Yesterday I spent a pleasant evening at Trinity College Oxford at the No2ID summer identity and privacy event.

This was an enjoyable and lively event made up of a panel of interested parties and members of the public.

On the panel were:

Many points were raised, including the need to not be complacent.

Something of particular interest which was raised by someone in the audience before I had a chance to do so, and that is the issue of data ownership.

I think that it is data ownership that is at the heart of the issue here. As we move into a much more data-centric society with more and more information about us is held by third parties, we need to start looking at our laws – and in particular to enshrine in law the concept that data about a person belongs to that person.

Right now we have a rather backward system where agents – be they the Government or Amazon – who collect information about your view that information as theirs. They mine it, monetise it and share it, all without your permission.

If the organisation is in the UK, there is a certain amount of protection afforded to you by the data protection act (unless it’s the government that holds your data), but this is rarely enforced and has been systematically weakened by the labour government.

What would happen if individual was the arbiter of who has access to what? Since third parties can be rarely trusted to retain important data, what would happen if we made the individual the physical gatekeeper of such information?

Could we have a device that asked you “Agency X is trying to access item Y, allow? (no, once, always)”, and allow you to revoke such permission at any time?

Such data you released could then be licensed, and perhaps we could at last put DRM to some good use?

Its technically possible, but probably impractical. Still, if we could just do the very first part – reversing the basic idea of who owns what – we would have a way forward.

Data about me is mine, the audit trail I leave as I live my life is also mine. Some time after I die, I dare say it would be useful for society to have access to that data since I no longer need it (perhaps for census data or medical research) but certainly while I am alive it is me that should govern who has access and for what purpose.

While I am alive it will be necessary for some third parties to have access to my data, either because it exists in their systems, or because they need it to provide me with a service. I can choose to grant access to them for a limited time and for set purposes.

There is already a system in place to handle this sort of arrangement, its called copyright. Thanks to all the lobbying done by big business the punishment for copyright infringement these days is punitive to say the least (in most cases it is a civil offence not criminal – so theoretically less punitive than a breach of the DPA – but civil actions seem to be pursued more often).

Wouldn’t it be a delightful irony if these restrictive and punitive laws turned out to be one of the great safeguards of individual sovereignty?

Of course, as I mentioned previously – once the data is out it is out – so it is still better not to give out unnecessary information in the first place.

But if the individual was concious that data belonged to them in the same way as their clothes, car or house they might mind a little more if this data was misused. Equally, if agencies feared the punitive action for such misuse available under copyright law, perhaps such instances of misuse would be fewer.

Just a thought, any lawyers want to comment?

2 thoughts on “Musings on data ownership

  1. Glad you enjoyed the event Marcus. What you are talking about looks an awful lot like “VRM” Vendor Relationship Management, which is the mirror image of traditional CRM. So the customer holds their data and provides it to organisations as you say. There’s more on this here:

    The Tories do seem to be making the right sort of noises on this: But of course these things are much easier in opposition than in power…

Leave a Reply