3. Cross-cutting policy tensions and objectives for data governance

Different types of consent models

Protection of privacy and personal data is a common concern in data governance. It raises questions for policy makers on how best to balance data openness and control of personal data, while maximising trust. In this context, consent has been recognised as a mechanism to allow individuals to control the collection and (re-use) of personal data about them. Consent generally requires organisations to provide clear information to individuals about what personal data about them are being collected and used, and for what purpose. These rules are specified in the data protection and privacy laws of most countries and in the OECD (2013[13]) Privacy Guidelines (see subsection 3.1.1 on transparency). Individuals are also to be given “reasonable means to extend or withdraw their consent over time” (OECD, 2015[21]). As such, consent can be seen as an effective tool to empower individuals with respect to openness and control decisions, thereby helping to maximise trust.

At the same time, individuals may often not read or comprehend information regarding use of their data (including from mandatory disclosures) due, for example, to information overload (OECD, 2022[7]). Furthermore, some businesses have used “dark commercial patterns”8 in privacy consent mechanisms such as cookie consent notices. These make it easier for individuals, for example, to opt into privacy-intrusive settings than to opt out. Often, this approach exploits behavioural and cognitive biases, effectively obstructing a deliberate consent decision (OECD, 2022[8]).

Additionally, data can be used and re-used, often in ways unforeseen at the time of collection. In this context, to retain flexibility in their compliance with privacy legislation, some organisations rely on one-time general or broad types of consent. These types of consent ostensibly provide some degree of control to individuals about the collection and use of data about them, without requiring consent for each specific instance of use. On the one hand, these types of consent seem to respect individuals’ rights without pre-empting the social benefits that may accrue when those data are used for additional, previously unspecified aims. On the other, data subjects may not realise the full implications of broad consent, particularly in the context of artificial intelligence (AI) and big data analytics.

Increasingly, as highlighted in subsection 3.2.1, individuals cannot be fully aware of how observed, derived, inferred and personal data could reveal information about them. Nor can they know how these data could be used and shared between data controllers and third parties. They also cannot anticipate to what extent their data will be used for purposes that may transgress their moral values.

Consent remains a useful tool, especially in some contexts and circumstances. However, uncertainty about its use and effectiveness has led to the proposition of new models in the scientific literature, including “adaptive” or “dynamic” forms of consent (OECD, 2022[22]; 2015[21]). In time-restricted consent models, for example, individuals consent to use of personal data about them only for a limited period. This enables them to consent to new projects or to alter their consent choices in real time as circumstances change, while having confidence these changing choices will be respected.

However, behavioural and cognitive limitations or the presence of dark commercial patterns can call into question when and to what extent individuals can meaningfully consent to the collection and use of their personal data. Therefore, measures based on consent and information disclosure are likely insufficient in isolation. They may thus need to be accompanied by other regulatory measures. These could include requirements for “privacy-by-design” or prohibition of certain harmful data practices, such as privacy-intrusive dark patterns or potentially exploitative data-driven personalisation practices (OECD, 2022[8]; forthcoming[23]).

Data portability

Data portability has become an essential tool for enhancing access to and sharing of data across digital services and platforms. It can help increase interoperability and data flows and thus enhance competition and innovation by reducing switching costs and lock-in effects (OECD, 2021[2]; 2021[17]). Most importantly, an increasing number of countries is considering data portability as a means to grant users better agency and control over “their” data. This, in turn, empowers users to play a more active role in the re-use of these data.

Data portability initiatives and arrangements differ significantly along five key dimensions (OECD, 2021[17]):

• sectoral scope, including whether they are sector-specific or horizontal and thus directed potentially at all data holders regardless of the sector

• beneficiaries, including whether only natural persons (individuals) or also legal persons (i.e. businesses) have a right to data portability

• the type of data subject to data portability arrangements, including whether data portability is limited to personal data and includes volunteered, observed or derived data

• legal obligations, especially the extent to which data portability is voluntary or mandatory and if the latter, how it is enforced

• modalities of data transfer, meaning the extent to which data transfers are limited to or include ad hoc (one-time) downloads of data in machine-readable formats (regarded as “data portability 1.0”), ad hoc direct transfers of data to another data holder (“data portability 2.0”), or real-time (continuous) data transfers between data holders that enables interoperability between their digital services (“data portability 3.0”).9

PETs as key technological measure

Privacy-enhancing technologies (PETs) are a prominent example of technological measures that can expand the sphere of control over data (OECD, forthcoming[24]). According to OECD (2002[25]), PETs “commonly refer to a wide range of technologies that help protect personal privacy [ranging] from tools that provide anonymity to those that allow a user to choose if, when and under what circumstances personal information is disclosed.” Typically, they are not stand-alone tools but can be viewed as new functionalities to manage data. OECD (forthcoming[24]) differentiates between the following four classes of PETs:

• Data accountability tools provide enhanced control to the sources over how data can be gathered, access and used, or else greater transparency and immutability into tracking data access and use. These include, for example, accountable software systems that manage the use and sharing of data by controlling and tracking how data are collected and processed, and when they are used. Such a design aims, in part, to grant access with limitations attached to the data. In other words, data remain within the sphere of control wherever they flow.

• Data obfuscation tools, like encrypted data processing and distributed analytics tools (see bullets below), reduce the need for sensitive information to leave a data source’s sphere of control, where the underlying data are kept and processed. Unlike other types of tools, however, obfuscation alters the data by adding “noise” or removing identifying details. Data obfuscation tools commonly include anonymisation and pseudonymisation techniques.12

• Federated and distributed analytics allows executing analytical tasks (e.g. training models) upon data that are not visible or accessible to those executing the tasks. In federated learning, a technique gaining increased attention, raw data are pre-processed at the data source. In this way, only the summary statistics/results are transferred to those executing the tasks. These results can then be combined with similar data from other sources for all of the data to be indirectly processed centrally. In distributed analytics, sensitive data never leave the custody of a data source but may be analysed by third parties who are members of a common network. Distributed analytics is increasingly applied in the health sector and was particularly important for accelerating the pace of global COVID-19 research (OECD, 2022[22]).

• Encrypted data processing tools allow running computations over encrypted data that are never disclosed. Unlike data obfuscation tools, the underlying data remain intact but hidden by encryption. Examples include homomorphic encryption through which a data processor can perform increasingly complex calculations over the encrypted data. It extracts an encrypted result that can only be unlocked with the original data source’s cryptographic key.

Developments in data analytics and AI have combined with the increasing volume and variety of available data sets and the capacity to link these different data sets. This has made it easier to infer and relate seemingly non-personal or anonymised data to an identified or identifiable entity (OECD, 2019[3]; forthcoming[24]).13 This, in turn, limits the use of some PETs as a single means of protection. Therefore, PETs-related initiatives need to be complemented by legally binding and enforceable obligations to protect the rights and interests of data subjects and other stakeholders as articulated in the OECD (2021[6]) EASD Recommendation.

Organisational measures

Organisational measures refer to institutional arrangements that may involve contractual arrangements (OECD, 2022[19]) (subsection 3.2.3). They are often used in combination with PETs to help manage and enhance control over data, enabling a more balanced approach to data openness. Organisational measures can vary greatly in their model and implementation.

Organisational measures play a key role where data are considered a collective resource of common interest and thus for the implementation of “data commons”.14 Data commons are formal or informal governance institutions to enable a viable and shared production and/or use of data that reflects the interests of stakeholders. They facilitate joint production or co-operation with suppliers, customers (consumers) or even potential competitors (co-opetition). Data commons have often led to open data arrangements. However, other arrangements that foresee restrictions on data access and sharing (conditioned data access and sharing arrangements) are increasingly in use as well.

Indeed, a wide range of approaches can be used to enable data commons to enhance individual and organisational control over data while unlocking the benefits of greater data use and sharing:

• Independent ethics review bodies (ERBs) are committees that review proposed research methods to ensure they are ethical. ERBs have been highlighted in some cases as critical trusted third parties, especially around access to and sharing and re-use of personal data. For example, in the scientific community, the evaluation of applications for access to publicly funded personal data for research can depend on ERBs. The OECD Global Science Forum concluded that ERBs can increase trust between parties with an interest in the use of personal data for research purposes, particularly in situations where consent for research use is impractical or impossible (OECD, 2016[5]).15

• Data sandboxes are isolated environments through which data are accessed and analysed. Analytic results are only exported, if at all, when they are non-sensitive. Data sandboxes typically require execution of the analytical code at the same physical location as the data. These sandboxes can be realised through technical means of various complexity. One example is isolated virtual machines that cannot be connected to an external network or federated learning solutions. It is also possible to maintain a physical presence within the facilities where data are located (OECD, 2019[3]).

• Data intermediaries: The OECD (2021[6]) EASD Recommendation defines data intermediaries as “service providers that facilitate data access and sharing under commercial or non-commercial agreements between data holders, data producers and/or users.” As the Recommendation notes, data intermediaries can be data holders. By defining common legal and technical standards, data intermediaries facilitate data access and sharing (e.g. data spaces).However, they can also be trusted third parties (e.g. data trusts) that essentially act on behalf of other stakeholders, including data holders, data producers and/or users.

  • Data spaces have been proposed as a decentralised type of data intermediary. At a technical level, data spaces rely on common standards for accessing, linking, processing, using and sharing data between different endpoints where the data are located. Data spaces have been proposed as a solution, especially with respect to “industrial” or “non-personal” data. For example, Gaia-X is a European initiative that aims to develop a software framework for data governance. It would be implemented by cloud service providers based on common rules to enhance transparency, controllability, portability and interoperability across data and services.16 This government-backed standard aims to establish an ecosystem in which data are made available, collated and shared in a trustworthy environment. In such an environment, generators of data maintain full control and visibility on the context and purpose for which other actors access data.

  • Data trusts are a more centralised type of data intermediary. Data trusts are institutional arrangements whereby a trusted third party (an informed person or organisation) takes on a fiduciary duty to steward/govern data use or sharing on behalf of its members in relation to third parties. This is intended as a means to increase access and sharing of the data, while safeguarding the rights and interests of the data holders (Hardinges, 10 July 2018[26]; Ruhaak, 2021[27]). Examples of data trusts include personal data stores or Personal Information Management Systems (PIMS). PIMS are service providers that enhance an individual’s control over their personal data by choosing where and how they want their data stored, accessed or processed at a granular level. Examples also include trusted data-sharing platforms, where major data holders either designate an existing trusted organisation or create a new trusted organisation and platform to share data with third parties. In the United States, for example, health care and health insurance companies (e.g. Aetna, Humana, Kaiser Permanente and United Healthcare) designated the non-profit Health Care Cost Institute (HCCI) as a trusted organisation. After removing information about which company has provided the data, HCCI shares information about health care use and costs in the United States with selected research institutions (OECD, 2019[3]).

Governments can act as, or create, a trusted third party. In certain countries, national statistical offices have acted as in this capacity. In Australia, under the Data Integration Partnership for Australia, the government initiated a three-year AUD 131 million (around USD 90 million) investment to maximise the use and value of the government's data assets between 2017 and 2020 (Australian government, 2017[28]). Agencies in social services, health, education, finance and other government entities would provide data for linking and integration. Meanwhile, “sectoral hubs of expertise, independent entities that are funded by the Commonwealth” and denominated Accredited Integrating Authorities (AIAs), would enable integration of longitudinal data assets. These data would be “housed in a secure environment, using privacy preserving linking methods and best practice statistics to link social policy and business data” (Productivity Commission, 2017[29]). The Australian Bureau of Statistics – the national statistical office – was the country’s first institution to be recognised as an AIA.17

All these organisational measures have strengths and weaknesses to address concerns around data access and sharing. On their own, they often cannot provide a solution. A combination of technological and organisational measures will be necessary to address stakeholders’ concerns and risks while enabling co-operation. Policy makers could provide incentives or directly experiment with some organisational measures to ensure optimal levels of data sharing occur based on technological and organisational possibilities.

Syntactic and semantic interoperability

Commonly used machine-readable formats are not enough to guarantee technical interoperability (OECD, 2019[3]; 2020[16]). These formats may enable data syntactic interoperability, i.e. the transfer of “data from a source system to a target system using data formats that can be decoded on the target system.” However, they do not guarantee data semantic interoperability, defined as “transferring data to a target such that the meaning of the data model is understood within the context of a subject area by the target.” Both syntactic and semantic interoperability are needed for data interoperability and to enable data openness.

The private sector, including data intermediaries (subsection 3.1.4), has played an important role to develop and promote data-related standards and other technical specifications. Data intermediaries often provide their data in common data formats that assure both syntactic and semantic interoperability – driving their adoption across industries. In so doing, they can define de facto standards for their industry. One example is Google's General Transit Feed Specification (GTFS), a common format for public transportation schedules and associated geographic information (OECD, 2019[3]).

Governments nonetheless play a role to promote development and adoption of interoperable specifications for effective data access, sharing and use, and to ensure these specifications maximise trust. These specifications include common standards for data formats and models, as well as open-source implementations (OECD, 2021[6]). Promotion of their adoption can enhance technical interoperability and be an effective strategy for fostering competition between data-driven services and platforms. This is especially the case where limited interoperability – through, for example, closed application programming interfaces – may serve as an entry barrier (OECD, 2021[2]).

Data quality, which can be understood as “fitness for use” in terms of the ability of the data to fulfil user needs, is an important factor for technical interoperability. In this respect, “government initiatives that focus on the production of good-quality data can also contribute to greater interoperability, sharing and openness in later stages” of the data value cycle (OECD, 2019[31]).

Impacts of interoperability on investment

Although achieving technical interoperability across societies and economies represents a great opportunity, it can also have unintended consequences. Interoperability requirements, for example, may have a negative effect on firms’ willingness to invest in data. They may perceive that lower switching costs enabled by interoperability creates a risk of losing their user base. In addition, interoperability standards that are too prescriptive and have a high cost of compliance can harm competition and innovation. This is especially the case for small and medium-sized enterprises (SMEs) as they may lack capacity to develop and maintain interoperability specifications (Competition Bureau Canada, 2022[32]). Therefore, interoperability needs to be considered in connection with the cross-cutting tension Incentivising investments in data and their effective re-use (section 3.3).

The contributions of different stakeholders throughout the data-driven value creation process

Determining fair distribution of risks, benefits and liabilities across stakeholders for data governance is a multi-pronged process. One important first step is to identify and consider the respective contributions of different stakeholders throughout the data-driven value creation process (from data collection to processing through to use and re-use) and the different types of data that may be involved thereby.

Figure 3.5 presents a stylised process of how a product user (e.g. a consumer) typically interacts with a data product (e.g. an online service or portable smart device) provided by a product provider (e.g. a business). The data product (i) observes the activities of its user, creating observed data;21 and/or (ii) collects input data volunteered by its user, i.e. volunteered data.22 These data can then be accessed for further processing (iii) by the product provider and/or by a third party granted access, leading to derived data.23 Derived data can also be enriched when a set of observed and/or volunteered data is combined with a set of acquired data24 from (other) third parties (OECD, 2019[3]).

Figure 3.5. Data products and the different ways in which data originate

Note: Arrows represent potential data flows between the different actors and a data product (good or service). The type of data is highlighted in bold to indicate the moment at which the data are created.

Source: OECD (2019[3]), Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-Use Across Societies, https://doi.org/10.1787/276aaca8-en.

Observed, volunteered, derived and acquired data

This differentiation between observed, volunteered, derived and acquired data highlights the contribution of various stakeholders to the data value cycle. As such, it indicates the potential interests and claims of stakeholders with respect to those different types of data. Product users are most aware of the data they have voluntarily provided. Consequently, they typically tend to have stronger interests in volunteered data. For their part, product providers will have a particularly strong interest in derived and acquired data given their respective creation and acquisition directly involved financial and non-financial resources.

The differentiation between observed, volunteered, derived and acquired data has been reflected in recent policy considerations on the allocation of access and use rights on data. As countries increasingly adopt data portability regimes, to what extent should data portability rights apply to all types of personal data? Some data held by organisations may have been inferred or derived by the organisations. In other cases, users have been the main contributors (OECD, 2021[17]).

Recent policy decisions treat this question differently. The “Right to Data Portability” (Art. 20) of the European Union (2016[40]) General Data Protection Regulation (GDPR), for instance, only applies to personal data “provided by” the data subject with consent or under contract that is electronically processed. The (former) Article 29 Working Party indicates in its guidance that the definition of provided personal data should include data volunteered by the individual, as well as observed by virtue of their use of the service or device. However, it should not include personal data that are inferred or derived (OECD, 2015[33]).

The differentiation between observed, volunteered, derived and acquired data can also shed light on other aspects of interest to policy design. For example, it can help determine what product users (such as data subjects) may reasonably know about the scale and impact of activities by service providers with personal data about them. This is relevant, for example, when designing policies that seek to protect privacy by strengthening the control capacity of the product users such as through individual consent requirements (subsection 3.1.3).

Multi-stakeholder engagement and participation

The differentiation between observed, volunteered, derived and acquired data is crucial to disentangle the contribution of stakeholders at different phases of the data value cycle conceptually. However, multi-stakeholder engagement and participation is another fundamental instrument to disentangle the multiple interests entrenched in data governance. Available evidence shows that engagement about data governance with stakeholder communities can help better identify and make explicit their various interests, and better define responsibilities and acceptable risk levels across the data ecosystem (Frischmann, Madison and Strandburg, 2014[41]; OECD, 2021[4]; 2019[3]; 2016[5]). In this sense, it also helps build trust in data governance and the data ecosystem, strengthening subsequent buy-in and compliance from all stakeholders.

To be effective, multi-stakeholder engagement and dialogues require establishing whole-of-society, open and inclusive processes where:

• all relevant stakeholders are represented, their roles, responsibilities and modalities of participation are identified, and their various interests recognised and made transparent

• appropriate mechanisms ensure that all stakeholders’ interests are considered in the design, implementation and monitoring of data governance frameworks, that stakeholder feedback is given appropriate attention and consideration and that a rationale is given where feedback is not taken on board (OECD, 2019[31]).

National and sectoral data strategies

National and sectoral data strategies could help address many of the policy issues highlighted above in a comprehensive manner by incorporating a whole-of-government perspective. Many countries have adopted national digital economy and national AI strategies. However, equivalent data strategies are emerging spurred by the recognition of their potential to support the data economy strategically and the responsible use of data across society (OECD, 2022[19]).

National data strategies are cross-sectoral by nature. In many instances, they are designed to help reach higher level objectives. These could include gross domestic product growth, productivity, well-being and/or combatting climate change and fostering sustainable development. To achieve these strategic objectives, many national data strategies build on specific strengths of the country. For example, they often integrate pre-existing national digital economy strategies (Gierten and Lesher, 2022[42]), national broadband strategies, digital government strategies and national AI strategies, which national data strategies often complement. In turn, national data strategies are often complemented by sector-specific data strategies. The most prominent sectoral data strategies relate to health but also science and research, as well as smart cities, smart transportation and smart energy systems.

Approaches to governing national and sectoral data strategies vary across countries, but commonalities can be found. In the case of sectoral data strategies, development, co-ordination and monitoring fall essentially under the ministry in charge of the sector. For national data strategies, a few countries (still the exceptions so far) have appointed a high-level government official with leading development, co-ordination and monitoring. Several have tasked a ministry, ministerial position or other body dedicated to digital affairs. Not surprisingly therefore, several ministries, bodies or institutions may be involved when implementing national data strategies. In some cases, multiple stakeholders are also involved. Indeed, in almost all countries, multiple private and public stakeholders and bodies contribute input to the development of national and sectoral data strategies (OECD, 2022[19]).

Cross-agency co-operation

Interdisciplinary and cross-agency co-operation in both policy making and enforcement are needed in cases where data governance relies on overlapping policy and regulatory frameworks. Data portability initiatives, for example, involve personal data that are also important for businesses and can alter competition conditions. Therefore, governance intersects with competition, privacy and consumer protection. Even if only one of these three areas is the primary motivation for a data portability initiative, the policy will likely implicate the others. Multiple regulatory domains may also be implicated when data governance is implemented at a sectoral level. Open Banking initiatives, for example, involve financial market authorities, as well as privacy enforcement authorities.

Privacy enforcement authorities (PEAs) have long raised the need for closer dialogue between regulators and experts across jurisdictions but also across policy communities. Such a dialogue could achieve more effective competition and consumer protection enforcement. At the same time, it might stimulate the market for privacy-enhancing services (EDPS, 2016[43]; 2014[44]).Multiple OECD reports have discussed enhanced co-operation and co-ordination across agencies (OECD, 2020[45]; 2020[46]; 2019[47]; 2018[48]; 2015[33]; forthcoming[49]). The review of the OECD (2007[50]) Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy found that PEAs are collaborating “generally with regulators responsible for consumer protection, competition/antitrust, cybersecurity, telecommunication, financial regulation, public health and transportation/infrastructure” (OECD, forthcoming[49]). The review notes that

Good practices offer a starting point for other countries

Among good practices, the Office of Australian Information Commissioner (OAIC) has been working with the Australian Competition and Consumer Commission (ACCC) on a range of projects. One example is the development of the “Consumer Data Right” (Australia’s data portability initiative) (OAIC, 2020[51]). Another example is the OAIC’s engagement in the ACCC’s Digital Platforms Inquiry. This inquiry examined the impact of digital platforms on competition in the media and advertising services markets, recommending reform of Australia’s privacy framework. In support of this recommendation, the OAIC provided input from the viewpoint of a PEA acting internationally. This aimed to ensure the interoperability of Australia’s data protection laws globally and optimal regulatory outcomes in the public interest (OAIC, 2019[52]).

Another example is the collaboration between the French data protection authority (CNIL) and the Directorate-General for Competition, Consumer Affairs and Fraud Control (DGCCRF) (the French authority responsible for consumer protection). Together, they have processed personal data by social networks, deceptive marketing practices related to compliance with the GDPR and the use of personal data in electronic commerce (CNIL, 2019[53]).

Despite the increasing number of collaborations, policy makers and regulators may still face challenges. OECD (2021[54]) notes that co-ordination for competition and consumer policy issues and enforcement is generally more straightforward than for those involving privacy enforcement. This is because a common agency has responsibility for both competition and consumer issues in more than 30 jurisdictions. In Germany, for example, legislation provides the basis for co-operation between these authorities (Stauber, 2019[55]).

Few agencies assume responsibility for privacy in addition to competition and consumer protection. In this regard, the United States’ Federal Trade Commission is one of the exceptions. In addition, few countries have legislation to allow cross-disciplinary collaborations between privacy enforcement and other authorities similar to those between competition and consumer protection regulators.

However, there are promising developments in certain countries. The Information Commissioner’s Office (ICO) of the United Kingdom, for instance, has established Memoranda of Understanding with the Financial Conduct Authority (FCA) and the Competition and Markets Authority (CMA) on matters related to data protection and other areas of mutual interest. The agreements set out a range of ways to co-operate, notably through regular communications and consultations. This may include sharing information about investigations, relevant action and relevant information regarding data breaches, fraud and criminal activity (ICO/CMA, 2021[56]; ICO/FCA, 2019[57]). The CMA and the ICO recently released a joint statement on their interactions and next steps, highlighting synergies and potential tensions between different policy areas (CMA/ICO, 2021[58]).

Contract models from government and industry

Some governments and private sector actors have recognised both the importance of contracts and their related issues. In response, they provide guidance and/or voluntary model contracts or contractual clauses for data sharing agreements. These clauses are the default position for parties to consider when negotiating their data sharing agreements for complete, clear and fair contracts (European Commission, 2018[59]). Parties are free to deviate from the proposed clauses at their mutual agreement. Nevertheless, by providing a starting point that seeks to balance power or information asymmetries, contract guidelines and model contracts are seen as a promising means to assure fairer terms and conditions for data access, sharing and re-use.

In Japan, for example, the Ministry of Economy, Trade and Industry has formulated the Contract Guidelines on Utilisation of AI and Data. It summarises issues for private businesses to consider when drafting a contract related to data re-use or development and use of AI-based software (METI, 2019[60]).

Similarly, industry-developed voluntary codes of conduct and public sector data ethics frameworks guide the conduct of a specific sector, firm or public contractor to promote an environment of trust. Such codes generally focus on transparency, disclosure and consent. In the agricultural sector, codes for use of agricultural data complement legislation and encourage best practice in farm data management. They are seen as a means of improving transparency and fairness in agricultural data contracts. As such, they can be a viable option to generate trust in the relationship between farmers and technology providers. These codes are not without challenges, chiefly due to their voluntary nature. However, when they are developed by and for farmers, potentially with government seed funding, they can have broad buy-in (Jouanjean et al., 2020[61]).

As another example from the private sector, Microsoft published three data sharing agreements in July 2019 as templates: the Open Use of Data Agreement (O-UDA), the Computational Use of Data Agreement (C-UDA) and the Data Use Agreement for Open AI Model Development (DUA-OAI). These were complemented by a fourth in November 2019: the Data Use Agreement for Data Commons (DUA-DC) (Microsoft, 2019[62]).

In terms of data ethics frameworks, public procurement processes could enforce alignment with value-based data governance practices (OECD, 2021[4]). For instance, the UK Data Ethics Framework is used for assessing the ethical standards of projects, partners and suppliers in the Crown Commercial Service Dynamic Purchasing System. Suppliers applying to join the system must commit only to bidding where they are capable and willing to deliver the ethical and technical dimensions of a tender (where a buyer has stated there is an ethical dimension to their procurement). Following the bid, suppliers need to provide evidence on how they have been following the Data Ethics Framework during implementation of the product or a service (OECD, 2021[4]).

Investments in ICT infrastructures for data

In many cases, the effective use and re-use of data require complementary investments in metadata, data models and algorithms for data storage and processing, and in secure ICT infrastructures for (shared) data storage, processing and access. For example, the use and correct interpretation of data depend on the possibility to identify their source, the methodology of collection, as well as the various steps of curation. For this reason, investments in metadata and documentation are as critical as those in data collection itself. Complex datasets can also often be interpreted and used correctly only if suitable data processing algorithms and software are available to use.

Investments in and access to data storage processing and analytic infrastructures are thus a key condition for the effective re-use of data across society. This is especially true for SMEs and individuals such as scientists who may find it disproportionately costly to operate, maintain and scale their own data infrastructures. Cloud computing has been a major catalyst for the use and re-use of data and big data in particular. However, its diffusion remains much below expectations in particular among SMEs (OECD, 2021[72]; 2019[73]).

In this context, initiatives such as those presented above that aim to develop data-related skills are often complemented by those that establish ICT infrastructures for data, including data analytic support centres. For example, Australia’s initiative to provide a big data infrastructure and technology foundation covers both support of data-related know-how and of the necessary infrastructure. This includes support to develop and provide statistical and analytical methods and tools with the help of data scientists for different target groups (supporting outcome monitoring and developing indicators based on heterogeneous data sources).

In the public sector, digital investments should be coherent and align with relevant procurement, technology, digital, data and services standards. For this reason, governments across OECD countries are investing to develop shared data infrastructures and standards. This aims to improve the efficiency of digital investments, while promoting data access and sharing within the public sector by reducing proliferation of fragmented digital solutions. Examples in this area include Italy´s National Digital Data Platform and the United Kingdom’s Digital Marketplace (OECD, 2019[31]).

Business models for sustaining the function of ICT infrastructures for data openness

Lack of sustainable funding for ICT infrastructures for data openness, especially in open data infrastructures (such as open data portals and data repositories) remains a concern. This situation is exacerbated by the lack of viable business models for these infrastructures, especially since access to (open) data is often assumed to be free rather than at the cost to the data holder (OECD, 2017[74]). In the area of science and research, many institutions (including funding agencies) are struggling to keep up with demand for help. There is a great demand to fund the infrastructure for data stewardship and data sharing, as well as the necessary training to support these activities.

Against this background, market-based approaches have been recognised as essential for encouraging the use, access and sharing of data. Already in 2017, the G7 ICT and Industry Ministers in Turin recognised that “market-based approaches to access and sharing of data are important to foster innovation in production and services, entrepreneurship and development of SMEs” (G7, 2017[75]). In this context, a growing range of data intermediaries that provide added-value services such as a payment and data exchange infrastructure can facilitate data sharing, including their commercialisation. They thus play a role in sustaining the function of ICT infrastructures for data openness.

However, policy makers need to acknowledge and, where possible, address challenges to enhance functioning of market-based approaches. In particular, the risk of data erosion has increased due to the combination of several factors. First, there is a lack of dedicated funding for data sharing infrastructures and limited pathways for their sustainment, even in critical areas such as science and health care research. This gap combined with misalignment of incentives to invest in, curate and share data has increased the risk of data erosion over time.

To address this issue, policy makers need to promote adoption of viable business models that ensure financing matches the desired duration of data sharing (OECD, 2019[3]). To this end, different revenue models can be used in combination. Promising revenue models include freemium,31 advertisement, subscription, usage fees, selling of value-added goods and/or services, licensing and commission fees.

For research data repositories more specifically, policy makers, research funders and other stakeholders need to consider the ways in which data repositories are and can be funded. They should also reflect on the advantages and disadvantages of those business models in different circumstances (OECD, 2017[74]):

• Structural funding typically involves a trade-off between funding for data repositories and funding for other research infrastructure or for research itself. That allocation will best be made by informed actors making choices, such as through a funding allocation process involving widespread research stakeholder participation, expert consultation and “road-mapping”.

• Host or institutional funding may divorce informed actors from the funding decisions or require additional processes to ensure greater stakeholder understanding of the value of the repository services.

• Data deposit fees bring the trade-off closer to researchers, but their success in optimising allocation will depend on the extent to which the actors are informed and on their freedom of choice. The latter may be constrained by open data mandates (regulation).