Data 'ownership'


#1

Hi
I am struggling a little bit to wrap my head around this particular scenario:

  1. I trained our partner organizations (in Cambodia) on how to collect data using mobile devices
  2. My organization decides to give the handset/tablet to the partner organisation and signed a memorandum of understanding, whereby the partners now own and maintain the tablets.

I am struggling to understand the full implications of doing so in the sense of data ownership, security/data, device lost/stolen… In your experience how do organization go about digital data collection? Do they maintain the tablets themselves or do the partners use their own tablets to collect data.

In the second case, if the partners use their own tablets, who owns the data? the partners or your organization?


#2

I think I’m only getting at one part of your question here, but one way to think of it is similar to how the new EU regulations (see GDPR) do. You would be the “data controllers” - in other words, you’ve asked them to collect data for you. They would be the 'data processers" who are doing the job. So you’d want to have an agreement in place that stipulates how they will manage and secure data that’s collected, and who has access to its use. You very well may agree that it’s both of you, but it should be in writing. According to GDPR, I believe (but you should double check), the data controller has the responsibility to require that the “data processer” has up to par security and privacy protocols. Some ways you can do that are by working together with the partner to better understand privacy/security (if they don’t already) and having a data sharing agreement in place along with the memorandum of understanding for the devices (which you mention you’ve already got). You can find a sample data agreement here and some more thoughts on data sharing http://elan.cashlearning.org/wp-content/uploads/2016/06/Data-sharing-tipsheet.pdf. The data sharing agreement should cover element like data ownership, privacy and security, and where the data will be stored, and for how long (and when might it be destroyed or aggregated and archived), and what kind of protocols they have in place with regard to a possible data breach. If you only trained them and they are collecting data for their own purposes (not to give to you) then I would think you’d want to still do some training (if they are not up to speed - I have no idea if they are or not) so that they are not putting people at risk by collecting personal or sensitive data, or by not having good data security in place.


#3

@PerCa - Welcome to the forum! Your question is excellent - you’ve come to the right place. Perhaps give folks a bit more background

@lindaraftree - very thoughtful response - thank you for your clarifying comments.

All - if you need to learn more on the EU’s General Data Protection Regulation (GDPR), check out this link.

Other thoughts out there about the relationship between “gifted” devices and data ownership? @Josh_Woodard?