Note: This post is part of a series on the Mid-Atlantic Privacy Compass. Over the following weeks, Commissioner White will explore each of its Compass Points in greater detail.

Abstract:

• An organisation, and people in general, should be a steward in all things. This principle extends to communities, the natural environment, and to data.

• When individuals provide personal data to organisations, the entity must take the mind-set that the data is only temporarily in their care and they are acting on the individual’s behalf, as a formal agent or otherwise.

As we travel on our various journeys - through time, space, or life itself - we are transitory. In business or otherwise, we have the opportunity to make use of the resources in front of us, but must always act responsibly, conserving common goods for the benefit of the community now and in the future.

These sorts of arguments are often used for natural resources: in various philosophies, and even Biblically, humans are considered to be the caretakers of the world, not necessarily its owners. This form of thinking shifts the balance away from a sense of entitlement. We should be stewards in all things.

As with other resources, framing the discussion around personal data as one of stewardship, as opposed to ownership, changes the way we intuitively understand its exploitation or protection. An owner is free to sell or consume a resource, but a steward has a duty of care to preserve it. A steward acts on behalf of the individual, in their best interest, ensuring that the data retains its value while also bringing a benefit to the data subject.

An organisation that uses personal data must take the mind-set that the data is not theirs, but only temporarily in their care. Ideas around agency can be very useful in this regard: the organisation should not consider themselves an outside third-party who has triumphed in a negotiation to win data rights - this mind-set is oppositional, winner-take-all. When using personal data, in fact they are carrying out the instructions of the data subject, and should consider the duties of care and otherwise that such a role implies.

Individuals provide data to organisations so that it may be used in ways they prefer, for a benefit they decide is worthwhile. The organisation must consider themselves a steward - or even an agent - of the individual, acting on their behalf and seeking to preserve the resource.

It is common in business parlance to use the word "owner" as the ultimate expression of responsibility, implying that people will surely treat their own property with the highest care and reasonableness. I would argue that is not the case: I am free to use my own property frivolously if I want, if I deem the goal worthwhile.

On the contrary, the highest duty of care arises when one is a steward, charged with protecting property on behalf of someone who has placed a great deal of trust in them. There is a certain amount of humility to this mind-set, but humility is needed from organisations charged with protecting individuals' rights - in other words, any organisation using personal data.

Alexander McD White

Privacy Commissioner

Nota bene: If you'll indulge me, a few additional thoughts for clarity:

When speaking about data and ownership, discussions can go down many, complex roads. If an individual is an owner, does that mean they can sell or lease their data, even for a poor deal? Should we evaluate these agreements for unconscionability? What would be the fair compensation for a perpetual license to process data to make judgments about an individual's preferences for targeted advertising? How could the many, online, micro-transactions possibly equate to matters of rights and principles?

For such reasons I am not yet convinced by arguments regarding data-as-personal-property. Yet, as we have been told so many times in recent news, data has a value and can be exploited. In many ways it is analogous to common areas or natural resources, matters that could profit those who would exploit them, with consequences to be borne by the community. The unfortunate result of this type of structure is the tragedy of the commons, with our privacy the spoilt resource.

On the contrary, I would argue that the inherent harms to rights and freedoms that may come from unchecked data use place an extra responsibility on those who would collect it to act in the best interests of the subject.

Certainly, the organisation may still create something of value for themselves as part of the process of providing a service to the individual, but by shifting the mind-set to the context of stewardship, their duties to the individual become more clear.

They are not to exploit the resource, but to engage in careful management of it for the benefit of the individual. Their duty is not solely to make a profit, but must be balanced against the duties of care or otherwise that they would owe as an agent or caretaker. This shift in perspective provides an important focus, orienting the organisation towards the individual and counterbalancing other incentives. It would be anathema for a steward to exploit data to the point that it harms their charge. It would be violating their duties.

To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.