Who Owns the Data?

  • Comments posted to this topic are about the item Who Owns the Data?

  • The devil's advocate in me just thought of something: If the court rules that data in another country is inaccessible, then I, as a crime boss, can keep my data in 3 countries. When country A wants to investigate me, I just delete my data in country A. 🙂

    5ilverFox
    Consulting DBA / Developer
    South Africa

  • Ownership depends upon what was agreed in the EULA that was not read by the person who agreed to it.
    To be perfectly honest, I don't really care who owns the data. It's not mine, certainly. I just look after it and query it as requested. Our product managers decide what is done with the data internally. If it needs changing, they request it (with the exception of everyday requests from the ticketing system).
    What's more important to me is access. Who may request what data? If anyone comes to me looking for data that is not within their product range, then we both go to the product manager in question and ask if the requestee may have the requested data.
    We have had discussions in the past about the data for the developers. We had started the new version of our main product. I wanted the developers to have production levels of data and wanted to deliver to them anonymised data from the current DB. This was rejected as unnecessary and so I left it at that.

  • Who can access data is a collective responsibility. When I worked with sensitive data I would not just hand it out to whoever asked for it. As a data professional of course you need to be aware of who can see what. You don't have to do what you are told - you have to do what you can within the bounds of data protection law.

  • Well done Microsoft.

    Under GDPR with limited exceptions I own the data about me.  Companies have to ask my permission to use my data for purposes other than those that are both implicit and obvious from my use of their services.
    GDPR applies to any company holding data on EU or UK citizens, offering services and products in EU or UK,  operating out of the EU or UK or subcontracted from such companies.

    Other countries are recognising GDPR as a suitable template on which to build their own regulation.

  • It will be nice to have posts about the progress of this case.

  • Hey Steve,
    I'm not convinced by the "I just did what my boss told me to do" model.
    If we want to be taken seriously as a profession - rather than a bunch of craftsmen/women, then we need at least a concept of professionalism and ethics.  You might enjoy Uncle Bob's take on it.  It is somewhat targeted at developers and I see no reason why the basic ideas would not apply to data professionals too.

    http://blog.cleancoder.com/uncle-bob/2015/11/18/TheProgrammersOath.html
    http://blog.cleancoder.com/uncle-bob/2015/11/27/OathDiscussion.html
    ...and finally - people going to jail.
    http://blog.cleancoder.com/uncle-bob/2017/08/28/JustFollowingOders.html

  • If data residency matters, then do we need to start thinking about where our data is stored?  If data is treated like physical property, are we going to start having customs enforcement whenever it crosses a national boundary?  Are we going to have excise taxes / tariffs when it is imported? 
    I think saying that data belongs to a person (as in GDPR) rather than to a company or country makes sense, but physical items in storage units belong to people not the owners of the storage units and they are still subject to the property laws and warrants of the countries where they physically reside...

    I googled tariffs for software, and only the UK had a good definition, but it was simply: "Programs and data are classified according to the media they’re recorded on." - What if the bits cross the border on a wire? (https://www.gov.uk/guidance/classifying-computers-and-software)

    I think the ITA (Information Technology Agreement) applies to this:  http://web.ita.doc.gov/ITI/itiHome.nsf/8a463e0c5fef335685256ccb006184ab/56c5c43580267d2285256cf70069b2a0!OpenDocument

  • So if this goes the wrong way, soon the Chinese government will be able to demand documents and private emails from 'dissidents' living in the US. This is a really bad thing.

    There already IS a mechanism to deal with this. The prosecutors can file for a warrant from the country involved (in this case Ireland/EU); however, the US DOJ insisted that was too much trouble.

    [Related point: Recently there was a problem with Google Docs locking people out because an algorithm decided the content was 'inappropriate'. Google apologized for the overly aggressive algorithm, but not, apparently, for policing the content of private documents. Documents judged by algorithm? Does a human judge follow up? BOTH options are really really bad.

    I've had zero respect for them since the 'diversity' memo, which clearly showed a strong (and scientifically unsupported) ideological bias.  How can we trust them at all?]

    ...

    -- FORTRAN manual for Xerox Computers --

  • jay-h - Monday, November 13, 2017 7:36 AM

    So if this goes the wrong way, soon the Chinese government will be able to demand documents and private emails from 'dissidents' living in the US. This is a really bad thing.

    They have tens of thousands of people working on that right now.

  • Robert Sterbal-482516 - Monday, November 13, 2017 7:43 AM

    jay-h - Monday, November 13, 2017 7:36 AM

    So if this goes the wrong way, soon the Chinese government will be able to demand documents and private emails from 'dissidents' living in the US. This is a really bad thing.

    They have tens of thousands of people working on that right now.

    True, but currently they have to hack it. 

    Getting to look like the cloud is not our friend.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Interesting points. And even though the US Supreme Court will hear this case, that isn't going to dictate what other countries might decide. I can see the possibility of the US Supreme Court deciding in the favor of Microsoft, but then in the future some data that's stored in the US on Azure, AWS or Google's cloud being subpoenaed by an Indian, Irish, or Chinese judge. Wonder what will happen then?

    Kindest Regards, Rod Connect with me on LinkedIn.

  • Rod at work - Monday, November 13, 2017 8:33 AM

    ... then in the future some data that's stored in the US on Azure, AWS or Google's cloud being subpoenaed by an Indian, Irish, or Chinese judge. Wonder what will happen then?

    I can see some companies and individuals pulling information off the cloud.

    ...

    -- FORTRAN manual for Xerox Computers --

  • richard-674310 - Monday, November 13, 2017 7:20 AM

    Hey Steve,
    I'm not convinced by the "I just did what my boss told me to do" model.
    If we want to be taken seriously as a profession - rather than a bunch of craftsmen/women, then we need at least a concept of professionalism and ethics.  You might enjoy Uncle Bob's take on it.  It is somewhat targeted at developers and I see no reason why the basic ideas would not apply to data professionals too.

    http://blog.cleancoder.com/uncle-bob/2015/11/18/TheProgrammersOath.html
    http://blog.cleancoder.com/uncle-bob/2015/11/27/OathDiscussion.html
    ...and finally - people going to jail.
    http://blog.cleancoder.com/uncle-bob/2017/08/28/JustFollowingOders.html

    I know it's not a great answer, but I also don't know what I'd do. Each situation/case might be different, with nuanced interpretations. If someone said "get the data from Server X", which is in Ireland, am I supposed to somehow validate this as a request I should or should not fulfill? I can imagine this coming to a data professional, in the middle of many similar requests, and just completing it. 

    It's not that I don't feel responsibility, or that I think someone shouldn't, but that this is complex and it's not easy to keep up with what we should be doing.

  • I guess in Uncle Bob's example it's pretty hard to imagine that the devs didn't know what they were doing and that what they were doing was surely against some rules somewhere.  Even if they didn't foresee billion dollar fines and jail terms.

    Suppose in your example ("get the data from Server X") it were phrased more like "Grab all the emails that Steve Jones sent/received in the period X to Y, off server X"?  It's now a lot harder to imagine that the recipient of the request doesn't know what's going on!

    Like you - I don't know what I'd do.  I'd like to think I'd do the principled thing.  But would I?  Right now I think I could afford to lose a job - although maybe I am wrong.  In different economic circumstances I might not even think that.
