{"id":7556,"date":"2023-05-05T01:01:00","date_gmt":"2023-05-05T01:01:00","guid":{"rendered":"https:\/\/dgen.net\/0\/?p=7556"},"modified":"2025-04-06T22:15:57","modified_gmt":"2025-04-06T22:15:57","slug":"on-data-where-is-it-and-what-can-we-do-with-it","status":"publish","type":"post","link":"https:\/\/dgen.net\/0\/2023\/05\/05\/on-data-where-is-it-and-what-can-we-do-with-it\/","title":{"rendered":"On data: where is it and what can we do with it?"},"content":{"rendered":"\n<p><em>From a discussion with a non-technical board which I was helping recently<\/em><\/p>\n\n\n\n<p id=\"bbca\">There was confusion around \u2018where is the data?\u2019, \u2018who owns what?\u2019 and \u2018what can be done with it?\u2019.<\/p>\n\n\n\n<p id=\"cd3f\">My synopsis is that:<\/p>\n\n\n\n<p id=\"d4dd\"><strong>The \u2018data gap\u2019 is usually leadership<br><\/strong>Data governance needs to be taken seriously at the C-suite, management and internal processes. Not doing so both creates risks and misses opportunities. This must be addressed \u2018today\u2019.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Legal rules need to better balance risks and benefits<\/strong><br>There are likely areas of legal exposure on contracts that must be (re)thought through in a way that both protects the organisation\u00a0<em>and<\/em>\u00a0helps to unlock innovation through data sharing. Often the default is too restrictive and\/or misses entire categories of risk.<\/li>\n\n\n\n<li><strong>Company policies must be enforceable, monitored and applied<br><\/strong>Organisations should use procurement and contracting processes and ensure that they are fit for purpose, and have standard operating procedures for data governance. This should include clear definitions of\u00a0<em>who<\/em>\u00a0is responsible (e.g. \u2018Data Controller\u2019, Chief Data Officer), for\u00a0<em>what<\/em>\u00a0areas and purposes, and\u00a0<em>how<\/em>\u00a0data processing will be managed. 
Contracts for all third-party services must contain clear definitions of IP, security, support, and maintenance (even if some services are offered for \u2018free\u2019).<\/li>\n<\/ol>\n\n\n\n<p id=\"1d7e\">One issue I heard a lot of confusion about was the \u2018location\u2019 of data.<br>Its location can be interpreted in two ways:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Its\u00a0<strong>physical location<\/strong><\/li>\n<\/ol>\n\n\n\n<p id=\"6dbc\">Data can be stored on computers and in systems that are under the organisation\u2019s direct ownership, or under its control through third parties that it uses. These might include cloud computing providers such as Google or Amazon, or third-party analysis systems. It is completely fine to have data in many physical places (and \u2018the cloud\u2019 is exactly that).<\/p>\n\n\n\n<p id=\"08b1\">Having \u2018many physical systems\u2019 does create an operational burden, and the organisation\u2019s data teams should aim to minimise this burden by storing data in as few systems as possible. But they must maintain direct contractual control (e.g. direct contracts with third parties) to ensure that the data is well managed and that those managing it can be held to account.<\/p>\n\n\n\n<p id=\"445c\">2. Its&nbsp;<strong>legal location<\/strong><\/p>\n\n\n\n<p id=\"d207\">Regardless of physical location, the legal basis for data sharing must be clearly defined, contracted and enforced.<\/p>\n\n\n\n<p id=\"7961\">An organisation should aim to act as (and in many jurisdictions it&nbsp;<em>will<\/em>&nbsp;be) the primary data&nbsp;<strong>controller<\/strong>&nbsp;for all data that it collects. Making this clear is especially important when dealing with countries where rules around data are \u2018early stage\u2019. 
The concept of data \u2018ownership\u2019 is highly complex (especially with personal data), and thinking in terms of \u2018rights\u2019 (rather than just \u2018ethics\u2019) can often help people focus on what\u2019s important.<\/p>\n\n\n\n<p id=\"69c9\">The organisation can, and should, own the IP (intellectual property) on certain data it collects (e.g. raw data, such as non-personal data that its teams have collected), derivative data (aggregate statistics), reports, analyses, insights, visualisations, etc. Owning the IP allows the organisation to explicitly license it to others if it wishes to (whether under Open Data or Shared Data licences).<\/p>\n\n\n\n<p id=\"4b79\">The organisation will not \u2018own\u2019 personal data about individuals (e.g. EU citizens\u2019 rights are covered by GDPR). Instead, it has a role as a data&nbsp;<strong>controller<\/strong>&nbsp;or as a data&nbsp;<strong>processor<\/strong>. Depending on its contracts, it may have the right to do things with the data, including analysing it and sharing outputs with others.<\/p>\n\n\n\n<p id=\"4a9a\">If the organisation contracts a third party to do, for example, some data cleaning or analysis, it must (a) have the rights to do so; and (b) do so under a contractual agreement that allows data to be processed by that third party. The organisation should not assign any ownership rights to any \u2018primary\u2019 data, nor should it assign rights to any derivative outputs (e.g. analysis), without assessing the risks and benefits of doing so. If it does, such rights must be codified in a contract.<\/p>\n\n\n\n<p id=\"e726\">It may be the case that sharing data with a third party can help create additional benefits (e.g. 
they can improve their analytics systems), in the same way that using data from others can create additional benefits for the organisation.<\/p>\n\n\n\n<p id=\"41b0\">However, there are also new risks, such as an organisation&#8217;s data being used to train machine-learning \/ artificial intelligence systems in ways that cannot be predicted. These risks include commercial, competitive, legal, liability, IP, ethical and moral hazards.<\/p>\n\n\n\n<p id=\"b83b\">Having \u2018many legal contracts\u2019 creates compound risks, and the organisation must be crystal clear about its approach to data governance, including protections, licensing, processing and security. Creating common legal frameworks with multiple parties can take time, but they can also create cohesion, reducing risk and&nbsp;<em>unlocking permission<\/em>&nbsp;for innovation.<\/p>\n\n\n\n<p id=\"f433\">One way to think about this is to imagine \u2018technical systems\u2019 as consultants. It doesn\u2019t matter where they are: we don\u2019t give a consultant the right to do anything other than what we need them to do. That doesn\u2019t stop them from learning and building on their own experience. As we move forward with new \u2018AI\u2019 systems, this takes on materially different dimensions and creates new types of risk and new types of opportunity.<\/p>\n\n\n\n<p id=\"9f60\">The purpose of this piece was to help non-technical people understand some of the basics of&nbsp;<strong>where<\/strong>&nbsp;data is,&nbsp;<strong>who<\/strong>&nbsp;can use it, and for&nbsp;<strong>what<\/strong>&nbsp;purposes. 
I hope you found it useful and please leave comments if you have further questions or feedback.<\/p>\n\n\n\n<p id=\"0893\">One personal note: I find it far more useful to think about data&nbsp;<strong>rights<\/strong>&nbsp;(can&nbsp;<em>this<\/em>&nbsp;data be used for&nbsp;<em>that<\/em>&nbsp;purpose in&nbsp;<em>this<\/em>&nbsp;way) rather than data \u2018ethics\u2019 (which can mean very different things to different people).<\/p>\n\n\n\n<p>As we continue on our journey to a data-enabled world, we must ensure that&nbsp;<strong>data governance processes<\/strong>&nbsp;are in place to help everyone understand what they can and can\u2019t do, and what to do when things go wrong.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>From a discussion with a non-technical board which I was helping recently There was confusion around \u2018where is the data?\u2019, \u2018who owns what?\u2019 and \u2018what 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5,29,38,3],"tags":[],"class_list":["post-7556","post","type-post","status-publish","format-standard","hentry","category-business","category-data","category-government","category-stuff"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfJFK3-1XS","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/posts\/7556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/comments?post=7556"}],"version-history":[{"count":1,"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/posts\/7556\/revisions"}],"predecessor-version":[{"id":7557,"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/posts\/7556\/revisions\/7557"}],"wp:attachment":[{"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/media?parent=7556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/categories?post=7556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dgen.net\/0\/wp-json\/wp\/v2\/tags?post=7556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}