The future of the trust industry?

In a pioneering new initiative, Digital Jersey, together with the Jersey Office of the Information Commissioner, has established the first ‘data trust’ under Jersey trust law. The pilot project, named LifeCycle, was primarily designed to test the viability of using a trust structure for data stewardship. This article explores the concept of a data trust and considers the advantages and risks associated with it.

What is a data trust?

A data trust is a legal structure that provides independent stewardship of data. Like ordinary trusts, which are set up to protect, administer and distribute valuable assets (e.g., cash, shares, investment portfolios and immovable property), a data trust is designed to hold, manage and protect its principal asset: data. A data trust is likely to:

• have been set up as a hybrid or mixed trust;
• be both a non-charitable purpose trust and a discretionary trust;
• have beneficiaries and a purpose to be fulfilled;
• be administered by professional trustees; and
• hold data that has a growing commercial value.

Data trusts are created by a trust instrument and operate within the legal framework of the Trusts (Jersey) Law 1984. Accordingly, trustees of data trusts will have the same duties as traditional trustees under the Law. These duties include:

• acting with due diligence, as a prudent person would, to the best of their ability and skill;
• observing the utmost good faith; and
• exercising their powers solely for the benefit of the beneficiaries.

Trustees of data trusts will also have to preserve and enhance the value of the trust property subject to the terms of the trust instrument. The trust property will, of course, consist entirely of data with a growing commercial value. The trustees will be responsible for analysing the data and deciding when and how to share it with third parties.

The experience so far

LifeCycle has been set up for an initial period of a year and will collect data and create information about the activities of island cyclists as they move around Jersey. The data created will be held in a data trust administered by Jersey private client companies ICECAP and JTC.

LifeCycle will recruit 200 cyclists to participate in the pilot and the data will be collected through lights fixed to the rear of the cyclists’ bikes. The lights are a highly advanced technology combining sensors and artificial intelligence (AI) to monitor the cyclists’ environment. Participants will also be invited to use an app to report any safety and infrastructure issues encountered on their cycling journeys.

The data collected during the life of the pilot will ultimately be anonymised and turned into insights by data analysts. As the body of data grows, so will the commercial value of that data. Similarly, the data acquired will promote the development of environmental, social and governance strategies; for example, by promoting cycling as a safe, healthy and sustainable way to travel around the island.

The information gathered will be shared by early 2024. Only select organisations whose aim is to promote cycling on the island will have access to the insights produced from the data. After the completion of this data trust, Digital Jersey is planning further data trusts in 2024.

Advantages of a data trust

The principal advantage of using a trust structure to hold data is that the data can be stored, managed and shared safely and lawfully in accordance with the trust parameters. The existence of trustees means that fiduciary duties are applied to the stewardship of data and, as with traditional trust structures, a data trust operates within a highly regulated environment.

There are other potential advantages that may make a data trust an attractive option for a business whose principal asset is the data it holds or will acquire. For example:

• Data trusts offer a flexible, sophisticated method of sharing data, so allowing organisations to benefit from the economic and social advantages that come with sharing data in a safe and equitable way.
• A data trust’s purpose can be tailored according to the aims of the stakeholders. For example, the purpose could be societal or environmental, for the public good or for profit, or any combination of these and other factors.
• The data is managed by professional trustees with experience of complex fiduciary responsibilities. As such, a settlor can be confident that even highly valuable and sensitive information will be adequately protected.
• The trust instrument will set out the trust parameters and provide clarity as to stakeholder rights and obligations; e.g., it will set out what data is to be shared, who owns it, who can use or view it and how it is to be used.
• As the data is stored and managed by an independent third party, this will relinquish the settlor of some of the day-to-day responsibilities and risks of operating a business, so freeing up resources to be invested elsewhere in the business.
• The overall risk of data breaches may be reduced in light of the increased safeguards afforded by the trust structure and the appointment of professional trustees.
• In the event of any data breaches or regulatory non-compliance, the organisation may be removed from direct liability, which would instead rest with the trustees of the data trust.
• Optically, it may provide comfort that the data is being held and managed by an independent third party, and help to restore public confidence in information businesses and their treatment of personal data (especially where there have been previous data breaches).

Risks of using a data trust

Notwithstanding the numerous advantages outlined above, it would be naïve to think that a data trust comes without potential risks. There are a number of factors that an organisation will need to consider when deciding whether to establish a data trust.

The most notable risk relates to the regulatory obligations that attach to holding and managing personal data and, in particular, ensuring compliance with the Data Protection (Jersey) Law 2018 and the EU General Data Protection Regulation. Personal data relating to the participants of Lifecycle, for example, will be collected during the life of the project (e.g., their journeys will be tracked to the extent that home addresses, workplaces, habits etc., could all be ascertained). Sanctions for breaches of or non-compliance with data protection legislation can be severe and, as such, professional trustees may not be willing to take that risk. It is perhaps more likely that large, conglomerate, investment-backed professional services firms would be better placed or more willing to assume such risk.

Further, information businesses will need to consider whether it would be acceptable from the regulators’ perspective and/or as a matter of public perception for the data to be held externally. This will be particularly applicable if the business has previously experienced a notable public data breach. There are likely to be calls for the business to be seen to be accountable for its future conduct and the use of a data trust may be viewed as an attempt by the organisation to distance itself from any future liability.

Finally, the data collection methods used in the context of data trusts are increasingly likely to rely on advanced technology and AI, as demonstrated by the use of the bicycle lights in the LifeCycle project. Given the likely interface that data trusts will have with the use of technology/AI, this begs the question of whether trustees are best placed to hold, manage and control the sharing of data as opposed to the information businesses themselves, who are already operating in the digital sphere and have a deeper understanding of the relevant technologies. Although professional trustees will have experience of managing trusts and exercising fiduciary duties, their ability to enhance the value of the trust property (the data) may be less effective than the information business itself would be able to achieve due to its industry experience of dealing with data in a digital era.

The establishment of Jersey’s first data trust is an exciting new development for Jersey trust law. The potential use of such trusts for international businesses that hold and process vast amounts of data is obvious and significant. It will be important to see how this method of data stewardship operates in practice and its next stage of development.