Can Data Governance Address the Conundrum of Who Owns Data?
A frequent dilemma that confronts organizations that collect and use information in the Connected Age is the question of who owns the data in the organization’s possession. Colleges and universities collect and use personally identifiable information (PII), academic content produced by students or faculty, and research data and results. Defining ownership is a complex legal issue because it often confuses intellectual property rights with privacy and security considerations. However, it is probably an instance where the old adage that “possession is nine-tenths of the law” does not sufficiently answer the question. Ultimately, the best way to approach the issue is to change the question from who owns the data to what rights and responsibilities accompany its collection and use. Data Governance may be the best vehicle to ensure that the interests of the institution and the individual are addressed in a fair, legal, and appropriate manner.
Let’s start with the PII of college and university students or employees: how can an institution of higher education, as an educational entity or as the employer, legitimately claim that it owns the personal information of its students, faculty, and staff? Unlike the for-profit sector, which might place a monetary value on PII that it uses for marketing purposes and may later transfer to a third party under certain conditions as a corporate asset, institutions collect PII for the purpose of conducting their educational mission. Of course, students will some day become alumni whose data could be leveraged for relationship management purposes such as the solicitation of donations and gifts, too. Additionally, the move towards state longitudinal data systems that seek to track academic progress from pre-school through employment will create a greater demand for interconnections among data systems and will extend the life cycle of the data beyond the immediate needs of institutions of higher education. Colleges and universities increasingly seek to manage or organize "institutional data" through data warehouses. "Institutional data" is often the term attached to PII - not as an "ownership" statement but rather as a message to colleges, departments, or units that PII is an institutional asset with the accompanying rights and responsibilities regarding collection, storage, and use. The storage of PII by third parties through hosted systems or as part of a cloud strategy will raise similar questions about the rights and responsibilities of service providers who are in possession of the data. In most cases, the contract between the institution and the third party will address the rights and responsibilities with respect to the data.
A similar intellectual property dilemma is presented by research data and the resulting research results that are often eligible for copyright, patent, or trademark protection. Although public policy is shifting towards more openness to data and research results of federally funded research, it does not diminish the need for privacy and security of the data, especially when human subjects are involved. “Data management plans” are increasingly required by federal funding agencies that expect institutions of higher education to address privacy, security, access, and preservation.
Possession of data is a difficult barometer in the Connected Age because the same data can reside in multiple locations that are under the control of a variety of individuals and organizations. In copyright terms, it is more similar to the possession of a copy of the original work (as in a book) as opposed to possession of the original work itself. As multiple copies of data exist – perhaps across campus information systems or third-party applications – it does not diminish the importance of user control over their data and in some cases the legal responsibilities of the institution (e.g., with respect to student education records regulated by the Family Educational Rights and Privacy Act or FERPA). Of course, fewer campus instances of collection, storage, and use of PII minimize the potential for security breaches or privacy violations. Enterprise approaches that consolidate data sources into as few systems as possible with the appropriate integration and interoperability are an important step towards a secure technical architecture.
The concerns about ownership are primarily related to the issue of control. With respect to the ownership of intellectual property, the law is pretty clear about the exclusive rights of authors, and the “work made for hire” doctrine governs employees, although the application of copyright ownership in the Connected Age remains complex. With respect to control, there is increasing recognition that the interests of the author, employer, or others can be effectively handled by unbundling the rights through license agreements that address both use and control. Similarly, the considerations for the control of PII are already addressed in the Fair Information Practice Principles. For example, the principle of Access is primarily intended to give individuals access to the data collected about them so they can inspect it for accuracy and correct any errors. Similarly, the principle of Notification lets individuals know how their data will be used and describes the extent of choice or consequences for not providing the data.
As Data Governance bodies grapple with the question of who owns the data in their possession, perhaps time is best spent reconciling practices with intellectual property law and policy as well as the Fair Information Practice Principles. Then, institutions can move quickly to establish that the data is under institutional control and identify the roles and responsibilities of data stewards (who are the gatekeepers with respect to access) and data custodians (with the ability to provide access once authorized). The role of the data governance body is to establish a policy framework that is both consistent with the law and that upholds institutional policies and values.