THE COUNCIL,

HAVING REGARD to Article 5 b) of the Convention on the Organisation for Economic Co-operation and Development of 14 December 1960;

HAVING REGARD to the Declaration on International Investment and Multinational Enterprises [OECD/LEGAL/0144]; the Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data [OECD/LEGAL/0188]; the Recommendation of the Council concerning a General Framework of Principles for International Co-operation in Science and Technology [OECD/LEGAL/0237]; the Recommendation of the Council concerning Principles for Facilitating International Technology Co-operation Involving Enterprises [OECD/LEGAL/0282]; the Recommendation of the Council concerning Guidelines for Cryptography Policy [OECD/LEGAL/0289]; the Recommendation of the Council concerning Access to Research Data from Public Funding [OECD/LEGAL/0347]; the Recommendation of the Council for Enhanced Access and More Effective Use of Public Sector Information [OECD/LEGAL/0362]; the Recommendation of the Council on Human Biobanks and Genetic Research Databases [OECD/LEGAL/0375]; the Recommendation of the Council on Principles for Internet Policy Making [OECD/LEGAL/0387]; the Recommendation of the Council on Regulatory Policy and Governance [OECD/LEGAL/0390]; the Recommendation of the Council on Digital Government Strategies [OECD/LEGAL/0406]; the Recommendation of the Council on Budgetary Governance [OECD/LEGAL/0410]; the Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity [OECD/LEGAL/0415]; the Recommendation of the Council on Health Data Governance [OECD/LEGAL/0433]; the Recommendation of the Council on Public Integrity [OECD/LEGAL/0435]; the Recommendation of the Council on Open Government [OECD/LEGAL/0438]; the Recommendation of the Council on Artificial Intelligence [OECD/LEGAL/0449]; and the Declaration on Public Sector Innovation [OECD/LEGAL/0450];

RECOGNISING the importance of data-driven innovation, including artificial intelligence (AI) and the Internet of Things (IoT), the growing demand for data across society, including on the part of both public and private sector organisations and individuals, and the enhanced ability to collect, access, share and use data as it is increasingly stored in digital formats;

RECOGNISING that data access and sharing can generate a wide range of benefits, including by facilitating collaboration and the harnessing of new and existing data sources to foster data-driven scientific discovery and innovations across the private and public sectors globally that help to: resolve economic, societal and environmental challenges including global emergencies such as the COVID-19 crisis; boost sustainable growth; enhance social welfare and well-being; improve evidence-based policy making and public service design and delivery; increase transparency, accountability, and trust across society; and empower users of digital goods and services, including enterprises, workers, citizens and consumers;

RECOGNISING the need to foster trustworthiness and safeguard against risks such as potential breaches of confidentiality or privacy, unethical uses of data including harmful biases and discrimination against individuals or social groups, or the violation of other legitimate private or public interests from the integrity of individuals to commercial interests, including trade secrets and other intellectual property rights, or national security interests;

RECOGNISING that policy measures should aim to promote an environment where data access and sharing is trustworthy, responds to specific public policy and societal objectives, is appropriate and grounded in ethics, the rule of law, the protection of human rights, privacy, and freedoms, including the right to access public sector information, and where individuals and communities are at the centre of decisions about data concerning them that is accessed, shared, or used by the private or public sector;

RECOGNISING that data management, including creating, collecting, storing, curating, enriching, deleting, providing access to, and sharing data, as well as using data and managing the associated risks, can require substantial investments over time and may involve a wide range of complementary digital resources, including algorithms, software, hardware, and other foundational infrastructures from multiple parties;

RECOGNISING that co-operation and trust between all stakeholders is crucial to shared value creation in the data ecosystem;

RECOGNISING that effective and efficient data access and sharing often depends on machine-readability and interoperable specifications including common licensing arrangements, standards, and metadata that enable findability, accessibility, interoperability, reusability, and the correct interpretation and analysis of data, and that standard-setting organisations and industry consortia as well as open source play a critical role in the development and adoption of these interoperable specifications;

RECOGNISING that data access and sharing arrangements can fall across a continuum of different degrees of data openness, covering various forms of conditioned access to data and open data arrangements, and that this continuum enables value to be created while also taking into account the rights, interests, and obligations of all stakeholders, including the rights of citizens and others to information of public interest;

RECOGNISING that investments in data access and sharing, as well as other data-related activities, whether within or between the private and public sector, may be sustained by a range of different business and financial models over the long term;

RECOGNISING that market-based approaches, including commercialisation of data and freedom of contract, are essential for incentivising data access and sharing and related investments, but that there may be costs, risks, and limitations to these approaches’ ability to fully meet demand for data;

RECOGNISING that data access and sharing provided at the lowest possible cost, including free of charge or at marginal cost of dissemination, can create value for society beyond the value that data holders may be able to independently capture;

RECOGNISING that in the context of evolving opportunities and challenges there is a need to further the promotion of a consistent culture of responsible data access and sharing and the legal and technical skills and capabilities necessary for responsible data access and sharing across society, including in the private and public sectors;

RECOGNISING that data access and sharing arrangements, including government access to proprietary and personal data held by the private sector, may involve activities governed by specific national and international legal frameworks that need to be taken into account in such arrangements;

RECOGNISING the need for greater coherence across policy approaches to enhancing access to and sharing of all forms of data, including personal data, research data, public sector data, and that the development of general principles and policy guidance will support such coherence;

On the proposal of the Committee on Digital Economy Policy, the Committee for Scientific and Technological Policy, and the Public Governance Committee:

I.            AGREES that the purpose of this Recommendation is to set out general principles and policy guidance on how governments can maximise the benefits of enhancing data access and sharing arrangements while protecting individuals’ and organisations’ rights and taking into account other legitimate interests and objectives. These general principles and policy guidance are principally aimed at data in digital formats.

II.           AGREES that, for the purposes of this Recommendation, the following definitions are used:

               ‘Data’ refers to recorded information in structured or unstructured formats, including text, images, sound, and video.

               ‘Data access’ or ‘access to data’ refers to the act of querying or retrieving data for its potential use, subject to applicable technical, financial, legal, or organisational access requirements.

               ‘Data sharing’ or ‘sharing of data’ refers to the act of providing data access for use by others, subject to applicable technical, financial, legal, or organisational use requirements.

               ‘Data access and sharing arrangements’ refers to the institutional, regulatory, policy, legal, and contractual frameworks established to determine the conditions of data access and sharing.

               ‘Data value cycle’ refers to data-related processes through which value is created with data, including data creation, collection, validation, verification, storage, curation, enrichment, processing and analysis, access and sharing, and deletion.

               ‘Open data arrangements’ refers to non-discriminatory data access and sharing arrangements, where data is machine readable and can be accessed and shared, free of charge, and used by anyone for any purpose subject, at most, to requirements that preserve integrity, provenance, attribution, and openness.

               ‘Non-discriminatory data access and sharing arrangements’ refers to a specific type of data access and sharing arrangement, where data can be accessed and shared, free of charge or for fees, based on terms that are independent of the data users’ identities.

               ‘Conditioned data access and sharing arrangements’ refers to data access and sharing arrangements that permit data access and sharing subject to terms that may include limitations on the users authorised to access the data (discriminatory arrangements), conditions for data use including the purposes for which the data can be used, and requirements on data access control mechanisms through which data access is granted.

               ‘Data access control mechanisms’ refers to technical and organisational measures that enable safe and secure access to data by approved users including data subjects, within and across organisational borders, protect the rights and interests of stakeholders, and comply with applicable legal and regulatory frameworks.

               ‘Data holders’ refers to organisations or individuals who, according to applicable laws or regulations, are competent to decide on granting access to or sharing data under their control, regardless of whether or not such data are managed by that organisation or individual or by an agent on their behalf.

               ‘Data producers’ refers to organisations or individuals that create, co-create, generate, or co-generate data, including as a by-product of their social and economic activities, and can therefore be considered a primary data source.

               ‘Data intermediaries’ refers to service providers that facilitate data access and sharing under commercial or non-commercial agreements between data holders, data producers, and/or users. Data holders and trusted third parties can act as data intermediaries.

               ‘Personal data’ refers to information relating to an identified or identifiable individual (data subject).

               ‘Metadata’ refers to recorded structural or descriptive information about the primary data. Metadata can include personal data.

               ‘Data ecosystem’ refers to the integration of and interaction between different relevant stakeholders including data holders, data producers, data intermediaries and data subjects, that are involved in, or affected by, related data access and sharing arrangements, according to their different roles, responsibilities and rights, technologies, and business models.

SECTION 1. REINFORCING TRUST ACROSS THE DATA ECOSYSTEM

III.          RECOMMENDS that Members and non-Members having adhered to this Recommendation (hereafter the “Adherents”) empower and pro-actively engage all relevant stakeholders alongside broader efforts to increase the trustworthiness of the data ecosystem in advance of, and throughout, the establishment and implementation of policy measures for enhancing data access and sharing. In particular, Adherents should:

a)         Promote inclusive representation of and engage relevant stakeholders in the data ecosystem – including vulnerable, underrepresented, or marginalised groups – in open and inclusive consultation processes during the design, implementation, and monitoring of data governance frameworks related to data access and sharing to reinforce trust;

b)         Encourage competition-neutral data-sharing partnerships, including Public-Private Partnerships (PPPs), where data sharing across and between public and private sectors can create additional value for society. In so doing, Adherents should take all necessary steps to avoid conflicts of interest or undermining government open data arrangements or public interests;

c)         Enhance transparency of data access and sharing arrangements to encourage the adoption of responsible data governance practices throughout the data value cycle that meet applicable, recognised, and widely accepted technical, organisational, and legal standards and obligations, including codes of conduct, ethical principles and privacy and data protection regulation. Where personal data is involved, Adherents should ensure transparency in line with privacy and data protection frameworks with respect to what personal data is accessed and shared, including with whom it is shared, for what purpose, and under what conditions access may be granted to third parties;

d)         Empower individuals, social groups, and organisations through appropriate mechanisms and institutions such as trusted third parties that increase their agency and control over data they have contributed or that relate to them, and enable them to recognise and generate value from data responsibly and effectively.

IV.          RECOMMENDS that Adherents adopt a strategic whole-of-government approach to data access and sharing to ensure that data access and sharing arrangements help effectively and efficiently meet specific societal, policy, and legal objectives that are in the public interest. In particular, Adherents should:

a)         Prioritise data access and sharing arrangements that help achieve such objectives, taking into account applicable laws and regulations. In so doing, Adherents should work together with key stakeholders to clearly define the purpose of these arrangements and identify data relevant to these purposes, taking into account their benefits, costs, and possible risks;

b)         Adopt and regularly review coherent, flexible, and scalable data governance frameworks – including national data strategies, which integrate cross-cutting economic, social, cultural, technical, and legal governance issues – in order to foster data access and sharing within and across society, public and private sectors, and jurisdictions;

c)         Demonstrate strong leadership, ideally at the highest level of government, combined with a whole-of-government approach that enables effective policy coordination and implementation of these frameworks with multi-stakeholder participation; and

d)         Adopt technology-neutral and agile legal and regulatory environments that promote responsible data access and sharing and enable regulatory innovation, while providing the necessary legal certainty and protection with the engagement of all relevant independent enforcement authorities, oversight bodies, and stakeholder groups.

V.           RECOMMENDS that Adherents seek to maximise the benefits of measures for enhancing data access and sharing, while protecting individuals’ and organisations’ rights and taking into account other legitimate interests and objectives, alongside broader efforts to promote and enable a culture of responsibility for data governance throughout the data value cycle. In this regard, Adherents should:

a)         Encourage data access and sharing arrangements that ensure that data are as open as possible to maximise their benefits and as closed as necessary to protect legitimate public and private interests, including interests related to national security, law enforcement, privacy and personal data protection, and intellectual property rights as well as ethical values and norms such as fairness, human dignity, autonomy, self-determination, and the protection against undue bias and discrimination between individuals or social groups;

b)         Take necessary and proportionate steps to protect these legitimate public and private interests as a condition for data access and sharing. In so doing, Adherents should strive to ensure that stakeholders are fully informed as to their rights (including their right to information and to obtain redress), responsibilities and respective liabilities in case of violations of privacy, intellectual property rights, competition laws, or other rights and obligations;

c)         Ensure that stakeholders are held accountable in taking responsibility, according to their roles, for the quality of the data they share and for the systematic implementation of risk management measures throughout the data value cycle, including measures necessary to protect the confidentiality, integrity, and availability of data (data security). To this effect, Adherents should promote the adoption of impact assessments and audits as well as responsible stewardship for data sharing within organisations, and appropriate human resource policies that clearly assign roles and data governance responsibilities, install consultation mechanisms, promote awareness and a culture of confidence, and avoid undue risk averseness;

d)         Foster the adoption of conditioned data access and sharing arrangements with the use of technological and organisational environments and methods, including data access control mechanisms and privacy enhancing technologies, through which data can be accessed and shared in a safe and secure way between approved users, combined with legally binding and enforceable obligations to protect the rights and interests of data subjects and other stakeholders.

SECTION 2. STIMULATING INVESTMENT IN DATA
AND INCENTIVISING DATA ACCESS AND SHARING

VI.          RECOMMENDS that Adherents provide coherent incentive mechanisms and promote conditions for the development and adoption of sustainable business models and markets for data access and sharing. In particular, Adherents should:

a)         Foster competitive markets for data through sound competition policy and regulation that addresses possible exploitation of market dominance and other appropriate measures, including enforcement and redress mechanisms that increase stakeholders’ agency and control over data and ensure an adequate level of consumer, intellectual property, and privacy and personal data protection;

b)         Promote, where appropriate, self- or co-regulation mechanisms – including voluntary guidance, codes of conduct and templates for data access and sharing agreements – that provide legal flexibility while ensuring that all relevant stakeholders have certainty as to applicable laws and regulations;

c)         Support long-term investments in data access and sharing arrangements to ensure their sustainability, including in open data arrangements. Adherents should consider a combination of various structured financing and revenue models to support these arrangements where appropriate;

d)         Promote appropriate incentive mechanisms that enable the fair distribution of the benefits of data access and sharing arrangements and ensure that stakeholders are enabled, encouraged, recognised, and rewarded for engaging in data access and sharing arrangements;

e)         Support the development and upscaling of new business models and application areas for data access and sharing through a mix of policies for innovation that take into account the context of data access, sharing and use, and the various roles, responsibilities and rights, technologies, and business models of all relevant stakeholders in the data ecosystem.

SECTION 3. FOSTERING EFFECTIVE AND RESPONSIBLE DATA ACCESS,
SHARING, AND USE ACROSS SOCIETY

VII.         RECOMMENDS that Adherents further improve conditions for cross-border data access and sharing with trust. To this effect, Adherents should:

a)         Assess, and to the extent possible minimise, restrictions to cross-border data access and sharing, in particular for purposes of global public interest, taking into account the need to ensure respect for fundamental rights and vital interests, including the protection of privacy and intellectual property rights and the right to access public information;

b)         Ensure that measures that condition cross-border data access and sharing are non-discriminatory, transparent, necessary, and proportionate to the level of risk, taking into account, among others, the sensitivity of the data, the purpose and context of data access, sharing, and use, and the extent to which measures are in place to enforce accountability irrespective of the jurisdiction in which the data is stored;

c)         Promote continued dialogue and international co-operation on ways to foster data access and sharing across jurisdictions – including through the implementation of trust-enhancing measures as set out above – as well as the interoperability and mutual recognition of data access and sharing arrangements, taking into account applicable legal requirements and global standards.

VIII.        RECOMMENDS that Adherents foster where appropriate the findability, accessibility, interoperability and reusability of data across organisations, including within and across the public and private sectors. In particular, Adherents should:

a)         Strive to ensure that data are provided together with any required meta-data, documentation, data models and algorithms in a transparent and timely manner, supported by appropriate data access control mechanisms, including application programming interfaces (APIs);

b)         Assess and, whenever possible, promote the development and adoption of interoperable specifications for effective data access, sharing, and use, including common standards for data formats and models as well as open source implementations. To this effect, Adherents should promote open, accessible, voluntary, and consensus-based efforts by relevant organisations, and work together with relevant stakeholders, including standard-setting organisations, to increase awareness about the benefits of these specifications.

IX.          RECOMMENDS that Adherents adopt measures to enhance the capacity of all stakeholders to effectively use data responsibly along the data value cycle. In particular, Adherents should:

a)         Foster awareness about the benefits and risks of data access, sharing, and use to encourage responsible data governance throughout the data value cycle by engaging in dialogues with all relevant stakeholder groups and partnerships. To this effect, Adherents should disseminate good practices on data access, sharing, and use that help address barriers to accessing and sharing data responsibly and increase the capacity of individuals and organisations to manage, access, share, and use data responsibly;

b)         Promote the development of the data-related skills and competencies needed, including by workers and public servants, to harness the benefits of data access, sharing, and use throughout the data value cycle in a manner consistent with the strategic approach to data access and sharing as set out above. This should include promoting data literacy among the public and increasing citizens’ capacity to understand relevant data governance issues and exert their rights;

c)         Facilitate access to and the adoption of the sustainable, open, scalable, safe, and secure foundational infrastructures needed along the data value cycle, including for connectivity, storage, and computing, by promoting digital security risk management practices throughout the data value cycle, incentivising investments in and the adoption of such infrastructures across the data ecosystem, and leveraging PPPs where practicable and appropriate.

***

X.           ENCOURAGES data holders, data producers, data intermediaries, and other relevant stakeholders in the data ecosystem to implement or, as appropriate according to their role, support and promote the implementation of this Recommendation.

XI.          INVITES the Secretary-General and Adherents to disseminate this Recommendation, including to all stakeholders and other international organisations.

XII.         INVITES non-Adherents to take due account of and adhere to this Recommendation.

XIII.        INSTRUCTS the Committee on Digital Economy Policy, the Committee for Scientific and Technological Policy, and the Public Governance Committee to:

a)         develop and iterate further practical guidance on the implementation of this Recommendation including guidance on responsible data governance for data access and sharing in the public and private sectors;

b)         serve as fora for exchanging information on policies and experience with respect to the implementation of this Recommendation, fostering dialogue with and among stakeholders, improving the evidence base on the adoption of data access and sharing arrangements, and further exploring issues relating to data governance, including data management and control, and the interoperability of data access and sharing arrangements; and

c)         report to the Council on the implementation, dissemination, and continued relevance of this Recommendation no later than five years following its adoption and at least every ten years thereafter.