
Disambiguating data stewardship

Why what we mean by ‘stewarding data’ matters

4 March 2021


Today we launch Exploring legal mechanisms for data stewardship, in partnership with the AI Council, which explores one aspect (the legal scaffolding) of how to build a rights-based, participatory approach to the design of more trustworthy data systems – ones that people and society can benefit from, and that people feel work in their interests.

The second aspect, involving people in decisions around data, will come in a second report, Exploring participatory mechanisms for data stewardship. It builds on the view that, at its core, good data governance should be rights-enabling and rights-preserving, and must involve in meaningful ways the people whose data is used or about which data decisions are taken (the ‘data subjects’).

What is data stewardship?

Through exploring different perspectives on data stewardship in the expert conversations, research and analysis of approaches to data governance that informed these reports, we’ve developed a working definition:

‘The responsible use, collection and management of data in a participatory and rights-preserving way.’

We start with legal frameworks and regulatory regimes, as the bedrock that sustains a framework of responsibilities and rights, and which enable data truly to be used for public good – a vision articulated by Oliver Dowden, Secretary of State for the UK Government’s Department for Culture, Media and Sport (DCMS), in his recent Financial Times article.

Data stewardship distinguishes governance – the structural conditions that enable data to be used in trustworthy ways – from a narrowly compliance-based approach. That is not to say that compliance doesn’t matter: data stewardship is not a mechanism to avoid the rule of law when it comes to the use of data. Equally, the argument that data can engender public benefit should not be used as an ‘escape clause’ for those who develop, deploy and use data to avoid compliance or other moral requirements.

That’s why, when exploring new legal mechanisms, we highlight the role that alternative data governance mechanisms can play in enabling people to shape the beneficial uses of their data, building on the valuable foundations established by regulatory frameworks such as the GDPR.

Thinking about participatory mechanisms for data stewardship, we will set out a framework and a ‘ladder of participation’ enabling people to gain increasing levels of control and agency over their data. In that report, we urge developers and designers to embrace the range of creative options available to them to place people at the centre of good data governance.

Data stewardship should, therefore, be understood as a framework of rights and responsibilities. Stewardship itself is an ethic that embodies responsibility, not just to one’s own self or organisation, but to others, and the uses we’ve highlighted are intended to mobilise that sense of responsibility.

This ethos is shared by a range of actors in the data governance ecosystem in the UK, and beyond.

The Royal Society uses stewardship to describe a body mandated to ensure responsible use. The Mozilla Foundation uses it as a term to describe the act of empowering agents in relation to their own data. Researchers, including those based at the Open Data Institute, describe it as embodying a ‘fiduciary relationship’ of trust between data stewards and data beneficiaries.

Others refer to data stewardship as the standards and behaviours expected of industry organisations in governing data, beyond what is expected of them in law – as embodying responsible approaches to data governance.

What is not data stewardship, in Ada’s view?

There are practices in the use and management of data that cannot, in the Ada Lovelace Institute’s view, be regarded as ‘data stewardship’. Responsible data stewardship should not be equated in all circumstances with data sharing, as sometimes the most responsible data practice can be a decision not to share data. Because some unethical and untrustworthy uses of data exist and undermine public confidence, data use, data access, open data and data sharing cannot be considered as equivalent with data stewardship.

The Annual Track survey commissioned by the Information Commissioner’s Office, for instance, reveals that levels of trust in social media companies’ use of data are low, with only 16% of people reporting high levels of trust, and that those who have heard about or experienced a data breach are more likely to have lower levels of trust and confidence. Online retailers and mobile, telecoms and utility companies are less trusted, while other organisations, including the NHS, fare comparatively well.

Exploring data stewardship by articulating what it is not helps us to understand why it’s important. Use, application and context, and who it is that shares and uses the data, are all highly relevant factors. That is why we put responsibility at the heart of data use, while recognising the value it can have to society. As the pandemic has revealed, there is both very real support for, and very real need for, the effective use of data, particularly across the NHS.

While we agree with Secretary of State Oliver Dowden that data can engender great benefit and good, we don’t find it helpful to characterise concerns about privacy and rights as a ‘threat’. Listening to societal concerns and finding mechanisms to address and work with them will enable us to both govern data legally, ethically and responsibly, and engender greater public confidence and trust in data use.

Practices that have undermined confidence – and run counter to the behaviours and values of data stewardship – include the widespread misuse of personal data, exemplified by repeated high-profile data breaches and sharing scandals. Concentration of power and market dominance based on extractive data practices from a few technological players also play a part in entrenching public concern about data use and impeding data sharing and access in the public interest.

The lack of transparency and scrutiny around public-private partnerships in the UK adds additional layers of concern when it comes to how data is used. Public and societal concerns during the pandemic have been stimulated by the Government’s consideration of digital contact tracing and vaccine passports, as the findings from our rapid online deliberation illustrate. Public confidence, particularly in a crisis, is key to engendering the most effective use of data.

Some of these concerns arise from the fact that what data subjects might consider to be ‘good’ is different to how those using the data (‘data controllers’ or ‘data processors’) may define it, particularly if individuals have no say in that definition. There is a need to disambiguate data for the public good, as academics such as Sarah Cheung have argued.

The digital environment mediating data, which surrounds us, has given rise to models that ‘nudge’ towards uninformed consent at the great expense of individual or societal data rights. Few people are able to understand and review critically the terms and conditions that pop up online when sharing data through platforms, or the data monetisation models that dress up data commodification with the language of empowerment – ‘empowering’ people to sell their own data (again, with limited ability to choose alternatives, whether that is paid access to a particular technology service, or opting for a privacy-enhancing alternative).

These are all practices that engender harm to individual people, or do not serve wider public good. An uncritical lens that characterises these issues as a one-dimensional ‘threat’ does a disservice to the complexity of the issues engendered by data, and the ways that coercive practices that commodify, extract and mine data without people’s understanding, knowledge and consent can disempower data subjects or owners.

Data stewardship, as we understand it, aims to put data back into the hands of people and society – where it belongs. As with any language, its usage and practice are not fixed, but we have found that – as components in a working definition – responsibility, participation and rights preservation take us a long way to helping to articulate what stewardship is, and can be.

Read more in Exploring legal mechanisms for data stewardship, a joint publication with the AI Council.

Image credit: gremlin
