Draft principles for unlocking the value of Scotland’s public sector personal data for public benefit
Guest blog by Angela Daly, Professor of Law and Technology at the University of Dundee, and Chair of the Independent Expert Group for Unlocking the Value of Scotland’s Public Sector Personal Data.
Members of the Independent Expert Group on Unlocking the Value of Public Data for Public Benefit, have been working over the summer on a draft set of principles to guide decision-making by data controllers in the Scottish public sector. I want to thank my fellow IEG members for their contributions to these draft principles.
We still have more work to do on the principles, but we wanted to share a draft of the work-in-progress publicly, and hear what others think about the direction of our work. We will discuss the draft principles more in a webinar on 1 September 2022 and hope you can join us then. You can also send feedback directly to me, the Chair, at ADaly001@dundee.ac.uk
We realise there is some ‘jargon’ and vague and broad terms in the principles. We will think about how we can simplify and clarify our language in the next version of the principles. We also have to do some work on how public sector bodies in Scotland can implement these principles in practice and are keen to hear views on that too.
1. Public engagement and involvement
Decision-making and governance about access to public sector personal datasets needs to involve the public and listen to what the public, as well as experts (in, for example, data science, law, ethics, public administration and business, equality, diversity and inclusion), in Scotland and elsewhere consider to be public benefit and public interest. Decision-making and governance should take into account the diversity of the public in Scotland. The public and experts need to be involved and consulted throughout the data lifecycle as data creation and use is a dynamic process.
2. Public interest and public benefit
All access to public sector personal datasets must be done in the public interest and must also produce public benefit.
3. Do no harm
Allowing access to personal data by companies should not produce any harm, whether intended or inadvertent. If something harmful occurs, using that data should cease immediately.
Where it is not yet clear that access to a dataset would be in the public interest and have public benefit, the public sector organisation must adhere to a precautionary principle and not provide this access, until clarity is achieved.
There must be transparency about:
- Which public sector personal datasets are disclosed and by which public body?
- To whom?
- For what purpose?
- What are the specific public benefits of the purpose/s?
- What does the private sector organisation do or make with that data?
- How are benefits of those outputs shared with the Scottish public sector AND the people of Scotland?
- How decisions are made by the public sector to grant access to personal data.
- Whether the use of data actually did produce the public benefits in practice.
6. Law, ethics and best practice
Any access to personal datasets must be permitted only in line with the highest legal and ethical standards, including best practices internationally in privacy, data protection and anti-discrimination law, and data ethics.
7. Right to opt out
Individuals should have the right to be informed that their data is being accessed by private sector organisations and the right to opt out of their personal data being shared.
8. Enabling conditions
Enabling conditions need to be in place within Scotland’s public sector to unlock personal datasets.
- Public sector organisations (PSOs) need to be aware of what personal datasets they hold and publish information about them publicly.
- PSOs may also consider whether to proactively collect personal data about people in Scotland to create new datasets whose existence would be in the public interest.
- PSOs need to ensure the security and quality of the datasets they hold.
- PSOs need to have staff with adequate skills and training in place on data literacy.
9. Regular review
These principles should be subject to routine review through deliberation with the general public, public sector, private sector and third sector stakeholders, academic and other experts, to reflect developments in evidence, technology and practice.