Compliance & Research Ops
Who owns your research data
Written by: Phil Hesketh
Published on:
I’ve spoken with a lot of people over the last two years about privacy, data protection laws and people’s rights and specifically, what that means for us as researchers.
One of the core principles that comes up often is this notion of ownership of data: Who owns it?
There are primarily two schools of thought:
The organisation or individual who invested time and money into collecting, refining and analysing that data owns the data
The person whom the data concerns (typically referred to as a “data subject”)
What does the law say?
The law depends on where you’re researching in the world. Let’s take GDPR as an example - not a bad place to start as the growing number of global privacy laws use this as a template to define laws in their own countries or states.
GDPR does not actually give us a specific answer to this question of ownership. What it does specify, however, is that people (aka “data subjects”) should be in control of their data.
What “control” means is simply this:
They can access any data you have about them
They can ask you to change it if it is not right
They can ask you to delete it
With GPDR, if you’re not able to fulfil these rights, you’re staring down the barrel of a €20 million fine, or 4% of your global turnover - whichever is greater. You can see how thinking that data is owned by the organisation or individual that invested in its collection could quickly become problematic.
Moving beyond ideas of ownership
I think it is helpful to re-frame this idea of ownership to something more like a relationship between an individual and a custodian.
GDPR states that people should be in control of their data. So, organisations as custodians of that data inherit a responsibility to support people to realise that control should they choose to.
After the point of collection, this includes things like giving the individual access to that data should they want it, allowing them to amend it should they want to and allowing them to delete it.
Before the point of collection, they should be given enough information about what you intend to use the data for. How you will look after it, who else might see it and how people can exercise the control that they are entitled to should they want to.
All of that information should be given ahead of time so a reasonable decision can be made about whether or not they want to give it to you in the first place.
As researchers, informed consent is typically how we share this information ahead of time. If you look after the point of collection (ie when the data is captured, like recording audio from an interview), you can see that our responsibilities as custodians of their data don’t stop with the consent form.
In-house vs working with clients
This question of ownership gets a little bit more complicated when you’re working on behalf of someone else, such as a consultancy doing research on behalf of a client.
Looking through this lens of “the custodian” the consultancy is initially responsible for the data, but it needs to be made clear in the consent form that you are doing the work on behalf of someone else. At the end of the project, those responsibilities might be transferred to the client - or, as is often the case, the responsibilities (and raw data from the research) remain with the consultancy, and they just hand-off the insights from the work.
This largely depends on the relationship you have with the client and what is handed over when you’ve finished the project.
The shifting sands of design research
As organisations look to get more value out of research, new ways of working, organising and sharing become more and more prevalent.
Things change, people leave or move onto different projects, responsibilities fall by the wayside - because the mechanisms we have put in place do not address the challenges that we face in practice today.
What I’ll call here “traditional” consent is transactional. Too broad and it makes people uncomfortable. It’s a one time use - we need your data for this purpose.
What if there was a way to open up a conversation about re-use of the data with participants, without offering up their rights in return?
We built Consent Kit to build on the great things about informed consent, but to enable organisations to continue to utilise the data they invested in without shirking their responsibilities to the people they are learning from. We call it managing data around relationships.
Managing data around relationships
The approach we’ve streamlined is to firstly, put a human at the end of the consent form and not an organisation or catch all email address. We encourage people to ask questions if they’re not sure about something. We’ve automated the personalisation and streamlined the messaging so you can do this without any additional operational overhead. If that person leaves, or moves onto another project, all of those responsibilities are reassigned to whoever takes over - without a lengthy handover process.
Secondly, any research data captured is linked back to the permission you have to use it. Audio from interviews, or a screen recording from a usability test. You can see where all of the research data you have collected is - no matter where you want to store it.
This link is important, because if you find that you need to use something for another purpose than outlined in the consent form, you can easily get back in touch with them and see if they are comfortable with its new intended use.
Finally, having this link between the data and the consent form helps us to fulfil our responsibilities under data protection laws. Remembering to delete the information within the time agreed by the participant and being able to generate a report showing all of the data you have on a participant should they submit a data subject access request (DSAR).