[Originally posted on Linked In March 4, 2017]

While peer reviewing an upcoming Data Management paper, I sat back and wondered if the termData Owner” was in fact appropriate to use within the context of data management. The original rationale for the “owner” designation was really pointing out that Technology platforms didn’t “own” the data, but the “Business” was accountable for the data - and the term owner was used. I’ve personally recited that mantra for many years, but when I was thinking about GDPR and “ownership” in that mind I started to question the implied meaning of that term.

Perhaps I will talk myself back around to the “business” ends up owning the instance of the data, or maybe just accepting the definition associated with “Data Owner”.

However before going into a scenario it is worth covering the dictionary language definition of Owner.  The most appropriate web sources for own/owner I found are below:

“ to have or hold as property https://www.merriam-webster.com/dictionary/owner. ”

“ Have (something) as one's own; possess: https://en.oxforddictionaries.com/definition/own

And for completeness here are the available more precise definitions I found for “Data Owner” (and the second is strictly "Data Ownership"):

“ Entity that can authorize or deny access to certain data, and is responsible for its accuracy, integrity, and timeliness. http://www.businessdictionary.com/definition/data-owner.html ”

Data ownership is the act of having legal rights and complete control over a single piece or set of data elements. It defines and provides information about the rightful owner of data assets and the acquisition, use and distribution policy implemented by the data owner.https://www.techopedia.com/definition/29059/data-ownership 

Interestingly I was expecting a more robust definition of “owner” from the dictionary sources, especially around the rights to sell/dispose of the goods. So I must admit that surprised me a little!

So on to the scenario relating to data ownership,  Person A submits a loan form to a financial institution B. The form has their name, current address, postal code and other aspects to the loan request. In this scenario is there, and if so who is, an owner of the submitted data?

In this scenario does the Business really “own” the submitted data (or are we getting into the difference between data & information?), or just own the form that has a copy of personal information on it? As they say possession is nine tenths of the law! On reflection, and breaking years of the mantra “the business owns the data”, I would say neither IT or the business really own that particular submitted data. The data represents information was loaned to institution B with the expectation it was only used for the intended purpose, and the institution cannot use the information for purposes outside of the permitted uses as stipulated by either the form (terms and conditions) or law. This form's purpose is not to convey ownership, aka a sale contract, but is a conduit for a different purpose. Which then allows for the "right to be forgotten" to not fall fowl of a ownership implication.

Now a second area that I have seen organizations get stuck differentiating the concept of a data content owner and data meaning owner. Both come under the banner of data owner, and appears to highlight a missing set of lower more granular terms. In the above scenario I can see that the “business” would own the meaning of the various fields on a form - but would not “own” any submitted content.

So with all this in mind, do we think "data owner" is a Preferred Term or should we start to migrate to other more precise fit-for-purpose terms to better indicate these concepts? When we talk about data protection there are well defined terms in use today (albeit most focus on sensitive data):

Is it time in the data area to define and align our "data ownership" related terms to legal concepts to help align understanding within the data user community. While I'm not advocating reusing legal terms as that brings its own complications, I do think we should minimally clearly define data accountability & responsibility terms so they can be aligned with increasingly structured legal terms dealing with data.

Finally during this research and pondering I found What is Data Ownership? by Malcolm Chisholm (Originally published November 2011)  which appears to mirror much of my musing - but several years earlier!