Securing data sharing

Eline N. Lincklaen Arriens

Views, thoughts, and opinions expressed in the text belong solely to the author, and do not represent the views of the Support Centre for Data Sharing or the European Commission.

Data sharing brings a certain fear to people’s minds that overshadows any and all advantages around the concept. The biggest of these fears is security.1 More specifically, and particularly when personal data is being shared, the fear concerns the uncertainty around who has access to it, what they will do with it and - in the worst-case scenarios - the possibility of the data being accidentally shared with organisations it wasn’t intended for,2 or stolen by hackers.

The good news is that fears regarding security can be addressed, or at least alleviated, with the implementation of solid data sharing agreements between the involved parties and an overarching framework of law and regulation and the enforcement thereof. Even better, this is already a growing topic of discussion! Businesses, organisations and governmental bodies that are considering sharing data with other institutions are already thinking about the legal implications of sharing their data, and how to ensure that the data is shared securely.

Currently, there is no unified approach in the legal agreements and legal frameworks for data sharing. Though there are already existing, successful legal agreements (see our practice examples for inspiration)3, they often include broad data sharing scenarios, are unnecessarily long and complex, and are subject to interpretation. But fear not, there have been significant steps in recent months to create a robust and secure data sharing infrastructure and solid legal specifications for companies, institutions and government bodies to use. For example, in July 2019 Microsoft published three data sharing agreements to function as a basis for other organisations to create similar documents.4

These agreements aim to make it easier for individuals and organisations to share data, to reduce negotiation time with the other party or parties, and to cut legal costs, enabling your lawyers to re-use standard terms and focus only on what is really specific to the matter at hand. One of Microsoft’s data sharing agreements is the “Data Use Agreement for Open AI Model Development” (DUA-OAI).5 This template focuses specifically on sharing data to train an artificial intelligence (AI) model with data that could include personal data. The purpose of data sharing in this agreement is constrained to the specific use case of training an AI. Microsoft published this template in the context of a broader initiative for removing barriers to data innovation, meaning that it is a template that can be used by different parties (i.e. not intended only for use in contracts with Microsoft).

Another example is Ctrl-Shift’s research in helping organisations realise the opportunity in personal data sharing and navigate through pitfalls, exemplified in their Personal Data Mobility Sandbox project whose results were published in June 2019.6 The project was an experiment completed in partnership with a series of mostly UK-based organisations that focused on implementing one data sharing model. In this model, data is shared from an “exporting organisation” to a Data Facilitator, and then out to an “importer”.7  

Work still needs to be done to eradicate fears around security, especially when personal data sharing is involved. Nevertheless, given the major developments from this year alone, I’m optimistic. There are several initiatives around the world - such as MaaS Madrid, the Nordic Institute for Interoperability Solutions, and JoinData - that have a solid legal agreement and framework in place. In addition, there are several institutions researching the current data sharing frameworks and agreements and looking at what’s next, including recommendations and how to ensure that data is shared securely - such as Ctrl-Shift’s Personal Data Mobility Sandbox project and Data Pitch’s research.  

Do you know of other developments around the infrastructure or legal agreements around data sharing? Share them with us in the forum or in the comments below.