Private sector access to public sector personal data: exploring data value and benefit-sharing

The aim of this review is to enable the Scottish Government to explore the issues relevant to the access of public sector personal data.


Introduction

Background to the study

The aim of this review is to enable the Scottish Government to explore the issues relevant to the access of public sector personal data (as defined by the General Data Protection Regulation, GDPR) with or by the private sector in publicly trusted ways, to unlock the public benefit of this data.

This literature review will specifically enable the Scottish Government to establish whether there are models of costs/benefits/data value/approaches to benefit-sharing or the use of intellectual property rights or royalties regarding the use of public sector personal data with or by the private sector both in the UK and internationally.

This literature review is the final in a series of three. The literature review, 'Unlocking the Value of Scotland's Data: Public Engagement Around the Access of Public Sector Data with or by Private Sector Organisations', undertaken by Dr Sonja Erikainen and Professor Sarah Cunningham (University of Edinburgh) aimed to explore the question: (w)hat public engagement has been undertaken regarding the use of public sector data by or with the private sector? The review made a number of key findings:

  • There is widespread conditional acceptance of private sector use of public sector data especially among informed publics. Public benefit is the primary driver of acceptability and commercial gain or private profit the primary driver of unacceptability. The definition and scope of 'public benefit' is open and contested, but publics want to see evidence that public benefit of some kind is the primary driver of public sector data access, that it can actually be achieved, and that it outweighs any possible private benefits.
  • Publics want to see the development of equitable benefit-sharing models for collaborations or partnerships between private and public sector organisations, as they expect benefits – including profits – to be returned to publics and reinvested into the public sector.
  • Public trust and distrust are key factors around private sector access to public sector data. Publics are more trusting of private sector uses of public sector data when public sector organisations retain control over the data during collaborations with the private sector.
  • Publics expect to see stringent oversight, governance, and safeguard arrangements around private sector use of public sector data, especially concerning an oversight or governance body, transparency and accountability processes, and arrangements for data security and safety, consent, and confidentiality.
  • Publics want there to be public involvement or engagement processes and activities around private sector use of public sector data.
  • There is no singular 'public perspective' on private sector use of public sector data, but rather, while overarching patterns can be identified, publics are plural, and individuals' views are shaped by a diverse range of intersecting demographic and attitudinal variables.

An additional review, 'Public Sector Personal Data Sharing', undertaken by Morgan Currie, Steven Earl, Victoria Gorton and Matjaz Vidmar, was tasked to review pathways for public sector organisations sharing a particular type of data, called personal data, with private organisations. It made the following recommendations:

1. Focus on creating shared data standards and protocols across agencies and local and national contexts - a public agency could be dedicated to this role. These data standards should create confidence in the quality of the data as well as the consistency of the data sets.

2. Develop a clear way to define and demonstrate public interest and public value. This includes involving the public meaningfully from early stages in the designs of the data sharing infrastructures and models to generate public licence.

3. From earliest phases, develop ways to market the value and utility of the data sharing infrastructure to immediate stakeholders and users (i.e. researchers, private sector innovators) and be transparent about the risk and opportunities. Ways of doing this include involving stakeholders in the designs of the infrastructure or creating a typology of data and datasets that may be of value.

4. Develop a central resource or agency, such as a data permit authority, that helps aggregate, combine and link data and has the autonomy to decide which permissions to grant, as well as the resources needed to provide quality data. Make the process of this as transparent as possible.

5. Share ethical standards and best practices internationally. Develop and maintain an international community of practice that explores the "Futures of GDPR". Many countries and regions developing data-sharing approaches will have similar needs for support and learning, which they could gain from each other.

Our literature review follows on from the previous two reviews outlined above. In this adapted systematic literature review, we aimed to address a number of core questions, develop a thematic analysis when doing so, and provide recommendations to guide the (benefit) sharing of public sector personal data:

  • Are there any models of costs and/or benefits regarding the use of public sector personal data with or by the private sector?
  • Are there any models of valuing data regarding the use of public sector personal data with or by the private sector?
  • Are there any models for benefit-sharing in respect of the use of public sector personal data with or by the private sector?
  • Are there any models in respect of the use of intellectual property rights or royalties regarding the use of public sector personal data with or by the private sector?

Our literature review focused on both the UK and international contexts, but was limited to literature available in English, published after 2007 and until mid-September 2022. In conducting our literature review, we relied upon the following key definitions:

Key Definitions

Personal data

According to Article 4 of the GDPR, personal data 'means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.' Section 3(2) of the Data Protection Act 2018 (DPA 2018) defines personal data as meaning, 'any information relating to an identified or identifiable living individual.'

Public sector private information

As defined by the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act of 2018.

Business to Government data sharing (B2G)

Business to Government data sharing is the scenario in which a company or other private organisation makes available its data to the public sector. This is addressed incidentally in some of the resources reviewed.

Government to Business data sharing (G2B)

Government to Business data sharing is the scenario in which the public sector shares its data with a company or other private organisation. This is the focus of our review.

The two categories of B2G and G2B are informed by recent conceptualizations from academic and grey literature (e.g. Aidinlis 2022 and Martens and Duch-Brown 2020).

Contact

Email: sophie.Ilson@gov.scot
