Introducing Data Trusts: what are they and what are the legal considerations?

September 26, 2019

What is a Data Trust?

Data trusts were explored in academia as a concept in 2004  as a way of dealing with data protection law and increasing protection for internet users. More recently, there were recommendations to develop the concept of a data trust in the paper “Growing the Artificial Intelligence Industry in the UK” by Professor Dame Wendy Hall and Jérôme Pesenti. This has led to data trusts being further explored and brought to wider public attention by the Open Data Institute (“ODI”) in early 2019. 

The ODI has defined a data trust as “a legal structure that provides independent stewardship of data” . Although “steward” is not a legal term, it represents the person(s) who oversees and looks after the data trust. 

Essentially, data trusts seek to enable the sharing of large data sets whilst ensuring that there is adherence to some pre-prescribed levels of data ethics, governance and privacy. A data trust is thus both a legal and technical construct which encourages ethical data sharing and transparent governance procedures, whilst also putting measures in place to protect privacy. 

Data trusts have the potential for versatile use depending on the level of protections put in place. They address situations where there is a hesitation to share data within an industry and sharing that data could enable innovation. For example, data trusts have already been considered in the context of three pilots which analysed whether data trusts would enable information to be shared to combat food waste, help prevent illegal wildlife trade, and increase transport and energy efficiency in a city environment . 

The aims of a data trust

A data trust is a legal and technical tool to enable data to be shared among multiple parties (as opposed from just party A to party B). It creates an acceptable method for sharing, where the parties would not have otherwise shared the data. 

It aims to deal with real world barriers to data sharing by increasing control, trust and reassurance. These barriers may arise because the data contains personal data, company sensitive information or may have political ramifications. The data could then be used to develop artificial intelligence tools, provide training data for machine learning and generally forward the use of ‘big data’ sets in academic research, industry research and product development.

A data trust also aims to create a model or framework that is both repeatable and sustainable. It creates a space where data could be continually updated and additional parties (who comply with the entry requirements) could gain access to it.

The legal structure for the chosen model will depend on: the nature of the data; the steward; the provider and the data users. It will also depend on commercial and financial considerations such as: how the stewards will be rewarded for their time; whether the data provider is being paid; whether data users have to pay to access the data and the various financial models required by the parties. All of these considerations are key to considering what type of data trust model is appropriate for any data trust. 

The Legal Considerations

The key legal consideration when forming a data trust is to decide upon the model to use. In most cases, either a contractual framework or corporate model will be the most appropriate. The descriptions below provide a brief overview of the methods that have so far been explored .

  • The Equitable Trust Model – In a broad sense, a data trust takes the idea of an equitable trust and applies that to data. It is a popular idea because those who look after the assets in the trust are not the ones who benefit, but have legal obligations of oversight. However, an equitable trust normally applies to money or land, both of which are legally recognised as being capable of being possessions. However, there are no proprietary rights in information . Thus there is a need either for the laws around data ownership to change, which could have huge and wide reaching ramifications, or to use the legal tools that are available, which remove the equitable trust as a viable option. In addition, this model may not be appropriate because trustees are required to act in the beneficiaries’ best interests. However, a data trust may be for the benefit of the data providers, the data users or some other wider public good. 
  • Contractual Framework Model – traditionally, where parties shared data with each other, they could do so under a data sharing agreement. It is possible to set up an agreement for multiple parties including the rules which govern the data sharing. There is even the possibility of creating a framework of repeatable clauses. However, a contractual model may not always be the answer, especially where the data providers and parties accessing the data may continually be changing. Enforcing such an arrangement may require a contract to create any rights over third parties, which cannot be done under UK contract law . Dealing with such a situation may become administratively burdensome. Further, the contractual model does not necessarily create an independent third party who can take the role of the steward, leaving governance measures to the contractual parties to enforce through the courts or via some form of alternative dispute resolution.  
  • Corporate Model – This model is the broadest and most flexible model for a data trust. Depending on the financial arrangements reached by the parties, they can chose to use an unincorporated company, a company limited by shares, a company limited by guarantee, a partnership, a limited liability partnership or a charitable company. It essentially involves using a company as a special purpose vehicle, where the directors would act as the stewards. Its members could also represent the parties involved. For this reason, it is unlikely that a partnership or unincorporated company would be appropriate because it is not its own separate legal person. One of the drawbacks of this approach is reconciling how directors’ duties conflict with that of the data trust. 
  • Public Model – This is currently a hypothetical model. A public regulator could set a standard for a data trust and all the rules applicable. It would be responsible for enforcing breaches and the chosen model would be overseen by a third-party public body. This would provide public assurance but would require government support and a substantial period of time to set it up. 
  • Community Interest Company Model – A community interest company focuses on non-charitable social enterprise but does not have to operate exclusively for the company’s social purpose . In short, this is a hybrid model between a company and a charity with its own sector regulator. This is an attractive model because it already has a regulator in place but whether the CIC regulator would consider that a data trust would be capable of being a CIC is yet to be seen. 

The key to setting up a data trust is creating the right framework for the client’s requirements. This would need to be supported by bespoke documentation including: a stakeholder/membership agreement; articles of association (when using a company model); data provision agreements; and data use agreements. In addition, where personal data is shared, further clauses will be required to ensure that it is compliant with data protection legislation .  

Deciding when to use a data trust

Whether a data trust is an appropriate solution will depend on the aspirations of the parties. They may want to share large data sets where the data cannot be shared in an open access way. The parties may also aspire to certain standards of ethics and governance and want to put measures in place to ensure that this is dealt with. Conversely, the parties may use a data trust as a way to deal with reputational and commercial worries where they would prefer an arm’s length arrangement with the other parties involved. A data trust has the potential to be an additional and flexible option where previous models have simply not created the right environment to share certain data sets before. 

The technical solutions available to parties will also need to be considered. Whilst the legal model can be relatively flexible, the technical software implementing and facilitating the data sharing needs to be capable of reflecting the legal terms in reality. 

Final thoughts

This article is a quick description of a data trust and what legal framework should be considered from the outset. I would urge anyone considering using this model to consider the extent of the research available. In particular, this article has not covered topics such as: providing data to the trust; dealing with personal data in a data trust; competition law concerns; intellectual property considerations and ending the data trust. All of these topics require legal support when setting up any data trust. 

emily barwell solicitor

Emily Barwell is a solicitor in the Science and Technology team at BPE Solicitors LLP. She was involved with the legal research around the initial reports in early 2019 and the team, led by Rob Bryan, continues to be involved in developing data trusts. She is presenting on the legal considerations of a Data Trust at the SCL Annual Conference 2019.