UK: Data Trusts And Frameworks Are Gaining Traction And On The Cusp Of Widespread Adoption

Last Updated: 4 September 2019
Article by Richard Kemp

This piece looks at data trusts and data trust frameworks.

Richard Kemp, Kemp IT Law1

Data trusts are gaining traction as an innovative way to facilitate trusted data sharing. The idea came to public attention in the October 2017 Hall/Pesenti 'Growing the UK AI Industry' report,2 which described data trusts as:

"a set of relationships underpinned by a repeatable framework, compliant with parties' obligations, to share data in a fair, safe and equitable way".

Passing the baton to the Open Data Institute3 ('ODI'), the Report's top recommendation was that:

"Government and industry should deliver a programme to develop Data Trusts – proven and trusted frameworks and agreements – to ensure exchanges are secure and mutually beneficial".

Although incubated in AI, data trusts have broader potential across the field of data science and, more generally, in helping organisations manage data sharing responsibilities around GDPR/personal data,4 non-personal data,5 cloud/information security and governance as well as AI deployment/ethics. The ODI found in research in April 2019:

"that there is huge demand from private, public and third sector organisations in countries around the world to explore data trusts. Whilst organisations have different ideas about what data trusts could do, they are nevertheless enthusiastic and eager to find ways of sharing data whilst retaining trust, and still deriving benefits for themselves and others."6

In July 2019, the ICO endorsed this view in their draft data sharing code of practice consultation:

"There is a great deal of interest, both in the UK and internationally, in the concept of 'data trusts'. ... In essence they are a new model to enable access to data by new technologies (such as artificial intelligence), while protecting other interests and retaining trust, and following a "privacy by design" approach. They have potential for use in data sharing".7

Towards a definition of data trust

The ODI has done the heavy lifting around what a data trust is. It found8 the term interpreted variously as a 'repeatable framework of terms and mechanisms', 'mutual organisation', 'legal structure', 'store of data' and 'public oversight of data access', before coming down in favour of 'a legal structure that provides independent stewardship of data'.9 In addition to aligning to the ODI's principles for good data infrastructure, the ODI set out six characteristics that it believes a data trust should have:

  • a clear purpose;
  • a legal structure 'including trustors, trustees with fiduciary duties and beneficiaries';
  • rights and duties over stewarded data;
  • a defined decision making process;
  • a description of how benefits are shared; and
  • sustainable funding.

In the commercial arena – likely to be where many data trusts will operate – there are two initial issues with the ODI's suggested definition. First, advocating a legal structure implies a separate legal entity, which in turn imposes formalities10 that may not be necessary in all use cases, particularly where a similar result may more simply be obtained through an ecosystem of clearly defined contract terms that each participant expressly accepts.

Second, as commercial lawyers, we're taught to steer clear of fiduciary duties where we can. This is because fiduciary duties are onerous11 and challenging to calibrate precisely, and because the remedies for breach of fiduciary duty are more extensive than for breach of contract.12 This is not to downplay data stewards' responsibilities in any way, but to repeat that clearly expressed contractual rights and duties can achieve a similar (or better) result. They can also be more easily negotiated and risk insured.

The answer may be to accept that 'data trust, the framework' (what the Hall/Pesenti report described as a set of contractual relationships underpinned by a repeatable, legally compliant framework) can live alongside 'data trust, the entity' (proposed by the ODI) and that each may have a role to play in particular use cases.

What does a data trust framework ('DTF') look like?

Essentially, we'd see a DTF as a legal framework and a set of common operating rules, technical specifications and interfaces (APIs) applying for the DTF's particular purposes and agreed between all the participants of the IT ecosystem concerned. Together, the legal and operating rules, specs and interfaces enable and manage all 'lifecycle' activities for the data concerned (acquisition, flow, storage, use, sharing, consumption and deletion) within the ecosystem.

The DTF is underpinned by a standardised approach to data categorization, data management and data governance. Data is categorized by a set of commonly defined terms to describe all use cases – each data processing and data sharing activity within the ecosystem. Data management takes the key step of recognising data as business assets (or liabilities) and their value (or risk) to ecosystem participants. Looking at data through the 'asset/value' lens in this way enables impact to be assessed and appropriate decisions taken on personal data (should it be hashed or anonymized? what are the AI ethics risks? what does the DPIA say?) and other data in the ecosystem. Data governance frames issues, decisions and responsibilities for the Board/senior stakeholders.

Standardising the approach to data categorization, management and governance enables DTFs to be built from componentry using ISO/IEC and other internationally agreed technical standards. For example, the ISO/IEC has published:

  • ISO/IEC 19944 (on data categories, flows and use for cloud services and devices);
  • ISO/IEC 29134 (on privacy impact assessment guidelines) and 29151 (code of practice for PII/personal data). The ISO/IEC has also established JTC 1/SC 42 on AI and this has a number of AI standards in the pipeline; and
  • IS0/IEC 38505-1 on data governance for the organisation.

Combining an approach based on technical standards with design sprints and usability workshops means that a particular DTF can be constructed quickly, that DTF can be modified for other use cases efficiently, and that different DTFs can work together.

Examples of data trusts and DTFs

Although DTFs look set to proliferate in the months ahead, currently they are relatively few and far between. A few examples include:

Silicon Valley Regional Data Trust.13 SVRDT aggregates and uses:

"data from different educational organisations in California and seeks to enable the use of data currently siloed in different organisations for purposes including policy, research and case management."14

Trūata. Trūata, which counts MasterCard and IBM as foundational partners:

"enables its clients to derive the maximum value from their data assets while complying with the highest data protection standards. Offering its clients a service to independently anonymise data, enabling them to conduct privacy-enhanced analytics to drive business growth, uphold customer trust and protect brand reputation."15

SITA BagTrust. SITA, the leading IT provider to the air transport industry, offers a range of services that 'track baggage like a parcel'. SITA is planning to launch BagTrust as a new feature of its baggage services for its airlines customers. BagTrust will enable the airline to manage its GDPR policy by setting preferences for data sharing and deciding which airport partner will have access to which pieces of data. The range of preferences is to be based on rules published by SITA that SITA has developed using its domain expertise. This 'published rules' approach is preferred to specific contract terms to foster greater transparency and trust.16

HMG data trust pilot. In January 2019, the UK government announced17 it was investing £700,000 in a "world-first 'data trust' programme to be piloted in the UK", with three initiatives including WILDLABS Tech Hub to tackle illegal wildlife poaching18 and WRAP to address food waste.19

Data law and compliance issues are proliferating around personal data/GDPR, non-personal data, AI deployment/ethics, cloud/information security and data governance. Data volumes are growing by 30% to 40% each year. As a tool to help manage data sharing issues and in the face of this exponential growth, data trusts and DTFs appear to be on the cusp of widespread adoption with great potential as a practical and workable way forward. We will be hearing a lot more about them in the months ahead.


[1] With acknowledgement and many thanks to Tuli Faas, Legal Director, Strategy & Business Support, SITA, in relation to SITA BagTrust.

[2] 'Growing the Artificial Intelligence Industry in the UK' by Professor Dame Wendy Hall and Jéröme Pesenti, 15 October 2017 –

[3] The ODI was founded in 201 by Sir Tim Berners Less and Sir Nigel Shadbolt to advocate open data –

[4] Regulation 2016/679 of 27 April 2016 –

[5] Regulation 2018/1807 of 14 November 2018 on a 'framework for the free flow of non-personal data in the EU', effective 29 May 2019 –

[6] 'Huge appetite for data trusts, according to new ODI research', 15 April 2019 –

[7] 'Data sharing code of practice – draft code for consultation', ICO, 16 July 2019, page 85 (consultation period to 9 September 2019) –

[8] 'What is a data trust? ODI Policy Adviser Jack Hardinges unpicks how the term 'data trust' is used in the UK and beyond, and how it might be used in the context of increasing data access while protecting trust', 15 July 2018 –

[9] 'Defining a data trust', 19 October 2018 –

[10] These may arise internally within the entity (between the entity and its trustees or directors, for example) and between the entity and third parties (around capacity, contracting, rights, duties and liabilities, etc.)

[11] See for example Millett LJ in the leading case of Bristol & West Building Society v Mothew (t/a Stapley & Co) [1998] Ch 1 at 18: "A fiduciary is someone who has undertaken to act for or on behalf of another in a particular matter in circumstances which give rise to a relationship of trust and confidence. The distinguishing obligation of a fiduciary is the obligation of loyalty. The principal is entitled to the single-minded loyalty of his fiduciary. This core liability has several facets. A fiduciary must act in good faith; he must not make a profit out of his trust; he must not place himself in a position where his duty and his interest may conflict; he may not act for his own benefit or the benefit of a third person without the informed consent of his principal. This is not intended to be an exhaustive list, but it is sufficient to indicate the nature of fiduciary obligations. They are the defining characteristics of the fiduciary." See

[12] Equitable remedies for breach of fiduciary duty include rescission (setting aside the tainted transaction), account of profits and other equitable compensation (generally entitling a bigger recovery than damages for breach of contract) and proprietary remedies (constructive trusts, tracing and recovering tainted proceeds, which may extend to third parties).


[14] Quoted in the ODI document at endnote 9 above.



[17] See 'Government launches data trust programme – Digital secretary Jeremy Wright sets out plans for scheme using data sharing to tackle global challenges such as illegal wildlife trade and food waste', Lisa Evenstad, Computer Weekly, 31 January 2019 – and 'Digital revolution to use the power of data to combat illegal wildlife trade and reduce food waste',, 31 January 2019 –



The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions