Meta-Regulation in Administrative Data Sharing for Research in the UK

Over the last two decades, breakthroughs in Artificial Intelligence have created both bewilderment and enthusiasm for the potential of bio-tech and info-tech to gradually transform human relationships and societies. The regulatory implications of game-changing innovation are undoubted; domestic, supranational and transnational regulators are already oriented towards incorporating or pre-empting disruptive technologies within their goals and strategies. While a lot of scholarly attention has been devoted to this task, less emphasis has been laid on the prerequisites of enabling research, public, private or mixed, to produce innovation in contested regulatory environments. With more and more voices calling for ‘socially-informed and fair’ innovation that will allay public worries about automated decision-making, a major challenge emerging in such environments involves processing and sharing personal data of human subjects. Technological development and economic growth, presupposing unobstructed data flows, need to be reconciled with the protection of personal privacy, as well as with numerous other concerns.

This paper discusses the centrality of data-sharing regulation for the regulation of innovation, using the example of UK public-sector, so-called ‘administrative’ data in the GDPR era. In this case, it has been empirically reported that there is significant distance between a regulatory drive to harness the potential of massive datasets for innovative policy-making and a willingness of various stakeholders to materialise it. Care.data, which purported to extract data from NHS primary care medical records in England to improve service-delivery and facilitate research, failed to gain the support of both doctors and patients and was suspended indefinitely. The Administrative Data Research Network, which purported to facilitate access to administrative datasets for evidence-based social research that would improve policy-making, faced significant data access hurdles and failed to fully realise its potential. As a result, overcoming data access barriers is starting to be seen as the litmus test for the success of major research investments, often involving the private sector, in both health and social research. This paper takes issue with this problem, combining insights from regulatory theory, data protection law and socio-legal studies of organisations with the author’s multi-method empirical investigation of the matter, involving semi-structured interview and survey data analysis.

More specifically, I claim that research data-sharing regulation in the UK is, for the most part, meta-regulation: regulators enforce, monitor and evaluate self-regulation of the regulated entities. Despite the assertion that the GDPR’s increased monetary penalties are reminiscent of traditional, command-and-control regulation, regulatory literature has started to observe the Regulation’s capacity as a meta-regulatory instrument. The GDPR creates pockets of uncertainty and delegates significant powers to fill them not only to EU Member States but also individual actors. This is hereby shown by reference both to the interplay between the GDPR and British legislation and to the relevant self-regulatory activity of stakeholders.  When read together with the GDPR, both the UK Digital Economy Act 2017 and the UK Data Protection Act 2018 delegate standard-setting responsibilities to sector-specific regulatees, including Universities. In the context of research data-sharing, this capacity has been exercised by a set of actors to address such challenges as the identifiability risk and managing the expectations of data subjects.

Finally, this paper assesses the effectiveness of meta-regulation in research data-sharing. To do so, it draws on critiques of meta-regulation to identify the main challenges for regulators. Such challenges involve not only guaranteeing accountability for fundamental data subject rights, but, crucially, also enabling communicative possibilities among a number of actors with conflicting interests. Rather than aspiring to offer universally applicable solutions, the paper concludes by calling for attention to the socio-organisational context that gives rise to the challenges and identifies the first steps to tackle them.