Guest post by Jack Hardinges, Policy Advisor at the Open Data Institute. The ODI works with companies and governments to build an open, trustworthy data ecosystem, where people can make better decisions using data and manage its harmful impacts.
The ODI and IF are starting a project to investigate how the right to data portability interacts with the fact that data can often be about multiple people.
Data is usually about multiple people
A medical record can describe a patient as well as their doctor, spouse and children. A review left on Airbnb could be about a host, a guest and the guest’s companions. Information about energy used in a home may describe multiple members of a family or different housemates.
People have an increasing need for control over data about them held by organisations. This control can be embodied in rights; some are described by the General Data Protection Regulation (GDPR). For example, the rights to explanation about how personal data is used or shared and to rectification if the data is inaccurate. It also includes the right to ‘data portability’.
Data portability gives people the right to get hold of data held about them by an organisation ‘for reuse across other services’. It shows potential not only as a way of supporting individuals to exercise control over data about them, but also in enabling innovation and new products and services.
GDPR says that the right to portability “shall not adversely affect the rights and freedoms of others”, but the portability of data about multiple people isn’t covered extensively in the regulation. Guidance produced by the Article 29 Data Protection Working Party has suggested that organisations should not take an “overly restrictive interpretation” and gives examples of telephone and instant messaging records as including data about multiple people. It states that “although records will therefore contain personal data concerning multiple people, [users] should be able to have these records provided to them in response to data portability requests, because the records are (also) concerning the data subject.”
Control and shared rights
Data portability is not only driven by regulation and individual rights. In recent weeks the sharing of data between Facebook, Global Science Research and Cambridge Analytica has shown how the choices organisations and individuals make about how data about them is used and shared can impact other people also described by the data. Terms like ‘interdependent privacy’ describe how the choices made by others, in part, determine your own level of privacy. Building understanding of how data portability can consider the rights and freedoms, opinions, and choices of multiple people is important in building trust in data.
IF will be working with the ODI to prototype different scenarios in which data portability involves data about multiple people, and to test these scenarios with people. These will include things like splitting energy bills between housemates, health information stored in food receipts, shared devices and switching between public services when moving house as a family. We expect them to surface challenges and opportunities such as:
- when authorisation and/or consent may be required from multiple people
- delegated responsibilities and decision-making about how data is used and shared
- the types of purposes for which the portability of data about multiple people may be used
- different levels of disclosure for individuals, groups and organisations
Following testing, the prototypes will help us to illustrate the scenarios and make recommendations for designing for portability of data about multiple people.