Closed call for evidence

Data brokers and national security

Updated 12 May 2025

Introduction

The UK government recognises that data is one of the UK’s most valuable assets and has the potential to drive economic growth and innovation. Whilst data plays an increasingly important role in our lives and the sharing of data can reap positive outcomes, it’s essential that the government facilitates access to data in a safe and responsible way that ensures security of data and builds public trust in how it is used. As part of this, the Department for Science, Innovation and Technology (DSIT) leads across government on data-related policy issues including ensuring that new and existing technologies are safely developed and deployed across the UK. The benefits of this should be widely shared, kickstarting economic growth that is underpinned by secure digital activity.

Why we are consulting

This call for views concerns the activities involved in facilitating access to UK data (including data on UK persons, businesses, infrastructure etc.) via data brokerage, where pre-packaged or bespoke datasets can be obtained at speed and scale. For the purpose of this call for views, organisations undertaking such activities are referred to as data brokers (also known as information brokers or data providers).

Whilst these organisations can support the benefits of data sharing, the government recognises the potential for hostile actors, such as cyber criminals, to acquire UK data on the open market. Hostile actors could exploit this opportunity and data brokers themselves, tainting an otherwise important market, to access large amounts of UK data. This data could include potentially sensitive information a hostile actor may use for malign purposes, resulting in potential national security harms, as set out in part 2 of this call for views. Other countries have also identified data-related national security risks and are taking steps to mitigate them.

The UK government is seeking views to understand more about organisations that take part in data broking and the wider industry. In particular, the government would like to understand the operations, security practices and customers of data brokers, to support policy development.

  • Part 1 explores the definition and services of data brokers
  • Part 2 explores national security risks associated with the data broker industry
  • Part 3 explores the effectiveness of data brokers’ security and governance frameworks
  • Part 4 asks data brokers for a breakdown of their customer base and explores consumer awareness of data brokers

We understand that some of the responses, such as issues relating to customers or security arrangements, will be commercially sensitive, or respondents may not want to share details for security reasons. Please note, however, that we will handle this data carefully and securely. More details on this can be found in the how to respond section and our privacy notice.

Part 1: Definition and services of data brokers

(Questions 1 to 8).

There is no universal definition of a data broker, and data brokers and data broking are not defined in UK law, though varying definitions can be found in international jurisdictions. Based on our current understanding of the industry, DSIT has developed a working definition of the terms ‘data broker’ and ‘data broking’ with the aim to capture a wide range of entities for this call for views and for any wider work we may consider.

Broadly, DSIT considers data broking to be the practice of obtaining and trading or licensing data, data products and services to third parties. This can include, but is not limited to, the sale of raw datasets, application programming interfaces (APIs), profiling, real-time sharing via auctions or validating records and customer matching. These products are produced through any combination of collecting, processing and aggregating personal and/or non-personal data. In the context of personal data, DSIT understands data broking can involve varying origins of data, including but not limited to data that is collected directly from data subjects where there is a direct relationship between the organisation and data subject e.g. from an organisation’s own customers, as well as data collected where there is no direct relationship with data subjects. Sources can also include both public and private and online or offline sources. The data is then modelled into relevant commercial products.

Uses of data broking can include informing advertising and marketing campaigns and involvement in the AdTech ecosystem, credit and background checks and assisting public bodies in fraud prevention. These services can be provided directly to businesses, government and the public sector and some directly to individuals.

For the purposes of this call for views, DSIT refers to any organisation conducting data broking as a data broker, and in scope of responding. DSIT also welcomes views from organisations that engage in data broking but may not ordinarily describe themselves as a data broker. For example, a supermarket that sells customer data to a third party is engaging in data broking but would not ordinarily be described as a data broker, as data broking is not the primary product or service they offer.

DSIT considers data brokers to be distinct entities from data intermediaries. Data intermediaries have a direct relationship with data subjects as they are engaged by them specifically, for the purpose of sharing their data, with their own terms, for their benefit, e.g. a data trust. This is distinct from data broking where data is sourced from data subjects with which the entity has a direct relationship. We do not consider data intermediaries to be in scope of this call for views.

Part 2: National security risks

(Questions 9 to 12).

Direct acquisition of UK data in an open market can be used as a pathway by hostile actors to harm UK national security.

Types of hostile actors can include, but are not limited to:

  • Actors linked to countries who pose a national security or economic threat to the UK and its interests
  • Cyber criminals
  • Actors involved in serious and organised crime

Types of harm arising from hostile actor access to UK data could include:

  • Gaining access to sensitive information providing detailed insights pertaining to individuals, organisations or to national security or government assets. This could also be leveraged to conduct surveillance of and/or targeting against certain individuals or groups.
  • With data playing an integral part of novel technologies such as artificial intelligence (AI), hostile access to UK data could enable hostile actors or strategic competitors to develop technologies that provide them with an advantage in strategic, technological or security-related areas. For example, such technologies could potentially aid misinformation campaigns and cyber-attacks, among other threats.
  • Hostile actors seeking to conduct fraudulent activities could purchase and misuse large amounts of personal data to conduct identity theft and financial scams, particularly on vulnerable members of society.

Part 3: Security and regulatory frameworks

(Questions 13 to 28).

The government is interested in how data brokers protect and secure data beyond what is already required by UK legislation.

The government recognises that data brokers are already in scope of a range of security and privacy legislation, such as UK General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018 and the Privacy and Electronic Communications Regulations (PECR) which set restrictions on how personal data can be processed, used and shared. However, these exist in a privacy context and are designed to protect individuals’ personal data rights. They were not designed to mitigate potential national security risks. Furthermore, as UK GDPR applies to personal data, not all types of UK data fall within scope of this legislation.

Therefore, the government is considering what tools, beyond existing legislation, may be appropriate to strengthen the UK against emerging data-related national security risks. To do this, the government seeks to understand what other international legislation UK data brokers comply with, and what processes, practices or policies the UK data broker industry, or individual organisations have in place to ensure data is only accessed by trusted actors and used for the legitimate purposes for which it is sold or otherwise made available.

Part 4: Customer base, consumer awareness and transparency

(Questions 29 to 41).

Whilst the government recognises the value of data and the role that organisations play in facilitating access to data and insights which would otherwise be inaccessible, it is critical that the data market is used and operates to the benefit of the UK public, businesses and economy, and does not counter other UK interests.

The data broker industry is a complex ecosystem, and there is a lack of publicly available information profiling the industry’s customers and main beneficiaries. Therefore, the government would like to learn more about the customers buying UK data. This is to better understand who is benefiting from the UK data broking industry and how commercially available data is being used.

How to respond

You are invited to answer 41 questions, split into 4 parts.

Submit your online responses here.

This call for views has been extended until 23:59 on 16 May 2025.

It was previously planned to close on 12 May 2025.

Who we would like to hear from

We welcome all forms of insight from any kind of stakeholder.

We would appreciate it if respondents can note their level of certainty for any claims made and, wherever possible, provide evidence to support them.

We are particularly interested in hearing from:

  • data brokers or organisations conducting data broking of UK data
  • organisations which supply, license or make available data to data brokers
  • organisations which buy, license or obtain data from data brokers
  • relevant industry bodies
  • academics and think tanks working/interested in data, national security, cyber security and/or other related fields

Responding on behalf of an organisation

Within these organisations, we would prefer responses from:

  • senior executives
  • data product engineers
  • board level leaders responsible for security and resilience

If organisations operate multinationally, we would prefer the leader responsible for security and resilience of UK-based operations to respond. If responsibility for risks is shared across multiple roles, responses from the senior risk owner are preferred for each risk, where relevant.

Please consult the glossary provided which defines the terms used in this call for views.

We ask that responses are submitted online.

If you need to submit a hard copy or require another format (e.g. braille or large font) please contact us at databrokersviews@dsit.gov.uk.

When submitting your response, please state:

  • which questions you have answered (there is no need to respond to all questions in the call for views if they are not all relevant to you)
  • whether you are willing to be contacted (if so, please provide contact details)
  • whether you prefer your response to remain confidential
  • whether you prefer your response to remain non-attributable

We recommend reading the call for views in full before completing the online survey.

Responses will be analysed by the Department for Science, Innovation and Technology.

Data protection

The Department will process the information you have provided in accordance with the Data Protection Act 2018 (DPA) which will mean that your personal information will not be disclosed to third parties. The information you provide will be used to shape future policy development and may be shared between UK government departments and the Information Commissioner’s Office (ICO) for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the consultation closing date on the Department’s website with personal data and information that identifies an organisation removed.

We will publish a summary of the responses gathered through this call for views in the coming months.

Glossary

Personal information/data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Anonymous information

Information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Anonymisation

The process of turning personal data into anonymous information so that an individual is not (or is no longer) identifiable.

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Adequacy

Data ‘adequacy’ is a status granted by the UK to countries which provide high standards of protection for personal data. An ‘adequacy’ determination means that personal data can be transferred from the UK to that jurisdiction freely, in accordance with the terms of the relevant adequacy decision.

Adequate jurisdiction

A jurisdiction with a UK adequacy decision.

Non-adequate jurisdiction

A jurisdiction with no UK adequacy decision.

Mitigation

Mitigations reduce the likelihood and/or impact of a risk.

Sensitive information/data

This could include personal and non-personal data that, if accessed, provides opportunities to hostile actors to undermine the UK’s national security, economy, essential services or way of life. These risks are exacerbated when data is collected and aggregated at scale. (This definition is for the purposes of this call for views and is not otherwise intended to cover the definition of ‘sensitive processing’ or ‘special category data’ as referred to respectively in the DPA 2018 or UK GDPR.)

Threat

Any circumstance or event led by a hostile actor with the potential to adversely impact operations, assets, national security, essential services or the economy of the UK.

Artificial intelligence (AI)

Systems designed to perform tasks typically requiring human intelligence, such as decision-making, language understanding and pattern recognition. These systems can operate with varying levels of autonomy and adapt to their environment or data to improve performance.

Datasets

A collection of related sets of information that can be managed as a unit by a computer.

Disinformation campaigns

The deliberate creation and spreading of false and/or manipulated information that is intended to deceive and mislead people, either for the purposes of causing harm, or for political, personal or financial gain.

Misinformation campaigns

The inadvertent spread of false information.

Seeding data

The intentional insertion of false data within a sold or licensed dataset for the purposes of monitoring to ensure the terms of sale or license have been complied with.

Encryption

Protection of information by making it unreadable by everyone except those with the key to decrypt it.