Restrictive Licensing

A licence tells a data user what they are able to do with a given data set once they have access to it. If relevant permissions are not granted through a licence, a data user is often legally not allowed to download or otherwise copy data, combine that data with other datasets, use the data to generate maps, or use the data to help inform internal business conversations.

Ofgem’s principle of ‘Presumed Open’ requires DNOs to start from a position of assuming that data they publish is made available under an ‘open licence’, and to only consider adding restrictions when there are reasons to do so.

To be an open licence, only two restrictions can be placed on data that is being licensed. At most, a data owner can require a user:

• give attribution to the source of the content or data
• publish any derived content or data under the same licence (this is called share-alike)

This means that when data is published openly, anyone is allowed to reuse data for any purpose, including the development of other commercial services.

However, there may be situations in which it is not appropriate to allow others full re-use of data. For instance, there may be personal or otherwise sensitive data contained, or data that UKPN is planning to use for its own commercial purposes in the future.

It is possible to write a licence that allows a data set to be published publicly, or in a shared environment, which grants reusers certain permissions while also restricting others which could increase the risk of harm.

Examples of permissions that may be granted include allowing:

• Data to be used for training and educational purposes
• Full or partial copies of a dataset to be made, perhaps for certain circumstances such as visualisation or to be copied into a report
• Non-commercial research to be carried out (although do note that it is very hard to determine what is ‘non-commercial’ v ‘commercial).
• Organisations to use data for their own internal purposes or decision making
• Organisations to use data for very specific purposes e.g. making planning decisions, or supporting their own internal decision-making,
• Data to be shared with directly controlled subsidiaries or delivery partners (particularly relevant if the data also has access controls placed on it)

Likewise, you might also wish to introduce explicit restrictions such as not allowing:

• Organisations to developing commercial services to sell back either to UKPN or other companies
• Attempts to obtain or derive information relating specifically to an identifiable individual or household
• Sell the information contained within the dataset, or make it available elsewhere outside of any permissions granted (including making images of the data available).

Assumptions

The key assumption underlying this mitigation technique is that by publishing data under a restrictive licence, rather than an open licence, you are able to control the ways in which others will use this data.

Introducing a restrictive licence will certainly deter some users from using published data in ways which you do not wish, others may use this data however they wish, regardless of restrictions within the licence. The licence, however, does allow you legal recourse if you learn about this misuse.

Key considerations

Time taken

Over time you are likely to develop some standard licences which can be used as a starting template. However it can be time consuming to develop these initially, and you will need support from the legal team.

Ensuring appropriate restrictions and permissions are in place

It can be easy to accidentally exclude useful and valuable activities when developing new licences. A classic example of this is excluding ‘commercial activity’, but it is very hard for re-users to define the full range of commercial activity, even if some commercial activities are very obvious.

You will need to work with stakeholders to understand the value within the data, and how they would wish to use it. It is likely stakeholders will have uses that you’ve never considered!

Ensuring privacy and highly sensitive data is protected

As using restrictive licences in isolation is unlikely to deter all possible data users from using data inappropriately, it is highly likely that additional mitigation techniques will be needed. If the value for users is in the detailed data, access controls will likely also be needed.