Shrek famously said ‘Ogres are like onions…They both have layers.” In my attempts to work through the different aspects of data sharing, deduplication and governance, I’ve begun thinking about layers. At the moment, I have four. I’m not satisfied with them yet, but hoping it will provoke input from you and help us think about the trade offs between the layers. So here we go.

Model

In essence here I am asking if it is a centralised or de-centralised model. Many centralised models assume or require common data layer through which share data or deduplicate datasets. In a decentralised model, the data is disbursed amongst multiple actors with no single control point. For example, there is no master beneficiary list off of which everyone is working.

Ownership

I’m not sure this is the correct term as I think the idea of ownership is a poor notion, but it’s what I’m using at the moment. Who owns or controls the data or the data layer.

1. Single agency ownership. This is where one organisation tells others to use their system and they assume ownership and responsibility for the data collected.
2. Common or shared ownership. This could take the form similarly #1 but the system is provided by a supplier who has a contractual relationship with one agency. This often happens in consortiums even if there the supplier selection is done jointly. The Data Trust Model would also fall into this category and is a more ‘true’ example of common ownership.
3. Individual Ownership. Instead of the data being ‘owned’ by an agency, it is ‘owned’ by the individual about whom the data is. The individual plays a significant role in who has access to the data.

Access

While the previous layer talked of ‘ownership’ and ‘control’, this layer is about who has access to the data. Is it just the organisation who collected it? The issuer or documenter of the data. Or is a group of organisation working together in a network or consortium for an agreed purpose? Does the individual about whom the data is, have access to the data?

Risk

This is final layer for the moment. And I am not happy with this layer name either. However, here I am thinking of security, liability, and privacy. What are the security issues to be aware of – in the technology as well as in the business process and in operating context. Where does the liability sit? And then privacy. What are the privacy concerns for the people about whom the data is? Does the person have any say over what happens or is done with the data about them?

Those are the four. And as I write, I wonder if another is needed. One about ‘rules’ that looks at how things are done. I’ll have to stew on that for a while. Any feedback on the above or on if a fifth is needed would be gratefully received.