In April 2018, the UK government published its industrial strategy in respect of artificial intelligence (AI), known as the AI Sector Deal. Their key commitments are to investment in research, industry and infrastructure. This includes building on existing data infrastructure and developing ways of creating legal certainty over the sharing and use of data.
The availability of large, reliable data sets is essential in order to train and develop machine learning algorithms and the resulting AI. Existing data protection legislation places limitations on organisations ability to share data freely. Further, whilst researchers and developers are generally keen to share data more freely to obtain large sets of training data, lawyers and financial directors wince at the potential legal and commercial ramifications of this.
As part of the government’s action to develop fair, equitable and secure data sharing frameworks, the government committed itself to “identify[ing] barriers to sharing data” and the AI Sector Deal invites industry to explore the different mechanisms available to share data in a “safe, secure and equitable” manner. This article explores key considerations when sharing data with third parties, whilst focusing on data trusts which the AI Sector Deal identified as a possible solution.
What is a data trust?
There are several informal definitions of a data trust, but no legal definition.
A popular definition is the plain-English definition adopted by the Open Data Institute (ODI). They define a data trust as a legal structure that provides independent stewardship of data. If that legal structure is a trust, as a plain-English approach suggests, the data trust is an independent entity with trustees who manage the trust’s data/ data rights (its asset) in accordance with the terms of the trust deed. The trust deed will be the rule book according to which the trust run, and should identify the trust’s purpose and beneficiary/ies, in whose best interests the trustees must act.
The word “trust” implies a safe and collaborative environment in which to share data, however a legal trust is a complicated structure and considerable legal duties are placed on trustees. You should take legal advice before seeking to set up a trust or agreeing to become a trustee.
In practice, it is possible to create a less onerous contractual framework, or a joint-venture relationship, achieving the same objective of sharing, pooling and exploiting data to train algorithms and develop AI.
Key legal considerations
Whatever data-sharing structure you adopt, we have set out below some key legal considerations to address before sharing data:
- Do you know where the data comes from?
- What will be your legal basis for processing the data?
- Are you allowed to access and/or share the data?
- Do you have data protection policies in place, as required under the General Data Protection Regulation? Do all the parties participating in the data-sharing relationship comply with data protection legislation?
- Have data subjects (e.g. customers or users) been notified of the sharing?
- Does the new organisation need to be registered with the ICO’s Data Protection Register?
Other considerations when sharing data, ranging from the parties’ financial contributions to their representation on a new entity’s board, are important but primarily commercial and beyond the scope of this article.
Increasing attention is being given to the trustworthiness of AI, and this starts with data.
The European Commission and the Information Commissioner’s Office are turning their attention to ensuring that organisations are accountable in respect of the data they use, as well as any resulting algorithms, AI or automated decisions. Consumer organisations are also lobbying for accountability and AI rights for consumers.
Whenever your are accessing or sharing third party data, you should carry out due diligence and ensure that all parties to the data-sharing project comply with applicable data protection legislation as set out above. However, in consideration of the growing trend towards regulation of data-centric organisations, you should also consider documenting your analysis of the trustworthiness of the data you are introducing into your algorithms. Although this is not a legal requirement to date, it increasingly appears to be best practice.
Whenever you are sharing data, whether in your usual course of business with subcontractors or as part of a formal data sharing agreement, you should be clear on each party’s obligations and a written agreement should be put in place.
If you would like advice on putting a data trust in place, or any other data sharing agreement, please do not hesitate to contact our specialised IT and Data Protection teams who will be able to advise you on the most appropriate legal framework to meet your objectives.