Call for evidence outcome

Data intermediaries: government response

Updated 1 August 2025

Introduction

Data intermediaries are organisations that help manage and facilitate data sharing between parties. They hold significant potential to empower individuals to take control of their data, as well as to support innovation and boost economic growth by making data sharing more efficient and trustworthy. However, there are challenges that limit the effectiveness of data intermediaries in the UK.

To address these issues and gather expert perspectives, the government launched a call for evidence, inviting stakeholders to provide input on key topics such as legal rights, barriers to progress, and potential risks associated with the growth of this sector.

The government is committed to treating data as a strategic asset—essential for driving innovation, productivity and long-term economic growth. As outlined in the Industrial Strategy, data and artificial intelligence are central to the UK’s ambition to play a leading role in the global digital economy with schemes such as Smart Data discussed as one of the potential key drivers of growth.[footnote 1] Significant quantities of data (both personal and non-personal) are being produced daily, however, only a limited portion of businesses that handle this data are using it to generate new insights or knowledge. Meanwhile, individuals do not fully understand their data subject rights or the benefits that can be gained by using intermediaries to better manage and control their data, which may include financial rewards or the ability to donate data to research into causes they care about. Insights from the responses to this call for evidence are informing ongoing policy development in this area.

This document is a UK government response to the data intermediaries call for evidence held between 17 March 2025 and 12 May 2025. It provides a summary of the themes identified through analysis of the responses.

The government received 59 full responses to the Call for Evidence, including: 

  • 46 responses received through Qualtrics (the survey platform used to collect responses); 
  • 13 responses received by email.

Responses came from data intermediary organisations, data holders, businesses, academia and research institutes, law firms and various other parties.

The call for evidence was structured in the following way:

  • Section A (questions 1 to 3) sought to examine the reasons for the limited exercise of some data subject rights, particularly the right to data portability, and considered whether rules around the delegation of data subject rights to third parties should be more explicit.

  • Section B (questions 4 and 5) focused specifically on the activity of data intermediaries, aiming to define their nature and functions, and presented a working taxonomy for feedback.

  • Section C (questions 6 to 8) invited contributions to help develop a common understanding of the barriers that prevent data intermediaries from working to their full extent, as well as the critical success factors involved.

  • Section D (questions 9 to 11) sought comments on perceived risk factors associated with the broader exercise of data subject rights by third parties and the potential for significant growth in the activities of data intermediaries.

The following sections set out summaries of the evidence received to each question in turn.

Evidence summaries

1. Can you provide examples of where data subject rights are currently exercised by third parties on the instruction of, or in the interest of, the data subject?

Respondents to our call for evidence highlighted that individuals often delegate the exercise of their data rights to third parties for a range of reasons: convenience, necessity, or because a third party is better equipped to act on their behalf. Examples of this mentioned by the respondents include parents managing their children’s data rights; legal representatives submitting data subject requests during legal proceedings; workers seeking assistance from unions or internal privacy officers with sensitive employment-related data; and executors of estates accessing or deleting a deceased individual’s data as part of managing digital legacies or probate duties .

Sector-specific frameworks illustrate how delegated data rights can work in practice. In the financial sector, Open Banking was frequently cited as a strong example of a well-regulated environment where users can give explicit consent for third-party providers to access their banking data. In healthcare, respondents pointed to intermediaries such as patient-facing platforms, health data cooperatives, and civic data trusts that assist individuals particularly those with vulnerabilities in managing their health records, often for insurance or research purposes.

A number of organisations and initiatives were highlighted as actively facilitating data rights on behalf of individuals. For example, the Roberta Data Trust (developed by the University of Southampton) was cited as an intermediary model that enables individuals and communities to donate their personal health data for research and policy change in a safe, transparent manner. Similarly, Worker Info Exchange (WIE) has, over the past few years, submitted thousands of subject access requests on behalf of gig-economy workers, enabling them to gain transparency about the data collected on them and to challenge unfair practices or automated decisions.

Respondents noted that public-interest organisations can act on behalf of individuals under Article 80 (1) of the UK GDPR, provided they have the individual’s prior authorisation. For instance, the Open Rights Group has used this provision to make coordinated data access requests as part of investigations into issues such as political profiling. In addition, lawyers and courts frequently invoke data subject rights under GDPR  during legal actions, obtaining relevant personal data during insurance claims, employment disputes, or consumer rights cases.

Technological advancements are introducing new forms of delegation. Several respondents highlighted the emergence of automated agents and tools that can act on a user’s behalf in managing data permissions. As AI becomes integrated into daily life, it is expected that individuals will increasingly delegate decisions to these agents, making automation an important factor in the future of data intermediaries.

Strong governance and trust safeguards are seen as essential for data intermediaries to succeed. Many respondents emphasised the need for independent verification mechanisms to ensure that authorisations genuinely come from the individual concerned. Additionally, respondents pointed out that the limitations of Article 20 of the GDPR have meant that data portability is in some cases only available to intermediaries through APIs that have been put in place by data controllers for use in the EU because of requirements under the European Digital Markets Act. These are then extended for use in the UK on a voluntary basis, but there is a risk that they could be deactivated without changes to UK legislation. These mechanisms were viewed as key to expanding data rights in a way that is legally sound, technically viable, and user-friendly.

Finally, respondents observed that the ecosystem of intermediaries is expanding to include businesses offering services for personal data management, monetisation opportunities, and linked data connections. These platforms enable individuals to update, manage, and control their information, while also supporting collective efforts through data cooperatives and unions. This growing prominence of intermediaries highlights their essential role in the data rights landscape as trusted facilitators between individuals and the entities that hold their data.

2. What barriers do individuals, businesses, or other organisations face in the uptake of the right to data portability or other data subject rights?

Respondents highlighted a number of barriers faced by individuals, businesses and other organisations in relation to the uptake of the right to portability and other data subject rights. These included barriers related to awareness, user benefits and incentives for data controllers.

Awareness

Most prominently discussed was the lack of public awareness about data portability rights, with many people reported to be unaware that they can or should be able to request their data to be transferred via a third party. Separately, some respondents highlighted that data controllers sometimes introduce the friction mentioned above due to a lack of understanding or awareness about the need to provide access to individual’s data, which may partly be down to the ambiguity in UK GDPR about whether data subject rights can be delegated to a third party.

User benefits

For those individuals who are aware of data subject rights and do try to make requests, further barriers are met either through a lack of understanding of the potential benefits (including a miscommunication about how those benefits can outweigh the effort), the complexity of the process, and – as was reported frequently in the responses – friction caused by the data controller that restricts the potential benefits. There was repeated mention in responses about there being a lack of a clear role for what data intermediaries should do, along with concerns from users about trust, security and what could be done with their data – including whether it could end up being sold.

Data controller incentives

Several responses discussed how data controllers often appeared to introduce the friction in the process of delegating rights to third parties mentioned above with the intention of minimising demand by making processes inaccessible, requiring disproportionate amounts of information or including overly restrictive terms of service. Conversely, data controllers indicated that these processes are necessary given their duties under GDPR, with concerns around security, transparency of information about the third party and the legitimacy of the requests being made causing reluctance at times to accept third party requests. Respondents also highlighted the legal and regulatory ambiguity in relation to data portability and intermediaries with suggestions that, along with imbalanced incentives that do not motivate controllers to facilitate portability by giving up the data they hold, this enables and potentially even encourages the friction discussed above to be introduced.

Other barriers

Responses to this question also highlighted several technical barriers, ranging from a lack of standard formats, tools and infrastructure to limited possibilities for interoperability or cross-sector functionality. Several responses indicated that often portability was made possible by allowing a user to download their data as a one-off process, but that it was rare for direct or continuous transfers from one service to another to be possible – with others stating that in order to operationalise this type of transfer there would need to be a high degree of security assurance built in.

3. Aside from personal data protection laws, how do other areas of law interact with the operation of data intermediaries?

In addition to data protection law, there are many other laws that interact with data intermediaries. Those highlighted most frequently were contract law, competition law and intellectual property law.

Contract law was discussed by a number of respondents, with an emphasis on the importance of contractual arrangements for intermediaries to function despite an acknowledgement of their complexity.    There was also focus on the need for intermediaries to be precluded from sharing data onwards to further third parties.

The role of data in market power meant there were frequent links to competition law. Many respondents noted the potential for digital markets regulations to reduce discriminatory access to data and open up data portability, allowing new entrants to the market and preventing consumers from being ‘locked-in’ to any one service provider. [footnote 2]

Intellectual Property (IP) law was referred to as something which may constrain reuse and the ability to share onwards certain data assets, with a recognition that it can be difficult to distinguish between personal data and protected corporate knowledge  such as trade secrets that may emerge from an intermediary’s datasets. Respondents flagged that allowing intermediaries to extract data  could hinder innovation in certain sectors, where the unique selling points of certain products or services can be the data or insights gained from it.

Respondents highlighted that the legal environment is often complex due to a range of different sector-specific regulations such as the Smart Energy Code for retail energy payment services and Open Banking for finance. This creates fragmented obligations across sectors, causing difficulty when operating across more than one.

4. Does the taxonomy above fully reflect the range of models of data intermediaries in the UK or elsewhere?

Table 1: Data intermediary taxonomy (full version can be found on the published data intermediaries call for evidence)

Category Type Description
Personal Data Intermediaries Data Wallets Securely store and manage personal data, allowing user-controlled access.
Personal Data Intermediaries PIMS Combine shared data to deliver insights or services aligned with user goals.
Personal Data Intermediaries Data Unions Aggregate voluntarily donated data, sell access, and share revenue with donors.
Personal Data Intermediaries Data Cooperatives Aggregate donated data to generate insights for members’ benefit (non-commercial).
Personal Data Intermediaries Trusted Research Environments Provide secure access to anonymised data for analysis without exposing raw data.
Personal Data Intermediaries Data Trusts Manage personal data and rights on users’ behalf to deliver benefits under fiduciary duty.
Non-personal Data Intermediaries Commercial Data Exchange Marketplace for data assets enabling exchanges on commercial or non-profit terms.
Non-personal Data Intermediaries Industrial Data Platform Sector-specific data aggregation and analysis platform for authorised contributors.

There were differing views on the proposed taxonomy of data intermediaries. Respondents were split between those who thought the taxonomy was largely sufficient, those who said it was a useful starting point but doesn’t fully capture all emerging models, and those who proposed alternative structures.

Respondents commonly referred to the distinction between data intermediaries and data brokers as being an important part of the taxonomy. Suggestions were made around the need to include details on governance – particularly where fiduciary models  (that legally oblige the organisation to act in the best interests of the beneficiary) are involved. There were also suggestions for clarity on whether an organisation seeking data is for profit or non-profit, and the level to which the data subject themselves is involved in decisions. Additionally, there were a range of suggestions for different models that are not included in the current taxonomy, including data stewards, data commons, personalised AI platforms, trust frameworks and hybrid models that cover identity verification, consent management and data portability in a single solution.

5. Is the current law around the operations of data intermediaries sufficiently clear? What changes and/or additional guidance would be required to provide clarity to data intermediaries? Does this differ based on operating model?

The majority of responses received took the view that the current law around the operations of data intermediaries is not sufficiently clear, although a small number did believe it was. There were a range of suggestions for how clarity could be provided, discussed further below.

Responses set out that there was not sufficient clarity in the current law, particularly around the ability to delegate a data subject’s Chapter III rights under UK GDPR to a third party, which a number of respondents said should be made explicit. There was also discussion about how the clarity is particularly challenging when operating across sectors. While GDPR applies across sectors, there are specific rules in particular sectors that vary (e.g. finance has specific rules for Open Banking, which do not apply to other sectors), making them unsuitable for the emerging role for data intermediaries in the data economy where data sharing across sectors offers potential.

Providing clarity

To achieve sufficient clarity, respondents discussed a range of changes that could be made.

  • Defining data intermediaries
    Most prominently discussed was the need for legal recognition of data intermediaries, clearly setting out their responsibilities and legal obligations. Respondents indicated that this could help to create a clear delineation between data controllers, processors and intermediaries, while also providing clarity on their responsibilities, legal obligations and about how and when they can act on behalf of individuals.

  • Guidance for data controllers
    In addition, respondents emphasised the need for guidance to set out the expectations on data controllers that they should facilitate data portability via APIs. Views received suggested that guidance should explain when data requests must be complied with (including when data needs to be sent directly to another party), and should also make clear that terms of service can’t be used to block people’s rights to move their data or control how it’s used after transfer.

  • Guidance for users
    The responses stated that guidance could also help to improve uptake of intermediary services by conveying that having data subject rights delegated to and enacted by third parties is allowed, encouraged and supported.

  • Other suggestions
    The need for standards across consent, security and governance were also widely discussed. A particular point here was the need for standards to govern the ethical handling of vulnerable individuals’ data. There was also further discussion about the need to provide clarity around interoperability as there is currently no legal or technical infrastructure to support the seamless mobility of data across platforms.  

6. What are the main barriers to performing data intermediation services in the UK, and how do they differ across sectors and models?

Respondents discussed a range of barriers to performing intermediation services in the UK. These included barriers at the individual level, legal and regulatory barriers and barriers introduced by data controllers.

Individual level

At the individual level, respondents noted that people often lack the trust for the intermediaries sector to thrive. Responses noted that users are often hesitant about data sharing due to mistrust, lack of accredited intermediaries, and limited awareness of its broader benefits beyond personalised marketing, highlighting the need for clearer communication and education to encourage engagement. One respondent said that trust itself is not a barrier, and that if intermediary services are provided with a clear consent flow  (the process through which an individual is asked to give approval for their data to be accessed), and a valuable service is being offered, users will be happy to use them.

Regulatory level

From the regulatory perspective, the responses highlighted the current ambiguity in the law regarding whether or not data subject rights can be delegated to a third party. There was discussion of how GDPR lacks a clear definition or framework for intermediaries, instead focusing on the roles of data controllers and data processors. The responses noted that, coupled with a lack of regulatory guidance, fragmented sectoral regulations that are rarely designed to work with each other and a lack of interoperability and data portability standards, this has created an environment in which intermediaries cannot operate with certainty or ability to scale.  

Data controller level

On the data controller side, respondents emphasised the lack of commercial incentives for controllers to share data. This is seen by a lack of support for direct data transfers to allow for portability, with a download service often used to meet legal obligations instead which a user must request, takes a long time and provides data in a non-standard format that cannot be easily sent to a new supplier. This introduces enough friction in the process to make it unattractive for users, who have as a result not yet shown there is the demand for more. In the absence of any oversight, public registries, or enforcement mechanisms, some data controllers remain incentivised to retain data rather than share it—undermining the potential benefits for intermediaries and entrenching the status quo.

Other barriers

Other barriers were discussed, including lack of awareness, as well as of capacity and/or data literacy to understand and take advantage of the opportunities of data sharing, and a lack of funding available – which is compounded by the lack of regulatory certainty and cost of providing data sharing infrastructure that collectively makes it difficult for new entrants to the market to scale effectively.

7. What role should the government have in addressing these barriers? Are there examples of effective or ineffective government interventions in other countries or markets?

Views on the role that government should have in addressing barriers to data intermediary services varied. We focus below on the 3 main categories that were suggested by respondents.

Providing legal clarity was discussed frequently amongst the responses. Open Banking – a Smart Data scheme - in the UK was provided as an example where clear standards and liability along with strong governance had helped launch the sector. Within this category of suggestions, there were numerous mentions of the need for guidance or a code or practice on how intermediaries should operate.

While some respondents emphasised that clarity would not necessarily have to be achieved through legislative means, others proposed the introduction of a fiduciary duty (an obligation to act in the best interests of another) on data intermediaries to ensure they work in a way that benefits the data subjects. Similarly, some responses called for the roles and responsibilities of intermediaries to be made clear, recognising their distinct method of operation compared to data controllers and data processors. Finally, any legal clarity for the sector needs to be supported with a robust enforcement approach and a firm position on anti-competitive data hoarding.

Standards

The development of standards was also discussed as part of a broader suggestion to establish open infrastructure for interoperable data sharing. The Estonian X-Road system was highlighted as an example of infrastructure that provides secure, standardised data exchange across the government and private sector, while Open Banking was again referred to as a demonstration of how innovation can flow once access is standardised. Interoperability should be mandated along with the use of API standards to enable expansion  across multiple sectors, similar to Australia’s Consumer Data Right regime. Suggestions also included mandating that large data holders enable portability through real-time APIs, and to compel other organisations to accept ported data.

Confidence and trust

The third category of suggestions were around generating confidence and trust in the intermediaries market. There was a recognition that communication and inclusive public engagement about data portability and data rights was needed to address the barrier that many individuals do not currently understand the potential benefits. There were also numerous suggestions for funded pilot programmes to demonstrate the benefits of intermediaries, while some suggested embedding data rights literacy training into digital skills programmes. Other suggestions included a certification or accreditation scheme that could help to develop trust.

8. Can you provide examples of successful data intermediaries and the technological and non-technological factors that contributed to their success?

The UK’s Open Banking framework was cited regularly as successfully allowing data intermediaries to operate effectively. Among the success factors discussed for Open Banking was a focus on trust and how a secure authentication process, regulation and monitoring all helped to enable this. Similarly, the legal clarity and regulatory support that provide clear roles and purposes for intermediaries along with compliance, legal and technical requirements, conveyed the importance of having the legislative backing.

The trust element of Open Banking was also discussed as a key factor in the success of several other initiatives, including Mozilla’s Common Voice project, the Serpentine Trusted Data Intermediary and Finland’s ‘Findata’ authority.

Another key success factor appears to be interoperability and infrastructure to ensure intermediaries can work effectively. Contained Technology was referenced as a platform enabling the sharing of data between platforms and public sector bodies, while Estonia’s X-Road and the Plaid finance tools were also discussed.

9. Can you provide any evidence on potential risks for the wider exercise of data subject rights by third parties (such as data stewards) on behalf of a data subject? Can you identify any risks associated with the activities of data intermediaries?

There were a variety of risks discussed in the responses about the wider exercise of data subject rights by intermediaries. These underline the importance of ensuring appropriate safeguards are in place if further development of the sector is sought.

Trust

Respondents emphasised that maintaining trust between individuals and data intermediaries is vital to their success. People need to feel confident that their choices are respected and that they retain control over how their personal data is used. Since intermediaries act on behalf of users, it can be difficult to maintain an accurate and up-to-date record of each person’s evolving preferences and consents. Transparent communication, strong ethical standards, and reliable consent mechanisms are especially important when supporting vulnerable groups. If users perceive an intermediary as untrustworthy or feel their expectations have been breached, that loss of trust can quickly damage the intermediary’s reputation and effectiveness.

Security breaches

As intermediaries become more prominent, they could potentially encounter a heightened risk of security breaches and unauthorised access. They may become attractive targets for cyberattacks, including phishing scams and other fraudulent activities aimed at compromising their systems.

It is essential to ensure that data is securely stored, transmitted, and only shared with verified parties. Some respondents noted that centralised repositories of user data could heighten vulnerability and suggested that models which retrieve data on demand from distributed sources without storing it centrally may offer a safer alternative.

Overall, participants stressed the importance of robust security architectures, acknowledging that while these systems can be complex and costly to implement, they are critical to preventing data breaches.

Misuse of authority

The potential misuse of authority by intermediaries was a further risk raised by respondents. Concerns were raised about fraudulent actors falsely claiming to represent individuals without proper authorisation, as well as legitimate intermediaries operating with limited transparency, leaving individuals uncertain about how their data is being used. These risks highlight the need for clear rules and oversight.

Respondents proposed that data intermediaries should be held to defined accountability standards, similar to those in other regulated sectors, to ensure they act transparently, responsibly, and in the best interests of the individuals they serve.

Without such safeguards, there is a broader systemic risk that a small number of dominant intermediaries could consolidate power, leading to de facto data monopolies and reducing user choice and control. Effective regulation and standards are therefore seen as essential to prevent abuse and to support a fair, competitive intermediary ecosystem.

Burden on data controllers

Another challenge discussed was the potential burden placed on data controllers. If large numbers of individuals begin exercising their data rights through third parties, organisations holding data could face a sharp increase in requests, potentially straining their resources and requiring new operational capabilities. Respondents also noted that there is currently no formal mechanism for verifying the legitimacy of third-party data recipients or that delegation of data subject rights was authorised with informed consent, adding further uncertainty for data controllers who are being asked to provide access.

10. Are there potential implications for digital inclusion of delegation of data subject rights and the activity of data intermediaries? Are there any disproportionate effects on those with protected characteristics under the Equality Act 2010?

Respondents highlighted both the opportunities that delegating data subject rights to intermediaries could bring to digital inclusion, as well as the risks that could exacerbate poor inclusion if data intermediaries are poorly designed.

If data intermediaries are designed with inclusivity, accessibility and transparency at their core, respondents indicated that they have the opportunity to bridge existing inequalities and promote social equity. Some respondents stated that delegation of data subject rights to data intermediaries, when designed well, should help improve the ability for individuals with protected characteristics to exercise these data subject rights, and could help groups better access services without needing to manage complex access processes. In order to achieve this, respondents flagged that both better awareness and education would be needed to ensure trust and uptake of intermediary services.

In terms of the negative implications if they are designed poorly, respondents flagged risks to older adults, people with learning disabilities, non-English speakers, those with limited digital skills and disabled users. These risks come from complexity and accessibility barriers that may exclude people from making use of them, or structural exclusion of those people with limited access to devices or connectivity. Further, the risk of coercive delegation and power imbalances – particularly for minority groups with historic experience of discrimination – could lead to lower trust in intermediary services. There are also risks around the loss of privacy, risk to anonymity through re-identification, and unintentional reinforcement of discrimination through decisions taken by AI services.

11. Can you provide any evidence of a best practice approach to managing those risks? What should the roles of government, regulators, and the market be?

Best practice approaches to managing risks in relation to data intermediaries were varied. A number of responses emphasised the need for transparency, particularly around consent flows (the process through which an individual is asked to give approval for their data to be accessed), and for audit trails to see what data has been accessed. There were also frequent mentions around the topic of data minimisation, with respondents stating that there should be limited duplication of data, minimal data retention wherever possible and collection of data ‘just in case’ should be discouraged.

Additionally, responses highlighted the need for clear definitions of the responsibilities for data intermediaries along with redress mechanisms available to individuals for if anything goes wrong and they incur losses. Specific examples given including the Solid project for showing how an independent system could allow individuals to exercise consent, along with Open Banking and Estonia’s X-Road which offer strong regulatory frameworks, independent oversight, technical oversight and clear consent protocols to manage any risk.

There were several suggestions for what the role of government should be in managing the risks of wider delegation of data subject rights and to build trust and accountability into the process. Responses suggested that government should provide legal clarity on delegated rights, support ethical infrastructure development and mandate data access APIs, as well as clarity on how portability requests from outside of the UK should be handled.

Conclusion

This section sets out the conclusions and next steps in light of the evidence considered and summarised in the questions above. The government is aware of the potential for data intermediaries to act as a vehicle to facilitate trusted and secure data sharing and data access for a range of data-driven economic activities including Artificial Intelligence.

Responses to the call for evidence have identified a number of challenges faced by data intermediaries, individuals, data controllers and processors, as well as other stakeholders, which can be summarised in 3 key groups:

  • Awareness – stemming from people not knowing their data subject rights or how they could benefit from using them;

  • Friction – where third party data access requests are often slow and burdensome, and data controllers lack the incentives to improve this; and

  • Legal Ambiguity – which underpins the other challenges by causing confusion about the legal roles of data intermediaries and the ability to delegate data subject rights to them.

These barriers are currently limiting the uptake and growth of the sector. Responses suggest these barriers appear interrelated and mutually reinforcing, leading to a sector with potential that is yet to be fully realised.

There are also risks that must be considered in any development of the data intermediaries sector. Data controllers need to feel confident that informed consent has been given by data subjects for third parties to access their data and also need clarity from the law about whether they should be accepting such requests. Misuse of authority, security breaches, and potential for damaged trust in intermediaries all indicate a requirement to consider appropriate safeguards that need to be in place for this sector to thrive.

In considering further actions that could be taken with regards to supporting the data intermediaries sector, the call for evidence responses suggests the need to:

  • address legal ambiguities

  • remove friction

  • improve awareness

We are investigating policy options that could best support these priorities across the data intermediaries’ sector as well as the wider data economy, all while ensuring the correct mitigation are in place to safeguard individuals’ right, uphold public trust, and enable responsible and secure data use. Government will provide an update in due course.

  1. Industrial Strategy 

  2. The Digital Markets, Competition and Consumers Act 2024 commenced in January 2025 and empowers the Competition and Markets Authority (CMA) to designate undertakings which are very powerful in particular digital activities with Strategic Market Status and impose additional rules to address competition issues.