Closed call for evidence

Data intermediaries

Published 17 March 2025

Introduction

Data is integral to people’s lives. Significant quantities of personal (and non-personal) data are produced daily– through using connected devices, shopping, using transport, accessing healthcare and public services to name a few. As a result, data fuels most modern business, with 77% of UK firms handling digitised data.^{[footnote 1]} Data-specialised businesses are a growing part of the economy - increasing their share of GDP from 6.5% to 7.4% between 2021 and 2023 alone.^{[footnote 2]} At the frontier, businesses are using data in highly innovative ways; however, the vast majority of businesses across the economy are missing out of the opportunities data provides. Only ​21% of all businesses that handle any digitised data analyse it to generate new insights and knowledge. Only 14% of businesses share data outside of their organisation and only 2% of businesses use their data for Artificial Intelligence or Automated Decision-Making purposes.^{[footnote 3]} There is a huge opportunity for the UK to use its data more strategically, driving innovation and economic growth, with the continued imperative to do so in a trusted and secure way. It has been estimated that data has the potential to contribute to UK productivity growth by between 0.23% to 1.26% per year.^{[footnote 4]}. Individuals have rights as data subjects, and a range of innovative organisations and services allow individuals to make better use of data about them or that they have contributed to producing.

Data intermediaries can play an important role, as data driven technologies such as AI become more widely adopted. This term refers to a range of organisations that facilitate access to and exchange of data. When dealing with personal data, they do so on behalf of or for the benefit of data subjects. This is currently a nascent, developing area of activity in the UK and globally, but has the potential to form an important part of the UK’s approach to a vibrant data economy. Data intermediaries are one way of facilitating the right to data portability, as they can enable data subjects to port their data from one data controller to another, acting on a data subject’s behalf or in their interest. They differ from other data-driven companies such as data brokers, in that they rely on the agreement of the individual (the data subject) and act in their interest. Officials are considering bodies such as data brokers (also known as information brokers or data providers) separately from this work, on the basis that their purpose and goals are different to those of data intermediaries. A separate call for views on the role of data brokers has been issued.

Why we are consulting

This call for evidence concerns the exercise of data subject rights, the delegation of those rights to third parties, and the activity of ‘data intermediaries’, as well as the wider regulatory framework for these activities.

This call for evidence is structured in the following way:

Section A seeks to examine the reasons for the limited exercise of some data subject rights, particularly the right to data portability, and whether rules around the delegation of data subject rights to third parties should be more explicit.

Section B turns specifically to the activity of data intermediaries, seeking to define the nature and activities of data intermediaries, with a working taxonomy offered for reaction.

Section C invites contributions to help develop a common understanding of the barriers preventing data intermediaries from working to their full extent, as well as critical success factors.

Section D asks for comments on apparent risk factors associated with the wider exercise of data subject rights by third parties and the prospect of significant growth in the activities of data intermediaries.

Section A: Exercise of data subject rights

(Questions 1 to 3).

The UK GDPR specifies a number of rights enjoyed by data subjects, including:

• the right of subject access;
• right to be informed about how why data is used;
• right to have data rectified, erased, or restricted;
• right to object;
• rights related to automated decision making, including profiling;
• the right to portability.

The right to data portability empowers data subjects by giving them control over their personal data so they can use it for their own benefit, e.g. allowing them to easily transfer their data from one provider to another.

The government is already taking steps to increase data portability, in the Data (Use and Access) Bill by legislating for a framework for Smart Data  schemes. Smart Data utilises authorised third party providers (ATPs) to securely share customer data, upon the customer’s request. Open Banking sets the precedent for these schemes and has been the driver for a number of innovative services and enhanced competition in the banking sector.

Exercise of data subject rights by third parties

Legal uncertainty about delegating data subject rights to third parties such as data intermediaries may hinder intermediaries’ ability to function effectively. Generally, Article 80 of the UK GDPR permits data subjects to mandate the rights under Chapter VIII to certain third parties. However, while UK data protection law does not currently prevent delegation of Chapter III rights, there is no explicit permission to do so, and stakeholders have raised with the government that this creates legal ambiguities.^{[footnote 5]} As a result, third parties can be hesitant to exercise a data subject’s rights on their behalf, and data controllers are can be reluctant to accept data portability requests from third parties. In accordance with the UK GDPR, a ‘third party’ is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.^{[footnote 6]}

Engagement by DSIT officials with a range of stakeholders including data intermediaries, data holders, businesses, and innovators, identified that a significant reason for comparatively low exercise of the right to portability is a lack of incentives for data subjects to exercise their right. Providing clarity to existing ambiguities may improve the uptake of the right of data portability, and play a role in facilitating new businesses, innovative products and services, greater consumer outcomes and stronger protections for individuals.

Section B: Data intermediaries 

(Questions 4 to 5).

Data intermediaries could have the potential to empower individuals to exercise their data subject rights more easily, and enable responsible and low-friction sharing of quality data.

Data intermediary is used as a general term to describe a range of models of governance, organisation, and structure. They are entities that facilitate data sharing or access between those who wish to make their own data available (or those legally permitted to exercise the rights for this data, e.g. those appointed under a Lasting Power of Attorney) and those who are seeking to find and use data they do not have​.

Data intermediaries can be split into two subsets - personal data intermediaries and non-personal data intermediaries. Personal data intermediaries are entities that facilitate data sharing or access between data subjects who wish to make their own data available and those who are seeking to find and use data they do not have. Examples include Data Cooperatives, which support community-based data sharing for insights like health data for scientific research, and Data Wallets, which allow individuals to securely manage and selectively grant access to their personal data.

Non-personal data intermediaries are an entity that facilitates data sharing or access between data holders of non-personal data who wish to make their own data available and those who are seeking to find and use data they do not have.

There are many forms of data intermediary currently providing services in the marketplace. The table below outlines a proposed taxonomy of data intermediary types. This does not include all data-managing organisations. We are also aware that other terms to describe some of these activities are in circulation, such as ‘data community’. In data protection law, many, if not all, of the models below would see a data intermediary classed as a Data Controller under UK GDPR.

Table 1: Personal Data Intermediaries

Entity	Description
Personal Data Stores	A decentralised model, framework or entity that permits an individual to hold, manage, or aggregate their personal data, enabling them to control or monitor access to or processing of that data.
Data Wallets	Enables individuals to gather, securely store and manage their personal data in one place, controlling access to their data on a case-by-case basis.
Personal Information Management Systems (PIMS)	Allows individuals to manage access to their personal data through secure systems on a permissions-based approach. Processors of the data (such as digital service providers) must interact with the PIMS, giving an individual transparent control over access to their personal data.
Data Unions	Pools together and processes personal data donated voluntarily by users. Access to the aggregated dataset is sold to third parties and shares of the resulting revenue are distributed between the data donors.
Data Cooperatives	Pools together and processes personal data donated voluntarily by users. Third parties are granted access to the aggregated dataset to generate specified insights that benefit the members or to further a common aspiration, not for monetary gain.
Trusted Research Environments	Provides approved parties with secure, restricted access to analyse anonymised and protected personal data donated by data subjects. The approved parties are able to extract the results of their processing but not the data itself.
Data Trusts	Collects, stores and aggregates users’ personal data, determining how to process the data through the management of the individual’s data rights on their behalf in order to pursue their aspirations and create benefits for them within a fiduciary responsibility.

Table 2: Non- personal Data Intermediaries

Entity	Description
Commercial Data Exchange	Creates and advertises a central marketplace of data assets contributed by data holders to enable the data holder to exchange data with potential data users on either a commercial or not-for-profit basis.
Industrial Data Platform	Combines datasets relevant to the industry or sector that have been contributed by multiple authorised entities and provides the same entities with access to the datasets or the aggregated datasets and enables them to run analyses, gather and share insights, and use other related services.

Section C: Barriers to data intermediary sector

(Questions 6 to 8).

We are seeking evidence on barriers inhibiting their activities. Some areas for consideration include:

1. Distrust of intermediaries:

• Concern that intermediaries may misuse data or fail to aptly manage risk;

2. Regulatory/legal opacity:

• Uncertainties about how current data rights will be interpreted in the absence of a specific UK regulatory framework for intermediaries.

3. Information gaps/lack of awareness:

• Those sharing/accessing data do not know where to find intermediaries, their benefits, and how to procure their services.
• The assumed knowledge and understanding of the risks of data intermediaries is unrealistic.

4. Lack of market-based incentives to develop intermediary models:

• Many forms of intermediary, particularly resource-intensive ones such as data trusts, lack sufficient market-based incentive to develop.
• Opportunities/incentives do not justify the spending needed to build infrastructure/invest in the coordination needed to support

5. Lack of appealing use-cases for individuals:

• Existing examples of intermediaries may appeal to a narrow pool of users, with specialised needs, meaning that a wider audience is unable to assess service quality or conceptualise how intermediaries are useful to them;
• A lack of existing players to compare service offerings with may hinder effective price signalling, and high market concentrations could enable anti-competitive practices;

6. Limited data availability:

• Ample quality data is necessary for the development of the data intermediary marketplace, but many remain locked up by data holders;
• Stakeholders have noted that low uptake in the exercise of the right to data portability is a major constraint to the sector’s development;

7. Technology immaturity:

• Various technological solutions that could mitigate risk have not yet been developed/reached technical maturity.

Section D: Risks associated with exercise of data subject rights by third parties.

(Questions 9 to 11).

The exercise of data subject rights is a significant responsibility. Trust between the data subject and the third party is essential for this process. This is particularly relevant for data intermediary models that act as ‘data stewards,’ exercising an individual’s data subject rights on their behalf.

It is important that we understand the potential risks associated with the exercise of the data subject rights such as the right to data portability  through a third party, to ensure appropriate mitigation measures are implemented and necessary oversight is established

These risks may include:

1. Creating burdens and costs on industry and other data controllers arising from an increased number of data portability requests on behalf of individuals. Such an increase may   necessitate firms to create new infrastructure and technologies, e.g., APIs, to manage data flows. This could create particular burdens on SMEs;

2. Creating new data monopolies in the form of a single dominant data intermediary;

3. The creation of conflicts between a data controller’s commercial interests with a data intermediary’s responsibility to the data subject;

4. Increased data-intensive economic activity creating significant demands on regulatory oversight;

5. The potential for malicious actors to establish themselves as data intermediaries

How to respond

You are invited to answer 11 questions, split into 4 sections.

Submit your online responses here.

This call for evidence is open until 23:59 on 12 May 2025.

Who we would like to hear from

We welcome the views of individuals or of organisations. We are particularly interested in the views of:

• Data intermediaries – broadly defined
• Personal Data Stores
• Academics, research institutes, think-tanks
• Consumer groups
• Privacy groups
• Relevant regulators
• Data controllers for the personal data of a large number of data subjects

We also welcome the views of individuals and organisations who have experience of models for data sharing using intermediaries in other national or supranational jurisdictions.

We expect that most respondents will be senior executives, legal and policy professionals, or technical experts.

We ask that responses are submitted online.

If you need to submit a hard copy or require another format (e.g. braille or large font) please contact us at dataintermediaries@dsit.gov.uk.

When submitting your response, please state:

• which questions you have answered (there is no need to respond to all questions in the call for evidence, if they are not all relevant to you);
• whether you are willing to be contacted (if so, please provide contact details);
• whether you prefer your response to remain confidential;
• whether you prefer your response to remain non-attributable;
• what kind of respondent you are (e.g.: individual, corporate) and how many people are employed by you/your organisation.

We recommend reading the call for evidence in full before completing the online survey.

Responses will be analysed by the Department for Science, Innovation and Technology.

Data protection

Responses will be analysed by the Department for Science, Innovation and Technology. The Department will process the information you have provided in accordance with the Data Protection Act 2018 (DPA) and will mean that your personal information will not be disclosed to third parties. The information you provide will be used to shape future policy development and may be shared between UK government departments, and the Information Commissioner’s Office (ICO), for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the consultation closing date on the Department’s website with personal data and information that identifies an organisation removed.

In due course, we will publish a summary of the evidence gathered through this process.

1. UK Government, UK Business Data Survey 2024 (London: UK Government, 2024) ↩

2. European Commission, European Data Market Study 2021-2023 (Brussels: Publications Office of the European Union, 2023) ↩

3. UK Government, UK Business Data Survey 2024 ↩

4. Bontadini, F., Corrado, C., Iommi, M., & Jona-Lasinio, C. Data, Intangible Capital, and Productivity: Literature review, Theoretical framework and Empirical evidence on the UK (LUISS University and SPRU – University of Sussex, The Conference Board and Georgetown University McDonough School Center on Business and Public Policy, ISTAT and LLEE, LUISS Business School, 2024 ↩

5. The UK GDPR Chapter III data subject rights: right to be informed, right of access, right to rectification, right to erasure, right to restrict processing right to data portability, right to object, rights related to automated decision making. ↩

6. Legislation.gov.uk, UK GDPR Chapter 1 Article 4 (London: Legislation.gov.uk, 2021 ↩