Understand the legal, regulatory and policy context of the initiative

Organisations leading data access initiatives will need a broad understanding of the legal and regulatory context of the region, country and/or sector you are looking to create impact in. Reaching out to civil society organisations, think tanks and researchers working in this field can be a good first step to understanding the relevant laws and regulations. If your organisation has a legal department or a data protection officer, they should support assessing any regulations that might impact the initiative’s outputs.

Policies and guides are part of data infrastructure, and define how data can be accessed, used and shared in the context of the initiative. Initiatives need to first analyse any potential impact or harms of building or strengthening data infrastructure, and assess any regulatory or policy framework to minimise harmful impacts to people and communities. Rules such as laws, regulations and policies define what the initiative needs to consider, and complying with them can contribute to building a trustworthy data infrastructure.

With a better understanding of the rules your initiative needs to abide by, you should be in a position to make a decision about the feasibility of designing data infrastructure in the targeted country, industry, sector or community. These rules might include the below areas.

Laws and regulations

Laws and regulations define the expected compliance and behaviour that the initiative needs to follow when building data infrastructure and include:

Data protection regulation: these rules can provide guidance on how to protect people and communities’ data rights and privacy. You might look at:

• the main privacy or data protection laws, policies and regulatory authorities that impact the access, use or sharing of personal data and/or anonymised data between different organisations, such as the General Data Protection Regulation (GDPR) in the European Union

• any additional regulation related to consent when collecting and managing personal data in your field, such as those required in the open banking initiative or specific privacy protections around health data

• the privacy or data protection laws and regulations governing the access and exchange of data between third parties across sectors and/or across borders.

Intellectual property laws: these are rules governing the intellectual property of data or data infrastructure. Find out:

• whether any intellectual property legislation may be relevant to the use of data required

• any requisite agreements and approaches to data licensing in the country you are looking at building infrastructure in, including a short review of a selection, and if adoption of government open data license is required

Sector-specific regulations: any applicable laws or regulations in relevant sectors that may impact on the access, use or sharing of data between third parties. Consider assessing sector-specific laws ruling how your initiative might collect, share or use sensitive data such as about an individual's health and finances.

Broader laws: any mandatory regulation on how data should be accessed, shared and used, while protecting socioeconomic and environmental rights of specific groups or communities, such as environmental, equality and competition laws.

Policies, processes and principles

These are guides and codes that define how the initiative is expected to behave and what it should consider when building data infrastructure. They include:

Principles: we recommend looking at principles that could enable or restrict the success of your initiative. We recommend:

• Considering what data governance principles might be useful for the initiative to implement. For example, the FAIR principles focus on improving the Findability, Accessibility, Interoperability and Reuse of data.

• Reviewing any relevant design principles that could improve your initiative, such as the Design Justice Network Principles

• Assessing any data sovereignty principles regulating the sector or community the initiative supports. For example, the Te Mana Raraunga Māori Data Sovereignty Network’s Principles of Māori Data Sovereignty; the Indigenous Data Governance Principles from the United States Indigenous Data Sovereignty Network; and the Key Principles from the Maiam nayri Wingara Aboriginal and Torres Strait Islander Data Sovereignty Collective

Data strategies: these define data governance principles at the national (including Indigenous nations), regional and local levels. Examples include:

• UK National Data Strategy

• First Nations Data Governance Strategy

• European Data Strategy

• Gloucestershire County Council Information & Data Management Strategy

Policies and programmes: these can support and guide the data infrastructure such as:

• related innovation programmes that might support the initiative, for example, The Grand Challenges set out in the industrial strategy by the Department for Business, Energy & Industrial Strategy (BEIS) in the UK

Norms

Norms can be implicit rules determined by social or cultural convention. Some norms can be codified through guidelines, standards or codes. Understanding norms is relevant to building or strengthening data infrastructure that respects and protects communities. We recommend:

• looking at norms or standards governing data use in specific communities, such as Indigenous, or environmental groups

• contacting communities that might be impacted by your initiative and assessing any unwritten rule that needs to be considered when building data infrastructure.

Special focus: Indigenous data governance

Indigenous communities around the world have developed data governance practices to help safeguard their rights over data about their communities. Groups such as the First Nations Information Governance Centre (FNIGC) in Canada, the Global Indigenous Data Alliance (GIDA) and others have created principles that anyone working with data about Indigenous peoples should follow. Learning from and drawing on these principles in other contexts and when creating data access initiatives can also be useful, as they highlight the importance of autonomy and participation that apply to other communities.

OCAP®. The First Nations principles of Ownership, Control, Access and Possession (OCAP®) establish how data and information about First Nations (one of the Indigenous peoples in Canada) will be collected, protected, used, or shared. OCAP® is a tool both to support strong information governance towards First Nations data sovereignty, and a means to better educate those seeking to work with First Nations data.

CARE. The CARE Principles for Indigenous Data Governance is another set of principles developed by an international group of Indigenous data experts. The principles of Collective Benefit, Authority to Control, Responsibility and Ethics (CARE) are people and purpose-oriented, reflecting the crucial role of data in advancing Indigenous innovation and self-determination. These principles were designed to complement the existing FAIR principles encouraging open and other data movements to consider both people and purpose in their advocacy and pursuits.