The second reading of the Data (Use and Access) Bill is scheduled for 19 November, and there's an opportunity to shape how smart data schemes (found in Part 1 of the Bill) and data governance rules could transform our digital economy. Building on our initial response to the Bill, here's what we think needs attention as Parliament examines the legislation.
Cross-sector coordination is crucial
While the Bill enables new smart data schemes, we must ensure they can work together effectively. Think of it like railway gauges – trains couldn't move between networks if every railway company used different track widths. Similarly, an insurance company asking for patient data via a fitness app, or a utility company integrating energy usage data with smart home devices, will struggle if firms use different data standards. That's why we recommend a central authority to develop standards across different sectors. This isn't about creating more bureaucracy; it's about ensuring that access to data is seamless between sectors and services, benefiting both consumers and businesses.
We want to see an extension of smart data to include B2C standards, making personal data available for citizens to download or place in personal data stores that they control. Data access for individuals should be as straightforward as it is for businesses. There’s no reason not to empower people when we do organisations. It means potentially helping them get an aggregate view of data about them. It might even help alert people to health issues or discover new products and services based on their interests and needs.
Learning from open banking's success
We've seen how open banking has transformed financial services, with over 4,800 skilled jobs created in 2022-23 alone. This success wasn't accidental – it came from having mandated independent bodies working cross-sector and with public and private sector partners to implement the scheme. We need similar intermediary bodies for the new smart data schemes, with proper funding from the start, who can build data infrastructure in the national interest. This independence is crucial for maintaining public confidence and ensuring the schemes are governed in the best interests of everyone, not just major players.
The ODI - as members of the Smart Data Council - is interested in making this work for as many sectors and people as possible. Allowing consumers and businesses to safely share information about them with regulated and authorised third parties while boosting growth benefits us all.
We’re recommending that the Bill:
- Establishes a single authority to develop and manage smart data standards across sectors, including shared attributes for common data.
- Includes a provision to incorporate open data standards and practices within smart data schemes.
- Specifies that interface bodies (or as we call them, “intermediaries”) should align standards with international interoperability frameworks, and do so with direct input from international standards bodies including:
- W3C (World Wide Web Consortium): W3C is the standards body for Web technologies. Founded by Sir Tim Berners-Lee, the W3C is responsible for the development of a range of Web standards from HTML and CSS through to Verificable Credentials - which are used in the UK digital identity and attributes trust framework beta version, implementations of the European electronic Identification, Authentication and Trust Services and the Australian Trusted Digital Identity Framework.
- IETF (Internet Engineering Task Force): IETF is the standards body for Internet Protocols. Amongst other specifications, IETF is responsible for theHTTP standards.
- ISO (International Organization for Standardization): ISO is the go-to standards body for, amongst other things, security standards. The UK digital identity and attributes trust framework beta version already makes reference to several ISO standards for auditing and certification.
Looking beyond our borders
The UK has an opportunity to lead in smart data innovation, but we shouldn't reinvent the wheel. Many countries have developed and are implementing similar schemes, and there's much we can learn from their experiences. As mentioned, we recommend close consultation with international standards bodies and careful research into what works elsewhere, including in Australia, India, and Singapore. Closer to home—in Europe - we should look at what’s to be learned from the European Data Spaces. Fortunately, the International Data Spaces Association (IDSA) and its RADAR dashboard of use cases offer effective models for tracking and evaluating data-sharing initiatives.
Making data AI-ready
As artificial intelligence becomes more prevalent, we must ensure our data infrastructure is fit for purpose. Enterprise Knowledge Graphs and contextual data standards might sound technical, but they're essential tools for making data useful across different sectors. Think of it as ensuring that all our data ‘speaks’ the same language, making it easier for AI systems to understand and use it responsibly. Importantly, it would also mean that smart data is more valuable and applicable, a win-win. Here, you can find out more about our work on data-centric AI, including the need for greater data transparency and our recently published Taxonomy of Data for AI.
Giving citizens autonomy online
Data privacy and consent shouldn't be an afterthought. We're advocating for privacy signalling frameworks that give individuals real control over their data. These systems would allow people to set their privacy preferences once and have them continually communicated to and respected across different services – similar to how your phone's privacy settings work across different apps.
Dynamic consent has significant buy-in, including from the HRA and MHRA with the NHS. We think the Secretary of State has a role to play in developing an automated privacy framework in consultation with the ICO and international standards bodies, protecting privacy in varied contexts and providing all of us with reliable, consistent privacy management options. We also see a need for a ‘privacy manager’ role—a trusted expert who could help people make privacy decisions on their behalf, with clearly defined rights and responsibilities.
In the short term though we can see a role for Global Privacy Control and Advanced Data Protection Control privacy signals to be directly mandated — which fulfil part of the automated privacy framework functionality.
Keeping bodies accountable
While the Bill introduces interface bodies as key players in smart data schemes, we need stronger measures to ensure they keep our data safe. While sections 7-8 set out security requirements, we think it’s essential for smart data standards to go a step further. They should explicitly require companies to follow specified ISO standards for the databases that enable smart data access. This would give people greater confidence that their data is being handled securely and responsibly and would provide managers with the security that they’re following the rules they need to.
The future is citizen-centric
Interoperability is key to creating a seamless experience for individuals and businesses—imagine not having to update your address across countless services. It’s also a driving force behind frameworks like the Digital Identity and Attributes Trust Framework (introduced in beta form last year), designed to enable the secure sharing of individual attributes between services.
At the same time, growing public awareness of data privacy has fueled interest in decentralised solutions like Solid, now stewarded by the ODI, and other privacy-enhancing technologies (PETs). These tools empower individuals to control their data while allowing innovative services to flourish. By promoting user-centric models like those supported by Solid, the UK can build a more distributed data economy, foster competition, and tackle challenges such as declining third-party cookies—a Competition and Markets Authority priority area.
Looking ahead
The Data (Use and Access) Bill presents a real opportunity to build a data ecosystem that works for everyone. Getting the details right – particularly around standards, governance, and user control – will be crucial for its success. We'll watch the parliamentary debate closely and continue to advocate for measures that promote innovation while protecting individual rights. Watch this space.
