There are many terms thrown around these days such as information governance, data governance, cloud storage, app development, and information silos. While there are plenty of methodologies on how to address challenges with all of the above, one problem is consistent. Who owns the data? What you will find is who is often subjective, and may change based on certain events.

We have broken it down to internal and external data and the various ownership concerns that may come up and tips on how to address the issues*.

*Note the items and tips below are best practices and do not constitute legal advice.


Finding the owners of the information inside the organization is relatively easy. First, the organization typically owns the data you create, unless there are obligations you have made to clients. There is also a responsible person group within your organization who owns or manages the information. Ownership and management are very different. Once ownership is defined, it is important to work with the owner to ensure all are aware of how the data is managed. Below are some examples with tips on how to work with various departments internally who may own and manage the information.


If the legal department or general counsel own or manage the information, it is common they have a “keep everything” mentality. Verify why the information needs to be kept and, if not, apply your retention rules and guidelines to the information. Having an attorney or general counsel sign off on holds, destruction or disposition actions is a best practice to ensure you aren’t keeping anything longer than what needs to be.


If the IT department or CIO own or manage the information, it is very likely they know where the information is, but not why it is there, or they may not manage the day-to-day data flows. Their mission is likely to keep the systems up, fix what is broken, protect from threats, and work on IT projects. By removing data that is no longer required and archiving data that doesn’t need to be on disc one can help the IT department save on storage and help the organization mitigate risk.


Often the facility group has oversight of physical records storage. They may oversee a record center or work with an outside vendor who stores records. If they are the owners and managers, it is important to know who has and owns the index or metadata associated with the records. What happens if bills aren’t paid or if access to a facility is needed? Facility operators are likely focused on access and space, and not retention or data management, so by working with them and possibly IT, retention best practices can be used to mitigate risk, save on space, and reduce storage expense.


Vendors who manage your data externally can provide much-needed relief for data and information owners. Saving space, lower cost storage, and better protection are often vital benefits of using a vendor to store your physical or digital records. However, the risk changes over to the vendor, and if you own the information, it is up to you to ensure the vendor is compliant with the agreement and best practices.


If you are using an external vendor one should have an agreement. That agreement should outline the term, pricing, confidentiality, limitation of liability, assignment, and other key provisions. It is important to understand what the vendor believes is their responsibility and what is your responsibility. It is also important to understand what both parties agree to regard data ownership. For example, if you fail to pay your bill, does ownership of the data transfer. Further, does the vendor have the right to send your information to third-parties?


By transferring risk to a vendor, it is imperative to ensure they have insurance coverage to protect your information. General liability, errors and omission, and cyber insurance policies should be discussed with your vendors before you send them information. Further, talk to outside insurance experts to ensure you have the right coverage on your information and data.


If something goes wrong, it is important to know who is going to be notified and when. Often, an agreement will state who is notified, but that information can change over time. Also, how someone is notified could be important. If a record is lost, stolen, or a breach has occurred it is important to understand what the vendor will do with notification, so you can take the necessary steps to ensure the incident is handled properly.


Information posted on social media sites is often not owned by the person or organization who posts the information. It is important organizations understand the user agreements of social media companies. It may be better to post information on an organizationally owned medium such as a website versus a social media medium.


Robin Athlyn Thompson is a double lifetime-achievement award winner for her subject matter expertise in information as an asset, including Cyber Security, eDiscovery, Information Governance, and corporate buying teams. She is a leading industry micro-influencer and was the recipient of the first ACEDS lifetime achievement award for her groundbreaking work in identifying emerging buyers, was honored by the Executive Women’s Forum as a woman of influence in Risk Management. She blends practitioner work on MDL litigation and governance, with sales and marketing experience today as a market strategist and brand manager.