Data trusts: legal and governance considerations

Sharing data brings economic and social benefits, but most data is locked in inaccessible systems. Organisations which co-operate and share data will gain significant advantages but they face a challenge in finding ways to share that data in a fair, safe and equitable way.

What is a data trust?

Data trusts enable you to extract more value from your data and give you the chance to access other people’s data to improve your way of working and create new opportunities.

A data trust is a legal structure that provides independent stewardship of data. The data trust’s purpose can be narrow or wide, depending on the aims of the stakeholders. It can be societal or environmental, for the public good or for the generation of profit, or any combination of these and other factors.

The data trust will hold, or be able to grant access to, data sets from multiple sources. The data trust acts as the custodian or steward of that data, in a similar way to other legal structures that are used to look after and make decisions about assets – for example land trusts, stewardship vehicles or community interest companies that steward land on behalf of local communities and other stakeholders.

Done well, data trusts help unlock data in a safe environment.

Governance considerations

A data trust can take the form of a multi-party collaboration agreement, or can be established as a distinct corporate entity. Whatever legal form the data trust takes, the arrangement will involve one party authorising another to make decisions about data on its behalf both for its benefit and, potentially, the benefit of a wider group of stakeholders.

To encourage stakeholder engagement, the data trust will need robust governance. Its decision-making will need to be transparent to its stakeholders, and both stakeholders and the data trust will need to be accountable for their actions.

The data trust or its governing body (the ‘data steward’) will undertake to steward the data appropriately. Stewardship ensures compliance with the EU’s General Data Protection Regulation (GDPR) and other regulatory requirements and standards. It also has an ethical dimension related to how the data can most appropriately be used or not used given the terms of reference and ethical standards established as part of the data trust’s governance model.

Data trust rules

The rules of the data trust sit beneath, and underpin, the data trust’s purpose. These will set out the way in which the data trust will function so as to achieve its purpose in more detail. This does not need to be a public document but more transparency about the data trust’s operations creates more confidence in its functioning.

The rules will cover the data trust’s basic operations, including:

• the nature of the data that will be collected, in broad terms;
• who the data will be shared with, and
• what use they can make of that data.

Data provision and usage agreements

Complementing these overarching rules will be contracts between the data trust and its stakeholders, specifically data providers and data users. These contracts will need to be consistent with the rules established for the operation of the data trust, and may incorporate those rules.

Instead of bilateral contracts between the data trust and data providers or data users, it is also possible to regulate data provision and data use arrangements through a multi-party code or contract between all the data providers and users. Hallmarks of such an arrangement include:

• most prospective data provision and data use arrangements are readily identifiable and can be addressed within the multi-party arrangement;
• data users and data providers are willing or compelled by regulation to accede to the multi-party arrangement;
• a governance model has been developed to administer the multi-party code or contract and to manage proposed modifications to it.

But in most cases the data trust will develop a suite of bilateral data provision and data use template agreements between the data trust and approved data providers and data users.

It may be that a number of different contractual models will need to be developed to address different scenarios, particularly to address the varying nature of the data being shared. There may be no ‘one size fits all’ form of data provision agreement or data use agreement, but an approach which is as standardised as possible can be taken in order to drive efficiency.