The concepts of data ownership and custodianship seem to be a constant source of confusion, conversation, and chronic ulcers, spawning questions such as How are they different? How do we tell them apart? Where do their responsibilities lie? What is different about their interactions with the data? And so on.
In truth, they are really quite straightforward when approached simply. What follows is the illustrated version. Those in a hurry can simply click here.
I have a little girl with an impressive name: Dorothea Adelaide Theresa Aspidistrasa – DATA for short. As her mother, I think I can safely claim ownership of little Data. Yes, I definitely own Data. Unfortunately, the law said that when Data started school, I was obliged to give her into her teacher’s custody for the day.
However, I had a few rules that Data’s daily custodian needed to know and follow if I was to entrust her with my precious Data.
And let’s be clear about this: nobody – but nobody – is allowed to make any rules governing Data’s appearance and behaviour but me, unless I say so. And even then, they still have to run them past me; imagine how my child would turn out if every Tom, Rick and Sally made up random rules for her as they went along?! Not in this lifetime, they don’t!! But I digress.
These are the rules I gave Data’s teacher, Miss Custeau D. Airn:
1. No part of Data might be changed whilst she was at school, so they couldn’t cut her hair, for example, or graft on another ear. (Ha! You laugh! My neighbours are so lax that their poor child had acquired three extra eyes and lost all his names before first break. But that’s modern parenting for you…).
2. Data was not allowed to be taken or sent anywhere I didn’t know about and hadn’t given express permission for. Nor was anybody other than Miss Custeau D. Airn allowed any access to Data, unless I had given permission.
3. Data was allowed to be combined with the other children for playgroups, reading rings etc., provided this didn’t change her in any way (see rule 1).
4. Miss Custeau D. Airn was allowed to change any aspect of Data’s appearance that was not an integral part of her, so that she might seem to be a different child to the rest of the world. For example, she was free to change Data’s dress for reading ring, her shoes for maths lines, the colour of her socks for playgroup, etc. Obviously, rule 1 still applied, so Data’s hair, ears and freckles would remain untouched and intact.
5. Miss Custeau D. Airn had an obligation to ensure that Data was kept clean at all times. (Data is so difficult about being cleaned that preventing her from getting dirty in the first place is the path of least resistance. She can be such a stubborn little thing).
6. Finally, Miss Custeau D. Airn was charged with protecting Data from damage or change for as long as Data was in her custody, so that when I (her owner mother) collected her at the end of the day, she was in exactly the same condition as when I left her that morning, except perhaps a teeny bit older.
And boy oh boy, did Data love school! She met so many children, made lots of friends, joined up with others in so many interesting ways for reading ring, and maths lines, and sports houses and even as the back of the horse in the school play – even I didn’t recognise my little Data in that instance: she looked so different! Miss Custeau D. Airn was very sweet, and fond of all her little charges. And she kept every one of my rules.
Until last month.
“Mrs Aspidistrasa! Data has been voted as chief-paintbrush-disher-outer in art class, but doing this will mean getting covered in purple paint. As this breaks rule 6, what should I do?”
This posed a bit of a dilemma for me, as Data’s owner mother (I really must stop doing that!) because it meant if I allowed Data to take on this new role, I would have to change one of my rules. But why should I change my rules to suit others? They’re MY rules, just like she’s MY Data!
The answer was clear: without a coat of purple paint, Data would be useless to her classmates, and all the others that had come to depend on her for so many things. And really, other than my personal dislike of purple paint, was there any good reason why Data shouldn’t be covered in purple paint if that was what was needed?
And so it was, at the urging of Miss Custeau D. Airn, that I changed the rule about Data remaining completely unchanged whilst in Miss Custeau D. Airn’s care. Henceforth, Data was allowed to be covered in purple paint, but only when acting as chief-paintbrush-disher-outer in art class. And no pink paint. I hate pink.
- Owners – and only owners – set the rules regarding what may happen to their data. They may consider input from others, but the final decision is theirs.
- Custodians have a duty of care to uphold and enforce the application of the rules that the owner has set. They may not create new rules, modify existing ones, or ignore any.
- Owners dictate what their data will look like (its attributes and their values), where it will reside (system, database, etc), who may access it (which people, systems and processes) and the degree of access they have (create, read, update, delete), and how often it may be changed (if ever).
In addition, the owner may specify the purposes for which the data may be used (particularly important in a regulatory environment), where it may go (any systems through which it may pass, and where copies may be stored), the conditions under which it may be accessed and/or changed, and any exceptions to these stipulations.
- Custodians ensure that the data remains intact, that its source remains constant, and that all access is controlled in accordance with the owner’s stipulations.
- Ultimately, it is the owner who bears full and final responsibility for the data, and it is the owner – not the custodian – who is held liable when things go wrong.
The relationship with the custodian is based on an immense degree of trust, but it is nonetheless up to the owner to ensure that the custodian doesn’t violate that trust by failing in the dispensation of his or her duties.
- Typically, the custodian is the “face” of the data, the go-to person, and the voice of both the owner and the data’s stakeholders. In addition, the custodian is often the primary communication channel between the owner and stakeholders, ensuring that the voices of all interested parties are heard and understood by the others.