Cities & Data Sharing – Part 1: London

By Suha Mohamed

September 10th, 2020

With the right structure and mechanisms, data sharing between the public, private sector, and civil society can build trust, enable collaboration, and lead to mutually beneficial outcomes. This has been relatively well established in the field of mobility. Mobility data has been leveraged to shape dynamic and responsive transport management, assess whether services are delivered equitably, and improve the discoverability of transport choices for commuters.

This article is the first in a series and forms a core area of research carried out by Aapti Institute’s Data Economy Lab. As part of this study, models from four cities (London, Los Angeles, Barcelona, and Seattle) were selected and analyzed to understand how data sharing in mobility is currently carried out. These models represent innovative mechanisms for how data may be effectively shared and are critical to consider for their respective strengths.
Nevertheless, challenges still exist in sharing this data, which arguably reinforces the need for Stewardship in Mobility. Each model has different mechanisms for governance, legal concerns, and third party sharing. Through this series, we also explore opportunities for data stewardship and how this framework may be useful in solving issues of lack of accountability and transparency. Stewardship may also enable better control over data and safeguard privacy rights.

Part 1: Transport for London

Transport for London (TfL) was created as a statutory body by the Greater London Authority (GLA) Act. TfL manages London’s transportation system and implements the Mayor’s Transport Strategy (2019)
London’s Transport for London (TfL) model is useful to consider for a few reasons:

Open Data Sharing: TfL has successfully integrated and made publicly available data from multi-modal transit services. This open data model enables the city to shape data-driven transport management and as a result, provide passengers with better services. Similarly, developers and technologists have taken advantage of this and created user-centric applications to improve the discoverability of transport options.

Strong Accountability and Governance Mechanisms: TfL places a paramount on privacy, and institutes a set of internal accountability mechanisms to ensure individuals’ rights are maintained and upheld in alignment with GDPR.

High transparency: Data usage, retention, and storage policies are clearly outlined and citizens are entitled to submit requests to access data.
TfL’s primary focus is on the collection of data from public transit under its jurisdiction and as such does not engage with private mobility companies or services. Limited information exists on how Personally Identifiable Information (PII) data may be collected/shared through public-private partnerships that TfL is engaged with.

What does this mean in the context of Data Stewardship?

Across the world, TfL has become a model to follow, as cities continue to embrace technology and aggregate mobility data. TfL primarily aggregates and makes data under its own jurisdiction available through an open-data license. This has led to significant improvements for transit providers to deliver services in a way that is cost-effective and efficient. For individuals, open access to data has also led to greater accessibility and ease of using transit services.

TfL acts as a kind of data steward as it enforces strict governing policies that determine how and what data can be collected, and is both concerned and responsible to ensure that the digital rights of citizens can be actualized. Given this structure, citizens are able to hold TfL accountable and gain greater control over their own data.
While there are important lessons that can be drawn from this model, a few questions remain:

  • TfL does not actively incentivize reciprocal data sharing by private mobility companies: A Deloitte report outlined that TfL’s data has been extensively leveraged by tech companies and startups to provide customers with innovative products and services. In return, however, companies do not actively share data with TfL.

This has also been referred to in a recommendation by the London Assembly’s Transport Committee in a 2018 Report:

“TfL should continue to make its data open for use by app developers, but seek to enter reciprocal agreements whereby data produced by apps powered by underlying TfL data is shared with TfL. This should be a requirement for existing apps using TfL data and new apps seeking to do so.”

  • Lack of transparency in third-party data sharing processes: While TfL maintains an online register of all existing and new commercial partners, agreements are not detailed and do not provide oversight into what data is being shared and how it is being similarly secured.

Data Sharing

TfL collects data from individuals, anonymizes, and aggregates it to implement the Mayor’s Transport Strategy vision.

TfL’s data is hosted through a hybrid-cloud platform model. Through the open-data ecosystem they’ve created, Tfl both manages and consumes data. They also facilitate its use by third-parties when required through APIs. As data is made available through an open-license, third parties have access to high quality, granular transport data. This has helped TfL in fostering strong relationships with the developer community. They continue to explore partnerships with the private sector as a way to supplement grant funding.

TfL enables open access to aggregated data, which presents a range of benefits for TfL and individuals — Aggregated data and 62 operational open data feeds are made available to researchers, developers, and individuals through APIs, static files and feeds. Open data feeds are used by over 17,000 registered developers to create apps.

Where relevant, TfL may share personal information with government agencies or third-party suppliers/partners — For the prevention or detection of crime, public health or in emergency situations TfL shares personal information with a range of agencies.

Data Sharing is prohibited with third-parties unless, under a contract for agreed-upon services — For instance, TfL has partnered with: MasterCard to implement contactless payments; CleanedUp to install sanitation kiosks and Cubic Transport Services Ltd for payment and app-based services. Details and copies of contracts for previous and new commercial partnerships are made available on TfL’s website.


Governance of PII*/De-personalized data collected by TfL is carried out through legislation, principles, technical measures, and digital techniques.
For instance, TfL must abide by the Data Protection Act, GDPR, and Data Protection principles outlined below. Data is further secured by technical measures and digital standards that ensure privacy isn’t compromised.

More importantly, TfL’s main objective is to collect and manage data in a way that does not infringe upon individual privacy and outlines rights to enable this, many of which are derived from GDPR requirements. This includes:

Depending on the source of data, TfL has outlined retention and handling policies:

PII data can only be collected where there is a legal basis, and if a Data Protection Impact Assessment is completed — This assesses the associated risks of collecting personal data by carrying out a cost-benefit analysis.
The Data Protection Impact Assessment is carried out by a Data Governance Manager, one of the entities TfL has put in place along with a Data Protection Officer and Privacy Advisor. These individuals hold TfL accountable for governing policies and ensure processes adhere to GDPR requirements. Entities include:

The model has a robust governance structure that prioritizes privacy and facilitates grievance redressal effectively. It also represents a good model to share and make open data accessible. While the model is most relevant when sharing open or PII mobility data, there are a few broader leanings that are useful to consider:

Takeaways: Transport for London & Data Stewardship
While this model primarily deals with open, non-personal forms of data, it raises principles that are in-line with qualities of a good steward:

Duty to protect: Similar in nature to the fiduciary responsibility Data Trusts have toward protecting data users, by virtue of GDPR requirements, TfL is bound by a legal responsibility to ensure user’s rights and privacy are upheld. It directs a range of entities including data controllers, processors, and protection officers to maintain these obligations.

Facilitating greater control over data: The Data Protection Officer offers citizens an accessible platform to contact and request access or control over their data.

Open Questions:

  1. How can TfL incentivize and negotiate data sharing on behalf of private transport companies?
  2. How can communities be better represented and more actively participate in shaping data governance processes?