Smart-data powers with no scheme: personal data stores stuck at pilot scale
The Data (Use and Access) Act 2025's smart data provisions came into force in August 2025, but no scheme beyond open banking has been designated. Mydex CIC runs personal data stores under Scottish Government contracts; Solid/Inrupt has stalled internationally; the ODI researches data institutions. What is missing is the secondary legislation designating the first non-finance smart data scheme plus an interoperability standard letting certified PDS providers receive and share citizens' data with public services, without which the storage-and-memory layer cannot leave pilot purgatory.
Portability rights without operating schemes are dead letters. One working scheme routed through user-held stores would flip the default from institutional data hoarding to citizen custody, and create a market for UK PDS providers that fifteen years of pilots have failed to create.
DSIT designating a first non-finance smart data scheme (e.g. energy or social-care records) implemented via certified personal data stores, with an open interoperability standard co-developed by ODI, Mydex-type providers and the ICO.
// State-led: Instrument: DSIT smart-data scheme designation via secondary legislation under the DUAA powers.
The legal power now exists but scheme designation stays politically stuck after fifteen years of pilots, DSIT and researchers are partly active, and nothing forces movement soon.
One gap, several dossiers: entries folded into this one (1)
The research pass surfaced this gap independently in more than one domain. Those entries are merged here so the map counts it once: one legislative package: smart-data scheme designation plus certification and rights-agency authorisation for intermediaries.
№ 128 · Personal data intermediaries have no legal authorisation or certification regime (Privacy)
DUAA smart data powers exist, but beyond open banking no scheme is live, and DSIT's June 2026 consultation ('Empowering people through data intermediaries', closes 31 August 2026) concedes the blockers: legal ambiguity over whether intermediaries can exercise data subject rights on individuals' behalf, controller friction when they try, and zero public awareness. Pioneers like Mydex CIC have operated for a decade with no authorisation route; the ICO has no guidance or code. The market that would let individuals actually wield portability rights cannot form.
Its fill: Legislation or an ICO code authorising certified personal data intermediaries to exercise access/portability rights on behalf of individuals, plus launch of the first non-finance smart data scheme (energy or telecoms) with intermediary access built in.