There’s a post on the ICO website that is supposed to be “A day in the life of the ICO’s information management team” – it is in fact a plug for the accountability framework. It contains a specific claim that ICO has subsequently circulated on social media:
“we must always remember that each piece of personal data we store belongs to a real person”. The concept of data ownership has long been controversial, but it’s important to many DP practitioners. I have a couple of problems with it and I’ll set them out here.
First, if the people who put the GDPR together intended to give individuals ownership of whatever data related to them (whatever that would mean), they made a pig’s ear of it. It doesn’t say so anywhere. There’s only one line in the recitals that you can hang an ownership theory on if you really want to: “Natural persons should have control of their own personal data”.
The use of the possessive ‘their’ could be interpreted as a statement of ownership and there are other references to ‘their personal data’ in the recitals, so it seems to be a consistent theme. But none of this is in the formal definitions or requirements. Nothing concrete backs it up.
Look at the Articles and what you find is very thin. There’s no statement of ownership or reference to data being a person’s property, with just two references to “their personal data” in not particularly significant places.
Even the line from the recitals is undermined by how the GDPR defines the person who has control over personal data – it’s not the individual, it’s the organisation. You can take the recitals as an endorsement of the ownership theory, but I can interpret “Natural persons should have control of their own personal data” as an aspiration in part of the text that has no direct legal force. Prove me wrong.
The other problem with the data ownership theory is that it doesn’t make any practical sense. I own and physically possess the computer I’m writing this post on. Nobody has a right to use my computer for their own purposes without my consent.
The same is not true of my name and address, my date of birth, or any other personal data that relates to me. A wide range of organisations, public and private, can obtain or create and then use personal data about me *lawfully* without my permission and, in some circumstances, without my knowledge.
It’s a strange concept of ownership that says I own data contained in legal advice, or information about my role in criminal offences, or the honours system, or the work of a multitude of regulators, even though I have no control over it and it’s legitimate for me not to know it exists.
If I can’t prevent the creation, use and sharing of personal data in a huge range of situations, and sometimes I don’t even have a right to know it’s happening, in what sense do I own it?
My answer to this question is simple: I don’t. Data ownership is either an unhelpfully simplistic way of persuading organisations to respect individuals or (ironically) a pitch from people who want to degrade data protection rights to the level of property. I don’t have much time for either camp.
Individuals have limited control and specific but not absolute rights over data that relates to them, and GDPR creates a framework to regulate the use of personal data in a fair and balanced way. That’s an unattractive summary for some, but I challenge anyone to explain to me why it’s inferior to the explanation that I own all the personal data that relates to me.
Of course, I’m not the King of Data Protection so I can’t tell you what to think or say. The above is my case for why it’s unhelpful and unrealistic to describe the relationship between data and subject in ownership terms – GDPR doesn’t say that, and it’s a meaningless idea when you test it.
And here’s one more reason – it’s massively unhelpful to the data subject. Primed with a sense of ownership, a person enters into a subject access request fully expecting to be given all of “their” data.
The use of exemptions doesn’t make any sense because it’s *mine*. You can’t disclose my data to others because it’s mine. You have to delete my data because I own it.
By misleading people into thinking they have ownership and control, proponents of this theory set individuals up for confrontation and disappointment. It’s a soothing, easy way to show how much you care in a LinkedIn post, but it has nothing to do with reality. If ICO is hooked, it’s probably one more battle I’m going to lose, but definitely a hill on which I am willing to die.
This is a link to every possible reference to ownership in the GDPR text that I could find: https://2040training.co.uk/ownership/