How the Law Weighs In on Ownership

Information ownership is a topic lawmakers have skirted since the invention of the database. Perhaps it could be a simple issue. But when we remember that information can be integrated, moved, stored remotely (even across borders), copied, modified, updated, and deleted without a trace, the issue becomes wildly complex.

The Australian Computer Society’s Data Taskforce working paper clearly and concisely articulated the challenge and the solution:

How Accountants Account for Information

Since laws are lacking and courts around the world are confounded by the concept of information as property, perhaps we should attempt to determine whether information is, could be, or should be considered a formal asset. The accounting definition seems to provide more guidance around the potentiality of information as something which could be considered owned, because it is more precise than an array of random rulings by men and women in robes.

Dictionary definitions range from an asset being a positive characteristic or benefit or advantage, to something of value or piece of property. And “asset” is a synonym for a variety of other words. But as discussed earlier, the accounting definition of an asset is more precise, comprising three conditions or characteristics to designate an asset:

1. Something owned and controlled by an entity,
2. Something exchangeable for cash, and
3. Something that generates probable future economic benefits which flow to that entity.

Owning the Usage of Information

This question of information “ownership” proves to be a bit unsettled. There’s a catch-22: If information isn’t considered property according to a lack of legal consensus, how can it be owned? And if you can’t own information according to accounting standards, how can it be considered an asset? Chicken, meet egg.

As we have seen, for the most part information cannot be protected like other forms of intellectual property, but how information is created or used can be considered property in the eyes of the law.¹⁵ Specific use contracts among two parties, such as social media site user agreements, can offer some protection, but a particular collection of data rarely can receive the kind of blanket protection copyrights or patents afford. While most information assets cannot be protected as intellectual property, the way you use information can be legally protected.

The business method patent offers a vehicle for defining and securing the ownership rights to almost any unique and useful process you develop. This includes algorithms. Algorithms are used to create information and make use of information. But are organizations actually taking advantage of this kind of legal safeguard? Absolutely!

Patent applications for algorithms have grown 30x over the past fifteen years. Nearly 17,000 patents applied for in 2015 mention “algorithm” in the title or description, versus 570 in 2000. They jumped from 2,400 applications in 2011 to 8,000 in 2012, and to 12,000 in 2013. Including those mentioning “algorithm” anywhere in the document, there were over 100,000 applications in 2015 versus 28,000 five years ago.¹⁶¹⁷ At this post-recession pace, plus considering the increasing interest in protecting algorithmic intellectual property (IP), by 2020 there could be nearly half a billion patent applications mentioning “algorithm” and over 25,000 patent applications specifically for algorithms.¹⁸

Perhaps consternation over being able to legally protect and formally account for information should be redirected into efforts to obtain patents for the algorithms you develop that rely on your proprietary information assets.

It’s not that simple, cautions Nolan Miller, professor of finance at the University of Illinois. He suggested that patenting algorithms may not provide the level of real-world protection one assumes they might:

Miller also suggests there is a set of interesting questions around the option value of using an algorithm, not using it, or using it sparingly when you know or suspect competitors are watching. Similarly, Andrew Ng, a Stanford professor, co-founder of Coursera and now chief scientist at Baidu, reportedly has said: “No one can replicate your data. It’s the defensible barrier, [but] not algorithms.”²⁰

Personal Ownership of Your Personal Information

Personally, most of us are concerned about owning or at least controlling information about ourselves—particularly our financial information, and also our emails, telephone records, and anything that could be used to steal our identity. It’s important to note that like information, one’s identity cannot be “stolen,” per se. Rather it can be electronically copied and used to steal other things. The distinction is subtle but important no less. It manifests in a fixation and improper focus in stymying access to our information, instead of us being mindful and disciplined about establishing rights and responsibilities for others who we want or need to have access to our personal information. Either way—clamping down on our personal information or taking the time and effort to define in all the apps we use who gets which of our data, how much and when—tends to lead to security and privacy fatigue.

In most cases the fine print in software, website, and online business user agreements obtusely specifies that you retain “ownership” of whatever you post, but the company behind the agreement (or notice) retains unlimited, perpetual, and transferable rights to it. And in some cases, as with Uber, its U.S. user agreement indicates it can even modify your information before doing whatever they want with it.²¹ This is the main reason behind Face-book’s $19 billion acquisition of WhatsApp: unfettered access and ability to monetize the content of thirty billion messages and seven hundred million images each day. Not necessarily to gain customers. Customers don’t meet the criteria of a monetizable asset; information does. Remember, customers, like employees, cannot be owned or completely controlled.

Information ownership can be a legally moot concept. As part of these agreements, such language is merely an attempt at pacifying prose. Given the aforementioned lack of consensus and maturity in information property law, I’d rather have unlimited, perpetual, survivable, and transferable rights to some information than to “own” it. Still, we’re usually happy to agree to these terms in return for being able to use the app, participate in some community, or shop online. It’s the price we pay. We’re exchanging information about ourselves in return for some free or discounted online service.

This confounding matter of ownership applies to genetic matter as well. We like to think that it’s “our” health care record, but it actually belongs to those who collect and maintain the data. For example, in the U.K., a court ruled in favor of the National Health Service, allowing it to use data it collects from individuals during medical exams for alternative purposes. Similarly a U.S. district court ruled that individuals did not own the biological samples (and therefore the genetic information within them) that they had willingly provided to a researcher.²²

Then there’s the matter of one’s metadata. Recently, an Australian federal court refused to hear a case in which Telstra claimed account usage data was not data about a customer, and therefore believed it was not required to relinquish it to the customer. Telstra claimed such information was “not information about an individual whose identity can reasonably be ascertained from the information in isolation,” even if the owner is inextricably linked to the account. Therefore, the Australian Privacy Commissioner’s ruling requiring Telstra to release the information stands, for now.²³

In short, organizations seem cavalier about claiming legal ownership (or at least control) of information they collect from others, whereas the rights of individuals to control information about themselves is still in limbo where industry regulations fail to plug legal lapses.²⁴

Internal Ownership of Information by Departments or Individuals

We have already explored the notion of information ownership across organizational borders, but now let’s look inwardly. In almost any book or paper on information management or data governance, you will read about defining “data owners” as a key component of any information strategy. Generally these are business people who are responsible and accountable for the definition and policies for one or more types of information, e.g., customer records, transaction data, manufacturing process documentation, maintenance data, etc. However, as indicated throughout part II, the idea of internal data ownership manifests in a variety problems, including:

• Information politics—Information ownership creates a culture of contentiousness and propriety with regard to creating, defining, and using information. It puts some on the inside and others on the outside.
• Lack of shared responsibility—Information ownership implies that one individual or group is solely in charge of, accountable, or liable for the information.
• Reduced data quality and governance—Information ownership discourages others from participating in governing information or helping to enhance its quality and value.
• Lack of information sharing—Information ownership tends to reduce how readily information is shared with others throughout the organization.
• Lack of information availability—Information ownership results in architectures that restrict the flow of information throughout the organization.
• Increased expense—Information ownership often forces departments to source the same information another department does, duplicating the time, effort, and costs to do so.
• Limited information value generation—All of the above consequences of information ownership limit how readily information is put to work for the organization.

Barb Latulippe, the chief data officer at Dell EMC, agrees. When I spoke with her recently, she said:

Latulippe said she prefers the term “data trustee.” It may not have the authoritative connotation “data owner” does, but in the context of a fiduciary, as discussed in chapter 8, it carries both legal and ethical weight.²⁵

Similarly, in his book, Data Driven Leaders Always Win, Jay Zaidi asserts that “The question of data ownership is critical to governing data since it deals directly with accountability.”²⁶ But Zaidi follows up this point by acknowledging reality. He writes that asking the question “Who owns data?” throughout your firm elicits many interesting answers, including: data producers, data consumers, business units, the owner of the system on which the data resides, the first system that receives the data and processes, the owner of the data warehouse, and so forth. Zaidi makes the poignant observation that, “None of these answers is correct on an individual basis. Data is neither owned by a single business area nor an individual system owner, but is an enterprise asset that is owned by the corporation.”²⁷

Ultimately, the idea of an “information owner” is difficult or impossible to ascribe, and more important, sets the wrong tone about information as something other than an enterprise asset. Even renowned data quality consultant and author Tom Redman, avoids the term “data owner” throughout his several instructive books on data quality. He exclaimed to me recently, “It’s one of the scourges of the Earth. It implies I have something that I don’t have to give you. And if I do decide to give it to you, you have to pay for it. Inside any organization, that is unconscionable.”²⁸

That said, the idea of a “data trustee,” as Latulippe, Zaidi, and others suggest, establishes information as a shared resource with shared responsibility. Moreover, it acknowledges that the same information can exist in multiple places at the same time (or is non-rivalrous in economic-speak). Along the lines of our earlier foray into supply chains and physical asset management procedures, Redman prefers guiding his clients to think more about information consumers and information producers within the organization, and how they can better communicate and collaborate with one another.

Sometimes, it’s not that simple. Take McDonald’s, for instance. Gokula Mishra, McDonald’s senior director of global data & analytics and supply chain, shared with me how McDonald’s pan-geographic franchise model can make it difficult to get access to some data. He referred to this as a data sovereignty challenge in which getting corporate access to customer, supplier and employee information in various parts of the world requires an approval process and adherence to various data protection regulations. For example, he said: “From some of our markets in Europe, data regulations dictate how a subject’s personal information can be collected, used, shared, and transferred across borders. As such, certain steps need to be taken for a European market’s data to be transferred to McDonald’s Corporation in the U.S.”²⁹

Information sovereignty conundrums exist within tighter organizations, as well. Many U.S. states have legislated open data mandates, requiring agencies and departments to make data available among one another, and externally for citizens and businesses.

According to Liz Rowe, the State of New Jersey’s CDO, even following the law can be confounding: “The mindset among agencies is that ‘This is my data and I don’t have to share with you.’” Relating a meeting she was in with two different agencies, she said conflicting regulations don’t help at all:

Rowe shared that it sometimes takes many months and many lawyers to sort out if and how to share information among agencies, and how this hampers the state’s efficiency and abilities. One of her goals is to help everyone understand and start behaving as if they and their information are all part of the same organization.³⁰

The challenges of sharing information across internal and external borders within an organization also puts an interesting twist on ownership for one automaker whose head of information innovation admitted to me, “Due to regulatory restrictions and the challenges of requesting data from another part of the organization, it’s sometimes easier and cheaper for me to buy from a data broker or elsewhere, even if we already have it.”

Loaded semantics aside, the definition of an information owner as someone who is responsible and accountable for the definition and policies related to a particular information asset makes sense—just as the earlier Generally Accepted Information Principles in chapter 5 state. It is the “owner” moniker itself which causes problems.

You and Your Information Are on Your “Own”

Ultimately, attempts to define and execute on the concept of information ownership, either outside the organization or inside the organization, simply may be fruitless. Even worse, they may be a meaningless impediment to what is really important.

Inside the organization, information should be considered an enterprise asset. Information generates more value and reduces costs for the organization when there’s a culture of sharing and internal information availability is maximized. Therefore, instead of a fixation on ownership, focus on information stewardship, responsibilities, accountability, governance, definitions, and advocacy.

Outside the organization there is little precedent, exist few laws, and there is questionable support from the courts, accounting standards bodies, or insurance companies on recognizing information as legitimate property or a formal asset. So instead of blindly assuming you or someone in your organization owns your information, focus on specifying the contractual rights and responsibilities for anyone from whom you collect information or with whom you expose information: Who has the ability to create, read, modify, copy, share, or delete which data, how, and when? What are the penalties for a breach of contract? Is the contract transferable or assumable? How is it to be enforced?

Perhaps the idea of information ownership should be supplanted with an unusual idea from New Zealand, and in line with the metaphor in chapter 6 of information as an “organism.” The Kiwi government has taken an outlandish approach to land ownership. A statute passed in 2014 transformed the Te Urewera National Park into a unique entity which nobody owns, but with “all the rights, powers, duties, and liabilities of a legal person.” Now, more than 200,000 hectares of remote wilderness on New Zealand’s North Island is able to go to court. With help from any concerned citizen, particularly designated trustees from the land’s traditional settlers, the Tūhoe tribe, Te Urewera can defend itself from misuse by corporations or individuals.³¹ What if information itself could be imbued with certain rights, and the means to be legally protected? Perhaps someday.

For the time being, let’s turn our attention to ascribing a measurable value to information. All assets are measured. As illustrated in chapter 7, most physical assets are tracked at points along their supply chain. The flow of money is meticulously recorded. And even non-assets like employees are assessed. So why not information? Whether it’s an acknowledged asset or not, it makes perfect sense that information’s quality should be measured to ensure its functional utility, and that its financial value should be measured to ensure its economic benefits. In the next chapter, we will review recently developed methods for generating these metrics, and examples of how they are already being implemented by organizations today.