1 October 2024
The Data Protection Officer’s Guide to Data Ownership
Sofia Carroll, Information Governance Manager, clarifies some of the confusion surrounding data ownership in the context of DP law and intellectual property.
The UK General Data Protection Regulation (UK GDPR) sets the rules for processing personal data, but “ownership” is sometimes included in the meaning of having “control” over this data.
Since the implementation of the UK GDPR, people have been more proactive in asking for explanations from organisations about how they use their personal data and for what purposes. The language used, such as ‘my personal data’ and the ‘personal data we (controllers) use’, brings in the notion of ‘ownership’ of this information, which is not a question to which data protection has the answer. Specifically, UK GDPR “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”[1] Furthermore, the definition of personal data doesn’t suggest that personal data belongs either to the data subject or the organisation using it, just that it qualifies as such if it can identify someone and it relates to them in some meaningful way.[2] It is the responsibility of the controller to show they have a lawful basis to use it.[3] However, the accountability principle has no relation to ownership. Controllership does not automatically bring ownership.
Instead, data and information ownership is an issue that is dealt with by Intellectual Property (IP) law. It is often the DPO’s task to make this subtle but important distinction when responding to personal data complaints, managing processors and reviewing contracts.
The distinction between personal data ownership and control
So, whilst data protection law is clear about setting the parameters for lawful personal data use, it is silent on ownership. By contrast, information ownership is something IP law protects in the form of human creativity, expressed in a material form, attracting different IP protection depending on its characteristics.
The most relevant legislation in the overlap between data protection and IP is the Copyright, Designs and Patents Act 1988 (CDPA). Practice shows that copyright is usually the IP right that most frequently intersects with personal data, because copyright is an automatic right that arises easily and as soon as a qualifying work is produced – a work which can be anything from writing an original email to taking a photograph. So, some key points to remember:
- Data about a person is not necessarily “theirs” in IP terms. This is often a concern expressed in personal data complaints when the data subject doubts the legality of the controller using their data by questioning the correct use of a lawful basis.
- Owning an item does not equate to owning the IP in it. For example, if the article was published in a newspaper, the actor can own a copy of the newspaper because they have bought a copy of it, but they still would not own the copyright in any of the published articles, unless the actor wrote the article themselves.
How to deal with the overlap between data protection and IP
These are some practical points about how DPOs can manage this complex relationship:
- Increase the DPO’s own knowledge. Expanding the DPO’s own knowledge of IP basics with specialist training will benefit their development and protect the organisation from unnecessary risks relating to information.
- Explain ownership and control of personal data to complainants. The DPO can address people’s comments like “this is data about me, I own it” in personal data complaints once they have increased their own knowledge.
- Implement IP protection. The law is clear that the employer is the owner of any work created by a staff member in the course of their employment,[4] which is also covered in employment contracts. Organisations, however, also need to arrange for a copyright assignment when they work with freelancers, because paying for their services does not automatically transfer the IP in the work created to the organisation.
Why not take a look at our latest relevant courses, including:
- Information Sharing, Data Processors and Contracts (15 October 2024, 9:30am-1pm, 3 CPD Points from CPD UK). This course will benefit participants looking to understand the requirements of Data Sharing Agreements and Data Processing Addendums, and explore the relationship between a Data Processor and a Data Controller.
- Lawful Digital Marketing (23 October 2024, 9:30am-1pm, 3 CPD Points from CPD UK). This course explains the regulatory framework for conducting lawful marketing via electronic means. Participants will gain knowledge of key laws (the Privacy and Electronic Communications Regulations and the UK General Data Protection Regulation) and understand their relationship in a marketing context.
- Data Protection Rights (focused on Data Subject Access Requests) (7 November 2024, 9:30am-1pm, 3 CPD Points from CPD UK). This course will benefit participants seeking a practical course to help understand their responsibilities when individuals exercise their rights under data protection law, exploring the management of Data Subject Access Requests with scenarios that guide participants through the steps involved in handling requests compliantly.
Each of our intermediate courses can be taken as an individual course or as part of our Intermediate Certificate (available in Data Protection or in Copyright). Book any of our courses via our Online Training page or contact our Training Manager at info@naomikorn.com.
Originally published in the Privacy Laws and Business UK, September 2024
[1] UK GDPR, Article 1(1)
[2] UK GDPR, Article 4(1)
[3] UK GDPR, Article 5(2)
[4] CDPA, s11(2)