A Public Sector Body (PSB) may receive a request for voluntary data sharing under the Data Governance Act (DGA) or wish to share data with other parties to encourage research or for other purposes.
The CSO role as the Article 7[1] competent body under the DGA is to act as an intermediary between the respective PSB and other parties to ensure that the data shared is protected and preserves the privacy of the PSB’s customers. The PSB is the data controller for any protected[2] (including confidential and personal) data shared since the PSB will decide who accesses the data, including their purposes, and on the means of processing protected data. In this instance the particular service being offered by the CSO under the DGA is anonymisation. To produce this anonymised dataset, the CSO may require protected data, though direct identifiers such as names are not necessary. The dataset supplied to the CSO will be destroyed once the service is provided.
When requested, the CSO, as an Article 7 competent body, may provide an anonymised version of a PSB’s dataset to the PSB which they can then share with other parties under the DGA. This will involve the creation of an anonymised version of the relevant dataset such that data subjects can no longer be identified, and the dataset no longer qualifies as having protected data. The CSO will also provide a ‘Template for PSBs to Create End-User AMF Request Form' which the PSB may wish to use as an application form to help record requests to the PSB for access to the AMF. The PSB should note that these approvals must generally be non-discriminatory under the DGA once access is initially granted to an Anonymised Microdata File (AMF) by the PSB. While data sharing is voluntary, once a dataset is released, it should be available subsequently to all applicants.
The key feature of the AMF which will be generated under this service is that any output generated does not need to be checked or assessed any further for confidentiality issues.
____________________________________________________________________________________________________________________________________________________________
[1] S.I. No. 272/2024 - European Union (European Data Governance Act) Regulations 2024
[2] protected data means data held by a public sector body which is protected on the grounds of:
(a) commercial confidentiality, including business, professional and company secrets,
(b) statistical confidentiality,
(c) the protection of intellectual property rights of third parties, or,
(d) the protection of personal data, insofar as such data fall outside the scope of Directive (EU) 2019/1024.