests for public benefit and public interest, on the basis of the Guiding Principles, insights from charity law and the NDG guidance, and further expert input.

Considerations

• 'Emphasise principles of commutative and distributive justice in considering benefit-sharing arising from the use of publicly held personal data.'
• Respect key principles such as that of proportionality, transparency, accountability, and respect for ethical values and norms in designing frameworks for public sector personal data (benefit) sharing. Value co-creation should also be promoted in the construction of benefits.'

The D&IN Pilot Public Engagement Panel and Research Data Scotland may be the appropriate organisations to implement this recommendation.

Recommendation

The Scottish Government should ensure that data controllers and others involved in decision-making review instances where personal data has been used once the project or initiative is complete, to discern whether the claimed public benefit or public interest was indeed delivered by the private sector organisation accessing the data.

Considerations

Learning gleaned from such reviews by data controllers and others of whether public benefit and interest were indeed delivered by the private sector should be fed back into decision making and governance to drive improvement over time.

14

Heading

Ensure Data Protection (DPIAs) and Equality Impact Assessments (EQIAs)

Recommendation

The Scottish Government should require private sector organisations seeking access to public sector personal data to carry out a data protection impact assessment (DPIA) and Equality Impact Assessment (EQIA) before being able to access the data.

15

Heading

Ensure red lines on access for certain purposes

Recommendation

The Scottish Government should implement certain 'red lines' or prohibitions on private sector access to public sector personal data.

Considerations

These should include no access by insurance, credit rating and marketing companies, and no use which is purely or mostly commercial compared to that which produces public benefit.

16

Heading

Ensure transparency from public sector in data access provisions and from private sector about their access to this data

Recommendation

The Scottish Government should ensure that there is transparency and public communication about the access to public sector personal data by the private sector.

The Scottish Government should ensure that private sector organisations bear obligations to be transparent and provide information to the public and to the Scottish public sector data controllers about their access and use of public sector personal data.

Considerations

Research Data Scotland should maintain a publicly available data use register for the public sector in Scotland where this material vis-a-vis transparency could be communicated.

17

Heading

Ensure oversight is appropriately resourced

Recommendation

The Scottish Government should ensure public sector data controllers and others involved in decision-making and governance are properly resourced to achieve the objectives in the previous principles.

18

Heading

Ensure collaboration and further input around benefit-sharing

Recommendation

The Scottish Government should ensure that private sector access only happens in collaboration with the Scottish public sector and appropriate and convincing benefit-sharing built into the use of the data should take place with the Scottish public sector and people of Scotland.

Recommendation

The Scottish Government should seek more input on appropriate models of benefit-sharing for public sector personal data use by the private sector, building on the Berti Suman and Switzer (2022) literature review.

Considerations

This additional input on benefit-sharing models should include a systematic search and request for case studies of good practice, successes and challenges. This should be informed by benefit-sharing arrangements in the biodiversity context 'where benefit-sharing is firmly embedded as both a principle and an outcome of access to certain forms of information' (Berti Suman & Switzer, 2022).

19

Heading

Ensure the public can trust the companies accessing the data

Recommendation

The Scottish Government should ensure that only private sector organisations which comply with agreed standards of corporate behaviour are permitted access to public sector personal data in order to maintain public trust.

Considerations

Agreed standards of corporate behaviour would comprise private sector organisations complying with legislation and fulfilling financial and regulatory obligations such as tax.

2.4 Conclusion

Here we have set out our findings on private sector access to public sector personal data in Scotland, in the form of three specific outputs: a Policy Statement, Guiding Principles and Recommendations, accompanied by justifications, context and considerations. It is now up to the Scottish Government to consider these findings and, we hope, implement them in practice. Some Recommendations require further work, evidence gathering and research to be done, and some require ongoing programmes of engagement with different stakeholder groups and the emerging literature and practice in Scotland and internationally.

Achieving these outcomes will require a strong commitment from the Scottish Government, Scottish public sector, stakeholders in all sectors and the general public to ensure that the highest standards are followed and developed in an ongoing feedback process. This will require requisite resources to be allocated to support this along with political will. However, for Scotland to achieve its goal of being an Ethical Digital Nation, and ensuring personal data is used for public benefit purposes by the private sector, such a commitment and resources are necessary. In doing so, Scotland will also benefit by becoming a globally leading nation in ethical, appropriate and fruitful data practices.

In terms of practical and immediate next steps and future work, the Scottish Government now plans to undertake an iterative planning approach to the next stages of the UVOD programme. We, the IEG, consider that developing a decision-making and governance framework for public sector data controllers when considering access requests by private sector organisations is an important next step for the UVOD programme and we acknowledge that we have not provided one. Its development should also engage independent experts, the public and other stakeholders. The Scottish Government should make a commitment to continuing this work in the next stage of the UVOD programme.

In operationalising and implementing the Policy Statement, Guiding Principles and Recommendations, we consider that certain use cases or pilots should be identified by the Scottish Government, Research Data Scotland and other relevant stakeholders, as per Recommendation #4 above, to trial the Statement and Principles and see what might work for a broader implementation throughout the Scottish public sector.