Survey about views on data management models
Context and background
Under General Data Protection Regulation (GDPR), individuals have new legal rights with regard to personal data (e.g. rights of access, control and portability). Whilst it remains unclear how these rights are to be technically realised and sustained at scale in everyday social practice, GDPR provides a legal imperative for the development of new services to support personal data access, mobility and management.
In parallel, the UK government has identified public trust in data and data mobility as critical enabling factors to the success of the UK’s national data strategy (DCMS 2018). These developments take place against the backdrop of widespread concern about data mining and growing cross-societal consensus regarding the need for responsible data practices (as articulated by, for example, doteveryone, the Ada Lovelace Institute, the government’s new Centre for Data Ethics and Innovation. In this context, experiments with different approaches to data management have started to take form, including data trusts. A data trust is defined as a legal structure that provides independent third party stewardship of data that could take many different forms (ODI 2018).
What we did: survey
We undertook a survey of public views on data handling and management models, including various kinds of data trusts. In May 2019, a total of 2,169 respondents living within the UK completed our online survey from a Qualtrics panel.. Our nationally representative survey provides a timely snapshot of public opinion on data trusts, personal data stores and other approaches to data management, and of what the public sees as important criteria for data handling and management models that manage personal data access and sharing.
In the survey, we examined what participants thought about eight models for managing personal data. Each model was based upon approaches to data management that were being considered in various forms at the time of administering the survey, including personal data stores, data trusts and data co-operatives. The models were:
|Personal Data Store||You are given a secure place to collect, store and manage the data about you which has been collected by other services. This is called a personal data store, or PDS. You have access to this data, and you can decide who else can access this data, how they can use it and under what circumstances. The purpose of the PDS is to give you personal control over your data, which you can manage in a secure way.|
|Independent Responsible Party ||You are given a way to nominate an independent responsible party to oversee collection, storage and access of your personal data. They have legal responsibilities to look after your data. In line with your wishes, the nominated party can make decisions on your behalf about who accesses your data, what they can do with it and under what circumstances. You have a say over what happens to your data, but you are not personally responsible for looking after it.|
|Responsible independent organisations||Responsible independent organisations manage your data in different contexts (eg one for health data, one for finance data, etc). These organisations make decisions about who can access your data, what they can do with it and under what circumstances. They have legal responsibilities to manage access to your data in ways that represent the interests of all parties involved.|
|Data Co-operative||You become a member of a data co-operative that manages the collection and storage of its members’ data and is accountable to its members. As a member, you can put yourself forward to sit on a board of representatives and make decisions about who has access to members’ data, how it is used and under what circumstances. Or you can vote for other co-operative members to do these things. The purpose of the data co-operative is that your data is managed collectively, by the people whose data is in the co-operative.|
|Public Data Commons||You access data online about your area and community using an open data platform that is accessible to all citizens under commons law. This is called a public data commons. The data commons collects, stores and manages access to open data which can be used for various purposes. Everyone can access and use this data, in line with the commons’ rules of engagement. The purpose of the public data commons is to make data accessible so everyone can benefit from it.|
|Data ID Card||You have the ability to choose whether to opt out of online data collection, storage and use – this is called managing your data preferences. Your data preferences are stored on a data ID card. You can use this card to log onto online sites. The card automatically opts you out of data collection, storage and use according to your preferences and whenever this is possible. The purpose of the data ID card is to give people the option of opting out of having their data collected.|
What we found
Our main findings are:
- Respondents generally preferred approaches that give individuals significant control over their personal data (average ranking = 7.7/10) and include oversight from regulatory bodies (average ranking = 7.6/10).
- A consistent finding is that respondents dislike the status quo, in which commercial organisations control personal data in return for the digital services they provide (average ranking = 4.9).
- When credible alternatives are available (such as models overseen by a Public Data Commons, a Data Co-operative, a Responsible Independent Organisation or an Independent Responsible Party), respondents preferred all of these approaches to data management to the status quo.
- These findings were consistent across different methods used in the survey: asking respondents to rank models on a scale, choose a preferred model from a randomly generated pair; choose a preferred scenario, made up of various attributes, from a randomly generated pair.
- A consistent finding is that respondents dislike the status quo, in which commercial organisations control personal data in return for the digital services they provide (average ranking = 4.9/10).
- Respondents generally preferred approaches that give individuals control over their personal data (average ranking = 7.7/10), that include oversight from regulatory bodies (average ranking = 7.6/10) or that enable opting out from data gathering (average ranking = 7.5/10).
- When a range of credible alternatives are available—for example, a public data commons, a data co-operative, oversight by a responsible independent organisation or party—respondents preferred all of these approaches to data management to the status quo.
- These findings were consistent across different methods used in the survey: asking respondents to rank models on a scale, choose a preferred model from a randomly generated pair; and choose a preferred scenario from a pair made up of randomly generated features.
- Existing knowledge about issues relating to data was a significant predictor of preferences in relation to four models. More knowledgeable respondents preferred approaches that offered more control and/or oversight over personal data by a regulatory public body than less knowledgeable respondents who rated the status quo higher. While this effect was significant, it was relatively small (about a half point difference on a 10-point scale). In other words, this mattered, but not a great deal.
- Age had a significant impact on evaluations of the status quo. Younger respondents rated the status quo higher than those who were older than 34.
- Apart from these two findings, there were no other clear differences in data management model evaluations by demographic subgroups within the sample.
- Our findings suggest that new approaches to data management are urgently needed, because there is a strong desire from the public for an alternative to the status quo. These new approaches need to give individuals control over their personal data and include oversight from regulatory bodies.