In previous blogs for Advanced Metadata, I have discussed metadata and why it matters, as well as how data management relates to regulation and compliance. In both, I was able to draw parallels with historical examples, but as in my last article on the changing landscape of compliance, I here deal with a problem that, though we have always faced it in some respect, has become very much a modern-day dilemma: data ownership.
Ownership: The state or fact of being an owner; legal right of possession; proprietorship
Data Ownership is a key concept in Data Management. However, in my experience it is one that is often poorly understood, poorly applied, and fails to address the real meaning of “ownership”.
As my friend Malcolm Chisholm wrote for B-Eye-Network back in 2011:
“Trying to get a definition of data ownership is not easy, and in most cases (but not all) the term is misleading.”
(As an aside, Malcolm’s article is an excellent alternative take on this topic and is well worth a read.)
If we take it as read that “Information is an Asset”, then it follows that the ownership of information in the organization rests with the ultimate owners of the organization. This would be the shareholders in the case of a limited liability company, or the principals in the case of a partnership.
In that context, the role of the management team and the staff in the organization would be to act in accordance with their legal fiduciary duties to maintain and manage that asset in a state that will support the generation of net cash inflows or the delivery of goods or services by the organization.
The management of the organization therefore has a responsibility to ensure correct data management and data governance to deliver the required outcomes and value. In addition, they are accountable for the management or governance of that information asset.
The Need for Clarity
All too often that accountability is only expressed in terms of the delivery of the net cash inflows or delivery of goods or services. That leads to difficulties in ensuring that there is sufficient clarity in upstream and downstream accountability and responsibility. To achieve that clarity, management needs an effective and efficient data governance system in place, and this in turn requires proper metadata management that allows for accessibility within the correct and relevant departments, accuracy, and traceability.
Things become slightly more complicated when we consider data about people. This is data that, in Europe and in an increasing number of other jurisdictions, is considered to be subject to a series of rights on the part of the individual that is described by that data. These rights include the right to determine when or how the information may be used, the right to request it be deleted, the right to request a copy of it, and the right to know if an organization is holding data about them. Individuals usually have to be told up-front what will happen with their data, and who that information will be shared with or where it might be transferred to.
And if a person doesn’t want to agree to the terms of the “deal”, they usually don’t have to provide their data, unless there is a statutory basis for it or some other right or duty overrides their choice (e.g. the health and safety of others).
This can often get confusing for organizations who may have spent a lot of money funding the acquisition of data. I have seen a number of initiatives in various organizations where even the legal advice about who had rights to the data about people the initiative was processing was based on a misguided notion that there was an intellectual property right over the personal data processed in the system simply because the organization had paid for the creation of the system.
Let us ignore, for a moment, the concept that you can exert a property right over some aspect of a person by the simple reason of having paid for it (that’s effectively a form of digital serfdom or slavery), and consider what this conflict means for our definition of who “owns” data in the organization.
1) Data is an asset that is used by organizations to deliver services and generate net cash inflow.
2) Sometimes that data is directly acquired by the organization and is ‘built’ by them. That is the same as the organization buying an office block or a fleet of company cars or other tangible assets. Those ‘things’ are owned by the shareholders, and staff working in them or with them owe a duty of care to the shareholders to treat those assets with care and to return them to the organization when they are finished with them.
3) Sometimes that data is provided to the organization by 3rd parties. It may be individuals providing personal data to the organization, but it could equally be a commercial partner providing data as an input into a joint venture. In those cases, the information being processed has been borrowed or ‘leased’ from a 3rd party under certain conditions for use. It is important to understand those conditions and the lineage of the information. The analogy in terms of a tangible asset would be if the organization leased computers or cars or their building from someone else. Hiring a car and then selling it on as your own leads to trouble!
The Need for Accountability
Under 2) and 3) above, the management and staff of the organization have a set of accountabilities and responsibilities to the different types of asset that are being acquired through purchase, building, or leasing. These accountabilities and responsibilities, and the metadata that the respective individuals, groups or departments have access to, need to be defined and aligned as part of a set of decision rights and governance. There is no ‘ownership’ in the legal and dictionary definition sense of the word; there is stewardship.
Stewardship is defined in the dictionary as:
The position and duties of a steward, a person who acts as the surrogate of another or others, especially by managing property, financial affairs, an estate, etc
the responsible overseeing and protection of something considered worth caring for and preserving
In that sense it is both a function and a vocation, a role and a set of actions. The management and staff in your organization act as a surrogate for the real ‘owners’ (shareholders or individuals described by personal data you handle) and they are charged with the responsible overseeing and protection of that data asset which is considered worth caring for and protecting through an effective, accurate and secure data management system.
Organizations will inevitably persist in using the term “data ownership”, but “information stewardship” more accurately describes the function and the purpose of the concept. Hence it is extremely important in information and data governance to ensure that the attributes of ‘ownership’ are clearly and correctly defined in terms of access, decision rights and responsibilities over and for information, and accountability to the ultimate owners of that critical asset.