A couple of years ago I attended the Global Digital Health Forum, where a speaker by the name of Jeff Street said something that has stuck with me ever since: “Whoever owns the data, owns the community.” Since then, I have kept turning that provocative phrase over and over in my head – it seemed to have a spark of truth in it, but it was hard to determine exactly why.
| Debate Data Ownership at GDDF 2022 |
| Join lively discussions about data management, ownership, and privacy with donors and implementers across 100+ learning sessions at the Global Digital Development Forum on May 4-5. Register now for this FREE event and share your experiences and ideas. |
Thinking about data ownership, data access, and data use is at the heart of the Data.FI project, funded by USAID. Our mandate in many places where we work is to support country stakeholders and USAID to scale and optimize health information systems, use available data to drive performance improvement, and create high-impact analyses to support public health decision making.
One of the first steps that we take on almost any activity is the signing of data-sharing agreements with the parties with whom we will work. This step is in line with our broader responsible data use policy on the project, which requires that all staff handling data be trained in best practices in data management, and further, that all data shared with us is covered by a data-sharing agreement. These agreements document who will be accessing the data, and how it will be stored and handled. Furthermore, we take particular care with datasets with personally identifiable information – and avoid accessing this type of data unless it is mission-critical.
While it might sound straightforward to pull together a data-sharing agreement, it leads to lots of questions on who owns the data and who has the right to share data with us. This often results in tripartite or multiple data-sharing agreements to accommodate the multifaceted nature of interest or “ownership” in the data. So, who owns the data?
The government owns the data.
The information systems where data are housed are under the authority of the government of the countries where USAID-supported implementing partner organizations work. The health services that are provided and which comprise much of the data in these information systems operate under the purview of the ministry of health and other government bodies – implementing partners and donors are only able to work under their authority.
To varying degrees, ministries of health and other government departments want to have some line of authority on how data that are generated from their citizens are analyzed, used, and disseminated. They own the data because it would not exist without their authority.
The implementing partner owns the data.
Direct service delivery implementing partners in the countries where we work implement HIV and COVID-19 services that are part of the broader government health response, often with donor funding. They generally report the data of the work that they are doing through government reporting channels and systems, as well as directly to the donor.
The data they produce are a key accountability mechanism for the donor and the government, and their analysis and use of that information is often seen as their “competitive edge,” which makes implementing partners hesitant to share this information with third parties – particularly with competing organizations. They own the data because they collect the data while delivering services.
The donor owns the data.
USAID and other donors fund projects that deliver health services and support the development of information systems and approaches to mine data to strengthen the health response. Donors use the data to hold their partners accountable, to strengthen programming decision making, and to demonstrate impact to host government counterparts, the U.S. Congress, and the global community. They own the data because they fund it.
What about healthcare providers? Clients? The community?
We do not typically sign data-sharing agreements with healthcare providers that supply the data in health information systems, nor do we sign agreements with the clients whose data are in these systems. Yet, are they not the first and primary users and generators of these data?
There are many reasons (and excuses!) for the lack of visibility and use of health data at the health facility or community level. We say that there are no resources for these types of interventions. We say that the communities don’t have the expertise to understand the data, do not have the skill set to interpret it, or that they have no interest in using it.
That said, efforts are increasingly being made in HIV programming, for instance, to reach global goals like 95-95-95 through better data access and use of data for quality improvement at the health facility level.
How could we include all stakeholders?
What could we achieve by including the client and the community in accessing and using the data? We do not know what we are losing by not enabling communities to access their data and use it, or even if the data in the systems we have currently address their needs. Without access to data, communities cannot advocate for services, monitor health system services, or develop community-level responses to health challenges they face. Furthermore, without access to their information, clients may not be able to understand their health condition or seek second opinions with their patient records.
I conclude that ALL the stakeholders I’ve described have a role in generating and using the data, and thus “own” the data, and yet none of them do so exclusively. We have multiple stakeholders with a strong vested interest in the information, and yet not all the parties described have equal access to it. Given that health data has distributed ownership, should we as a community be working to encourage open data, in the same way many are promoting open-source technology solutions? How can we make data access and ownership more equitable?
The global health field is rapidly evolving in terms of understanding data privacy, data access, data sharing, and data use. I look forward to contributing to this conversation and seeing how it progresses. In the meantime, as I am drafting up my next data-sharing agreement, I will continue to ask who owns the data and whether those who produced the data have the same rights to it as I.
By Nena do Nascimento, MPP, Senior Technical Advisor for Monitoring, Evaluation, and Learning (MEL), Data.FI, Palladium
Thank you for this excellent article. As you note, data ownership can be tricky. It is often helpful… and even important… to be able to tease out the distinctions between the data “owner” (which may be the client or patient)… one or more data “custodians” (who will maintain data holdings for defined purposes of use, such as care delivery, or health system management, etc.)… and data “network providers” (who will faithfully convey data, but not become custodians, themselves, by creating data holdings). In some jurisdictions, different legal rights, rules, and governance apply to each of these three “actors”.
Thanks, Derek – I really like that language to tease out those distinctions from those three groups.
Thank you! Very insightful piece for writing.
An excellent article showing how ownership and ‘custodianship’ still impact data use. Custodians sometimes whirled enormous power. A data sharing/access agreement is definitely the first step in guaranteeing order.
Thanks for sharing, Elizabeth. This is a tricky and important topic. Sathy Rajasekharan of Jacaranda Health recently highlighted an important gap in this space, between GDPR legislation (which has inspired data protection laws in many countries in Africa) and how that conflicts with the demands we face from donor and government stakeholders in practice. GDPR enshrines that health data belongs to the individual, but in practice many stakeholders believe and act as if the rights to the data belong to them.
Would be great to hear more dialogue on how we can ethically reconcile policy and practice.
GDPR is a strong piece of legislation, to be sure — but it cannot be taken out of its context. An important key in operationalizing data protection rights is the ability to define “purpose-of-use” for the data holdings of any custodian (other than the “owner”). This is crucial when it comes to consent management for data exchange, too. We can expect implied consent (opt-out) to share data for the purpose of care delivery… but require explicit consent (opt-in) for other purposes, like marketing, for example.
Interesting. In my opinion, there is really no conflict, as long as all stakeholders (government & non-government) adhere to the extant laws and regulations of the jurisdiction in which they operate. What we need to do is strengthen in-country governance mechanism to develop appropriate fit-for-purpose regulatory regimen and the enforce compliance by all players.