Data Sharing, Trust Frameworks, and Standards

Following the United Kingdom's departure from the European Union, UK GDPR came into force on 1 January 2021, incorporating the EU GDPR's substantive requirements into UK domestic law alongside the Data Protection Act 2018. The two instruments work together: the Data Protection Act provides the UK-specific provisions that the EU GDPR permitted member states to determine domestically.

The Information Commissioner's Office (ICO) is the UK's independent supervisory authority for data protection law. It has the power to issue fines of up to GBP 17.5 million or 4% of global annual turnover (whichever is higher) for serious infringements of UK GDPR. Since 2018, the ICO has fined organisations including British Airways (GBP 20 million, 2020), Marriott International (GBP 18.4 million, 2020), and TSB (GBP 49 million, 2023 for operational resilience breaches).

The UK National Data Strategy (2020) positioned data as national infrastructure, comparable to roads and energy networks. The strategy identified that the UK's ability to generate value from data depended on improving data quality in public sector organisations, establishing trusted data sharing frameworks, and developing smart data schemes that enable consumers to access and share their own data held by regulated organisations.

UK GDPR Article 6 specifies six lawful bases for processing personal data. Every instance of personal data processing must rely on at least one lawful basis. The choice of lawful basis is not discretionary and cannot be changed retrospectively: if an organisation relies on consent, it cannot later claim legitimate interests for the same processing activity if consent is withdrawn.

The six bases are: consent (the data subject has given freely given, specific, informed, unambiguous consent); contract(processing is necessary for a contract with the data subject); legal obligation (processing is necessary to comply with a legal duty); vital interests (processing is necessary to protect someone's life); public task (processing is necessary for a public authority carrying out an official function); and legitimate interests (processing is necessary for the controller's legitimate interests, balanced against the data subject's rights).

For public sector organisations processing data under their statutory functions, the public task basis is typically most appropriate. For research organisations processing NHS data, a specific research exemption under Article 89 may apply. For commercial organisations, legitimate interests is the most flexible basis but requires a Legitimate Interests Assessment (LIA) documenting that the interests are genuine, the processing is necessary, and the data subject's rights do not override those interests.

The ICO guidance identifies consent as the most demanding basis to maintain: consent must be freely given (cannot be a condition of service), specific, informed, and easily withdrawable. For data sharing arrangements between organisations, consent is rarely the appropriate basis because it requires ongoing management of consent records and creates operational fragility.

Collective data governance models address a problem that individual data protection law does not: how should groups of people or organisations govern data that has collective value, such as patient health data, urban mobility data, or agricultural sensor data?

A data trust is a legal structure in which a trustee holds stewardship rights over data on behalf of data subjects. The trustee is independent of the data holder and has a legal duty of care to the beneficiaries (data subjects). UK Biobank is the most prominent UK example: an independent body governs access to 500,000 participants' health and genetic data for research, with an access committee that evaluates requests against defined criteria.

A data cooperative is owned and governed by its members. Members pool their data collectively, with governance decisions made democratically. MIDATA in Switzerland enables members to control and selectively share their health and financial data with services of their choice. Data cooperatives give members negotiating power they would not have individually.

A data commons is data made openly available under defined governance conditions, typically for public benefit. The UK's Ordnance Survey OpenData provides geographic data as a commons. The Open Data Institute (ODI, founded by Tim Berners-Lee in 2012) promotes data commons through its open data standards and certification scheme.

Smart data schemes are regulatory frameworks that require organisations holding customer data to share that data with third parties at the customer's instruction. They extend the GDPR right to data portability into specific, interoperable standards.

Open Banking is the UK's most mature smart data scheme. The Competition and Markets Authority ordered the nine largest UK banks to implement it in 2016. By 2024, over 7 million UK consumers used Open Banking-enabled services, sharing their bank account data with budgeting apps, mortgage brokers, and credit reference services via standardised APIs. The scheme is regulated by the Open Banking Implementation Entity (OBIE).

The Data (Use and Access) Act 2025 extended the smart data framework beyond banking to energy (smart meter data sharing), telecommunications (call records and usage data), and mortgage data. Each sector scheme specifies the data standards, security requirements, and consumer consent mechanisms that participants must implement.

Smart data schemes create value by reducing information asymmetries: a consumer who can share their energy usage data with multiple providers gets more competitive quotes; a consumer who can share their full bank transaction history with a mortgage broker gets a faster, more accurate affordability assessment.

Privacy-Enhancing Technologies (PETs) are a set of techniques that enable data analysis while minimising the exposure of raw personal data. The UK ICO and the US National Institute of Standards and Technology (NIST) have both published guidance on PETs as a privacy-by-design mechanism.

Federated learning trains a machine learning model across multiple data holders without aggregating the data centrally. Each participant trains a local model on their own data and shares only model parameters (gradients) with a central aggregator. Google uses federated learning to train the Gboard keyboard prediction model on users' devices without any text leaving the device.

Differential privacy adds calibrated statistical noise to query results, making it mathematically impossible to determine whether any specific individual's data contributed to a result. Apple uses differential privacy for its usage analytics. The UK Statistics Authority uses differential privacy techniques for small-area census data releases to prevent re-identification.

Secure multi-party computation allows multiple parties to jointly compute a function over their combined data without any party learning the other's input data. Data clean rooms (used by Google, Meta, and AWS) apply this principle to advertising measurement: two parties can compute the overlap of their customer lists without either party seeing the other's list.

OpenSAFELY combined federated analysis with output checking: researchers' code ran at the data source, and outputs were manually checked for re-identification risk before release. This human-in-the-loop output checking is an additional safeguard for high-risk datasets.