The second reading of the Data (Use and Access) Bill in the House of Lords on 19th November revealed significant alignment with several key priorities we've highlighted in our recent work on unlocking the potential of smart data schemes and digital verification services. However, as the Bill enters the committee stages, we’d like to see greater consideration for making data available to citizens (as well as shareable between organisations) and more emphasis on making data AI-ready.
Smart data
In a debate more than three hours long, covering the wide range of measures included in the Bill, Lord Knight of Weymouth echoed our calls for cross-sector data standards and alignment with international interoperability standards. He questioned whether we need "some kind of authority to drive that". We think it’s essential to assign a single authority to oversee and manage the development of smart data standards across different sectors, ensuring an agreed understanding of data attributes used by multiple industries.
Having one authority for certain standards would streamline implementation, enable quicker rollout across sectors, and improve interoperability. Shared standards, especially for common attributes of customer data, would facilitate smoother data exchange between industries, fostering innovation and reducing complexity. For example, most verticals should use the same standards to define a customer's or person's attributes, making sharing such data between sectors easier.
Lord Vaux, in his remarks, made the point that we need to accelerate the rollout of smart data. He argued that the Bill “Consists mainly of a series of powers to regulate rather than any firm steps, which is a little disappointing. The only current live example of smart data that we have is open banking, which a number of noble Lords have referred to—maybe, one day, we will see a pensions dashboard; who knows? However, open banking has been rather slower to take off than had been hoped.”
Lord Vaux also called for a review of Open Banking to assess the reasons for this long delivery timeline, urging lessons to be learned. We agree that there are lessons to learn. However, we’d encourage the government to look outside the UK and conduct comprehensive research on international data access initiatives, such as the European Data Spaces, to learn from insights on governance, incentives, and public-private collaboration. The ODI has already started some of this work, and we’ll publish our initial insights in a forthcoming blog.
In countries including Estonia, Australia and Singapore, more comprehensive smart data schemes are well advanced, providing a rich potential corpus of learning. We think that the UK can accelerate the adoption of smart data in many more sectors by incorporating international best practices and creating funding and incentive structures that support automation, data intermediaries, and public-private partnerships to scale smart data schemes effectively.
Trust and empowerment
Lord Stevenson was one of several peers to raise the issue of trust, saying that “there is a long way to go if this legislation is to earn public confidence and if our data protection regime is to work not just for the tech monopolies but for small businesses, consumers, workers and democracy.” Lord Holmes called for a concerted effort to upskill and raise awareness in the general public, saying “We need to enable and empower all our citizens to be able to say, full-throatedly, “Our data; our decisions; our human-led digital futures”.
We agree and think that a key element of this empowerment will be extending the smart data clauses to also include B2C (business-to-consumer) standards, allowing consumers to pull data directly into personal data storage that they manage - or directly download this data themselves. Smart data should not simply be about ‘permissioning’ businesses to share consumer data between them but also about consumers accessing the data themselves. In fact, data access should be as straightforward for individuals as for businesses. Indeed, when individuals can access this data (through applications they trust), it allows them to have a dashboard of their data, potentially helping to make the ‘pensions dashboard’ application mentioned in the debate by Lord Vaux a reality.
Another part of the Data (Use and Access) Bill concerns the trust framework for certifying Digital Verification Services (DVS). We would like to see the rights of consumers to manage and download data about them integrated with the DVS framework, which in turn would help consumers verify their identity and access data easily. This would support the goals of transparency, control, and utility in personal data use and has the potential to deliver many economic and social benefits, including the capability to predict and alert potential health issues or help users discover new UK-based products and services based on their interests and needs.
AI ready data
There were many references to AI throughout the debate but no specific calls for AI-ready, reusable data, particularly for smart data schemes. We would like to see this addressed at the committee stages. Data exchanged and accessed under smart data schemes - and indeed in the National Data Library (which is not covered in the scope of the Bill but was mentioned by Baroness Jones in her summing up of the debate) must be AI-ready and reusable, embedding
context through technologies like Enterprise Knowledge Graphs (EKGs). EKGs are already industry best practices used, for instance, to improve the correctness of answers given by Gemini in Google searches. This is important because AI requires data that is meaningful and contextual - Data-centric AI. Standardising context with knowledge graphs (e.g., defining that “T: 32” represents temperature in Celsius) ensures that data is interpretable and useful for AI applications. This would enhance the value and applicability of data across sectors.
Digital identity and trust
We were pleased to hear Viscount Colville's emphasis on international interoperability and his agreement with our position that the Digital Verification Service (DVS) trust framework needs explicit alignment with international standards bodies. He said, “The DVS will be useful only if it can be used across national boundaries. Interoperability must be crucial in a digital world without frontiers. I suggest that an international standards body should be included in the bill…The most obvious would be W3C, the World Wide Web Consortium, which is the standards body for web technology….. I know that the Government want the Secretary of State to have flexibility in drawing up this framework, but the inclusion of an international standards body in the Bill would ensure that the Minister has them in the forefront of their mind when drawing up this much-needed framework.”
We agree that developing the DVS trust framework using open, international standards and ensuring consultation with international standards bodies such as W3C, IEEE, IETF and ISO will help promote global interoperability. Building the DVS trust framework in this way will improve compatibility with digital identity solutions outside the UK, enabling citizens to verify their identities across borders and enhancing data accessibility in the global market.
AI assurance and automated decision-making
Several peers raised important points about AI assurance and algorithmic transparency that echo our recommendations. Lord Holmes of Richmond called for personalised explanations of automated decisions, particularly in recruitment contexts, while Lord Thomas of Cwmgiedd rightly noted the need for individuals to understand why automated decisions are made. These interventions align with our work on data-centric AI and the need for greater transparency in AI systems.
Data protection and privacy
Baroness Kidron explicitly acknowledged the ODI among leading organisations raising concerns about data protection and privacy safeguards in the Bill. These concerns, also voiced by Lord Thomas of Cwmgiedd and others, align with our recommendations about robust privacy frameworks and user control. The debate demonstrated particular attention to automated decision-making and the need for meaningful human oversight - themes we've consistently discussed.
Cookies didn’t pop-up
Perhaps surprisingly, given how much they pop-up in all of our experiences of the web, there was no discussion around browser-managed cookie-consent, a topic that was addressed in the former Data Protection and Digital Identity Bill, and that was omitted from the Data (Use and Access) Bill. This is something that ordinary web users tend to care about and which is a heated topic of debate in the EU—where the question of reforming GDPR will face the next Commission - as well as in the UK where the question about future data adequacy between ourselves and the bloc is a significant issue.
The ODI believe that the more general topic of privacy signals is a key point of discussion for this Bill as it progresses. It would be welcome to see more of this technical discussion at the Committee stages, if time and interest allow.
What’s next?
As the Bill moves into the Committee stages, we're encouraged to see parliamentarians engaging with many of the key issues we've identified. The focus on international standards, cross-sector coordination, and privacy protection suggests a growing consensus around the need for a comprehensive, well-structured approach to data governance.
We particularly welcome the attention paid to international alignment and standards - a key recommendation in our recent analysis. As we continue to engage with the legislative process, we'll work to ensure these crucial elements remain central to the discussion.
