Bringing together privacy and openness: the ODI shares draft personal data principles

Since publication, these principles have evolved into one of the guides that we use in our work. The latest version is available for anyone to use. If you want help in using the principles then contact us at [email protected]

If we create trust among people in how their personal data is used and shared, we can use data better to benefit everyone. ODI Policy Lead Ellen Broad sets out high-level personal data design principles to shape the control and use of personal data

null Shining a light on how personal data can be safely collected, used and shared in ways that benefit everyone. CC BY 2.0, uploaded by James Wheeler.

The UK Government has launched a public consultation on how data sharing in government could be improved, to help deliver key services for citizens. We’ve summarised the consultation to help people understand what is being proposed and encourage wider debate.

The launch of the consultation comes in the midst of global discussions about how our personal data is collected, used and shared by organisations. Improving how we use personal data is going to be key to building a stronger data infrastructure and services that benefit citizens and society.

At the same time, we all need to safeguard the security and privacy of our personal data if we are to have trust in how organisations handle it. Both privacy and openness create trust. If we can create trust among people in how their personal data is used and shared, we can use data better to benefit everyone.

The debate to date: control and use of our personal data

Organisations are taking different approaches to improve how our personal data is used. Governments are updating data protection legislation. Some organisations are exploring data broker solutions, where intermediaries manage and sell access and use to personal data. Other organisations are testing out design and technology-based approaches to give us better direct control over how our data is collected and used. We’ll dig into these in more detail over the coming months.

The ODI has been discussing the choices we make about data through blogs and within the team. We’re beginning to map out the mechanisms that organisations could use to help people understand and take part in how data about them is collected, used and shared.

We believe that we need to think about the full spectrum of data that is closed, shared and open when we debate personal data.

Design principles for managing personal data

We have begun devising our own high-level principles to shape how we approach policies, research and tools for the use and control of personal data over the coming year. Key to our approach is privacy and openness as mutually reinforcing concepts for any use of personal data.

We will be testing and improving these principles in both our response to the UK Government’s data sharing consultation and the rest of the work that we do.

  1. We all benefit from strong data infrastructure
    We need data infrastructure that is accessible and usable to deliver services for citizens, support new businesses and discoveries, and drive economic growth. A data infrastructure consists of data assets, the organisations that operate and maintain them, and guides for data use and management. How our personal data is managed and used as part of our data infrastructure should reflect its benefits for citizens and society.

  2. We need to design data infrastructure for privacy and for openness
    Data that needs to be secure must be kept secure. But we should also ensure that where there are potential benefits to people and society from using data, we grasp those benefits. Organisations that collect and use personal data should maximise its potential benefits by publishing a version of it as anonymised, aggregate open data.

  3. Organisations should be open about what data is being collected and used
    It should be clear to people what personal data is being collected about them and why – whether the data will be used to help deliver a service for them, be linked with other information about them, be shared with other organisations or be used for research purposes. Organisations that use personal data should therefore be open about how they use it. When they use it to make a decision, they should be open about how that decision was made. They should publish open data about the way personal data is being used.

  4. People should be able to understand and control how their data is shared
    It should be clear from the language of an organisation’s data policies and permissions, and the design of its services, that we can choose how our data is collected and used, and that our consent is essential if the data will be processed any further. Where people lack data literacy then assistance should be available to help them understand the terms and implications of sharing their data. We should be able to shape subsequent use of our data. We should have the ability to grant access to our data to others, and remove that access should we choose to do so.

  5. Organisations should be open about the way data is shared
    Organisations that share personal data with others should be clear on: what data they share; with whom; for what purpose; under what conditions; and for what return (eg financial). Public statements of these sorts should be able to point to the statements issued by the recipient organisations about how that data is used.

  6. Organisations should be open about the way data is secured
    Organisations that store personal data should be open about the way it is secured, to the extent that is possible without increasing the risk of security breaches. They should publish information about the security audits that are carried out, any data breaches that take place, and their responses to those breaches. Organisations should also be open to receiving and responding to information about flaws in their security.

  7. Anyone who collects and uses personal data should be accountable for its misuse
    Accountability for data misuse should begin with those who are collecting personal data. For example, storage or use of personal data might be deemed to be unlawful unless a data usage policy has been openly published by the collecting organisation. There should be meaningful penalties for breaches of the security of personal data.

Since publication, these principles have evolved into one of the guides that we use in our work. The latest version is available for anyone to use. If you want help in using the principles then contact us at [email protected]

Ellen Broad is a Policy Lead at the ODI. Follow @ellenbroad on Twitter.

If you have ideas or experience in open data that you'd like to share, pitch us a blog or tweet us at @ODIHQ.