Data ownership model

Question 1

1. Introducing the data ownership model

Accepted Answer

Government data assets are vital to the nation because they support the formulation of evidence-based policy making, economic growth and public accountability. Their wide-ranging impact fuels innovation, enhances transparency, enables better public services and empowers citizens. This means it鈥檚 essential that the government manages its听assets听effectively to fully realise their value in a legal,听ethical听and secure way.听

The government needs a consistent framework around data ownership. The lack of a shared understanding of roles, accountabilities and responsibilities is most deeply felt around critical data which multiple public sector organisations may rely on. This lack of a shared approach prevents effective cross-government data sharing and our ability to reuse data for public good.听

Data governance maturity levels vary across government. Some organisations already have data ownership policies and implementation plans in place,听whereas听others are at the听early stages听of creating an enterprise-level model. This model helps public sector organisations understand the importance of data ownership behaviours and principles and ensure they have the policies and plans in place. Where public sector organisations already have ownership policies, it鈥檚 an opportunity to assess, update where needed and reinforce the message about its importance.听

This guidance formalises the roles of the people in government responsible for managing data throughout its life cycle. The guidance explains best听practice, and听encourages a consistent and standardised approach to data ownership across government.

Question 2

2. What data ownership is

Accepted Answer

Data ownership does not deal with 鈥榩ossession of data鈥�. It鈥檚 about formalising the roles of people responsible for the management of data throughout its life cycle. It听establishes听accountability for data access and usage, solving issues, iterating and versioning access and ensuring compliance with legislation,听regulations听and applicable guidelines.

Question 3

3. Why data ownership is important

Accepted Answer

Data is one of the most valuable assets in your organisation.听It鈥檚听also a liability with significant risks if not guarded, such as theft,听loss听or misuse. It must be protected and managed to:听

be fit for purpose听
be used lawfully and ethically听
provide maximum value to your organisation and the rest of government听

It鈥檚听critical that your organisation has people with the right data ownership roles. This will ensure that you:听

comply with听regulations, legislation,听policies听and standards听
define and implement data controls to manage risk and data security听
have data assets that serve their intended business purpose and realise their full potential value through enhanced cross-government data sharing听
have confidence in your data, and can make reliable decisions based on its integrity听
reduce data duplication and inefficiencies

Question 4

4. What we mean by data

Accepted Answer

The Government Functional Standard for Digital defines data as 鈥榠nformation that has been translated into a form that is efficient for movement or processing鈥�. When we talk about data ownership, we听generally mean听ownership of highly structured data sets (often听containing听personal data) of the kind which are vital to departments working together to deliver effective services. An information asset is a body of information, defined and managed as a single unit so it can be understood, shared,听protected听and exploited effectively.听听

There is no single, correct way to segment your data into logical groupings or data domains. Each organisation will have its own way of doing this, based on its business needs or areas of strategic interest.

Question 5

5. Principles of data ownership

Accepted Answer

Adopting this data ownership model will help you follow these principles.听

1. Data is recognised as a valuable resource听

Your organisation鈥檚 data has听great potential听value to the digital economy. Assess your data whenever possible to support decisions about:听

investing in it听
encouraging data sharing听
realising its wider commercial and societal value through protection and exploitation听

2. Data is managed throughout its life cycle听

You must handle data in line with policies,听standards听and legislation.听

This includes:听

3. Data is secure听

Protect your data from unauthorised access 鈥撯€痺hether malicious,听fraudulent听or accidental.听

4. Data is defined听

Clearly and consistently define your data for common interpretation.听

5. Data is FAIR听

Ensure your data is听FAIR听鈥� findable, accessible,听interoperable听and reusable.听

6. Data is standardised听

Apply common data standards wherever possible.听

7. Data is fit for its intended purpose听

Your data should be of the quality听required, depending on how you intend to use it.听

8. Data is authoritative听

Share your data from a qualified authoritative source wherever possible.

Question 6

6. Data ownership roles and responsibilities

Accepted Answer

An important听objective听of data ownership is shifting the view of data as an asset to data as a product. This is about government, and the wider public sector, defining and proactively measuring how and where data is听actually used听and adds value.听

Finding ways to define and measure value is an important part of the roles of data owners,听stewards听and custodians.听

Data owners and information asset owners (IAOs) are accountable for assets as they ultimately 鈥榦wn鈥� the asset, making decisions on major changes and being answerable for them. Data stewards and asset managers are responsible as they are experts on what is held within the asset and responsible for its听day-to-day听management.听

Data owners听

A data owner is a senior individual听with dedicated accountabilities听for听data, and in-depth insights of the overall business strategy in their data remit.听This may include the overall accountability听for the meaning, content, quality and management of a logical grouping of data, or distribution of a given set of data.

By听liasing听with a team of operational data stewards,听they are empowered to steer and ensure the data is fit for its intended purpose and used appropriately.听听

Data owners:听

act as the strategic points of contact for the data within their remit听
should have a position at the leadership level 鈥撯€痜or example,听a听senior听civil servant (SCS) particularly where the data sets are large or complex (for smaller or medium-sized data sets with less impact, a Grade 6 or Grade 7 level might be more听appropriate)听
need to be able to use their authority and knowledge of business strategies and processes underpinning the data to make decisions听
do not need a granular understanding of the data听

Using their knowledge of data applications, data owners:听

liaise with a team of operational data stewards to ensure data is fit for its intended purpose听
influence the strategic direction of data听
approve changes to data听
support data governance practices in their area听
allow organisations to make faster decisions around data to achieve business outcomes听

What data owners are accountable for听

Data owners have accountability for:听

understanding how their data is being used, who by and where, data lineage and flow of data, and whether it鈥檚 controlled properly听
working with business requirements to define centralised data definitions for their subject areas听
providing guidance to data stewards to ensure definitions are managed and adopted consistently听
strategic data decisions and approvals around business requirements and modifications to their data听
ensuring听appropriate identification,听protection听and exploitation of data assets for wider governmental,听societal听and economic value, in collaboration with the organisation鈥檚 knowledge asset senior responsible owner (SRO) where there is one听
ensuring that their data stewards听maintain听agreed data definitions in the data catalogue听
ensuring that the quality of the data they听are responsible for听is known, considering all critical data users听
the management,听monitoring听and reporting of activities to improve their data through their data stewards听
ensuring security measures,听in accordance with听the organisation鈥檚 policies, are in place to protect data that is in transit, data received, or data transferred to another organisation听
ensuring听an appropriate retention听schedule is in place outlining storage periods for all data (particularly personal data), which is reviewed regularly听
ensuring their data assets听comply with听legal requirements for archival, disposal and preservation听
limiting access to data (particularly personal data or data of significance to national security) to those authorised to do so听
ensuring that data sets听comply with听licensing agreements and that the data is used appropriately听

Skills that data owners need听

Data owners should:听

have a strong 鈥榙ata mindset鈥� 鈥� this means they should:听
- be data literate听
- understand the benefits of data governance, and be able to implement a data governance strategy听
- understand how data is governed,听managed听and exploited within their data domain, so they can maximise the value of their data assets听
- be experienced leaders with a proven ability to deliver results and drive change 鈥� this includes:听
- persuade colleagues to adopt a data governance framework,听standards听and workflows听
embed data governance at pace to help their organisation deliver on its timelines and commitments听
ensure there is operational and governance reporting听
ensure that key performance indicators (KPIs) are appropriately set and approved听
solve problems, removing听barriers听and ensuring issues are听identified听and remedied听
be strong communicators 鈥撯€痶hey should be able to communicate complex ideas to non-technical audiences听
have experience working effectively across the听different functions听in their organisation, such as business and operations听

Currently in some organisations the data owner may be a dedicated data role, whilst in others it may be just one of several responsibilities held by individuals with limited data听expertise. Given the strategic importance to government of听critical data assets, we recommend that those responsible for听critical data assets听develop their data capabilities in line with this model.

Data stewards听

Data stewards听are responsible for day-to-day operational activities in their data domain that support data owners鈥� decisions, and for implementing policies,听standards听and processes.

As subject matter experts (SMEs), data stewards should have a deep knowledge of their business area, including its rules and requirements. They need strong communication听and collaboration skills to help ensure that data flows smoothly in their organisation.

Having operational points of contact with data听expertise听will help your organisation to embed data-related policies and strategies, and set up sustainable data governance processes.

What data stewards are responsible for

Data stewards have responsibility for:听

handling data governance queries, and asking data owners for tactical guidance when needed听
facilitating data governance processes, including:听
- data access听
- data archival听
- data deletion听
facilitating data quality governance processes, such as:听
- monitoring听
- investigating听
- communicating听
- triaging听
- remediating听
- reporting听
reporting to the data owner and other forums on activities including:听
- compliance听
- issues听
- fixes听
- changes听
maintaining and implementing data standards and process documentation, for example a business glossary, in the data catalogue听
creating processes, procedures and standards for their data domain that is aligned to their organisation鈥檚 policies听
relationship management and understanding data flows to understand the impact of anything that may change听
contributing to the development, maintenance and implementation of agreed data standards and reporting measures听
working with data custodians to听facilitate听discussions around听听
discussing technical requirements with data custodians, including changes to data governance standards听
assisting听with periodic data maturity assessments听

Data custodians听

Data custodians听are responsible for听capturing,听storing听and disposing of data in line with the data owner鈥檚 requirements.听

They work closely with data stewards to:听

ensure data quality听
operationalise data decisions听
support data governance implementation within the tools they听are responsible for听

Data custodians should be technical SMEs for the system听containing听their assigned data.听

They should:听

have in-depth knowledge and听expertise听around the system听
be able to explain how to design and execute technical activities related to data governance听

What data custodians听are responsible for听

Data custodians have responsibility for:听

assisting听data stewards with technical and system-related queries听
identifying听and reporting data governance issues to the data steward and data owner听
producing impact assessments for implementing system changes led by the data steward听
implementing technical requirements according to data standards and rules within their systems and data types 鈥撯€痜or example, adding a character limit on a field听
guiding other technical teams to use standards and definitions听
implementing user access policies specified by the data owner, including the听appropriate physical听and technical safeguards to protect the confidentiality,听integrity听and availability of the data asset听
ensuring that data quality is sustained during technical processing听
resolving data quality issues in partnership with data stewards听
ensuring that changes to data content and controls can be audited听

Executive leadership roles听

The following roles are also likely to be involved when you adopt this data ownership model.听

Chief data officer听

A senior, executive-level role with responsibility for the organisation鈥檚 enterprise-wide:听

data and information strategy听
governance听
control听
policy development听
effective exploitation听

This role combines accountability and responsibility for information protection and privacy, information governance, data听quality听and data life cycle management, along with the exploitation of data assets to create business value.听

Chief data and information officer (CDIO)听

A senior executive role responsible for managing an organisation鈥檚 data and information strategy. The CDIO is accountable for digital transformation, data governance, technology听infrastructure听and information assurance. Though information and data governance are distinct responsibilities they are combined here into a single role.听

Data protection officer (DPO)听

A specified role defined in data protection law under the UK GDPR. DPOs work in an independent manner to:听

monitor their organisation鈥檚 internal compliance听
advise on their organisation鈥檚 data protection obligations听
advise on Data Protection Impact Assessments (DPIAs)听
act as a contact point for data subjects and the Information Commissioner听

Chief technology officer (CTO)听

A senior, executive-level role with responsibility for the organisation鈥檚 technological infrastructure. CTOs ensure that the technology aligns with the organisation鈥檚 goals.听

Chief digital officer听

A senior, executive-level role with responsibility for driving digital transformation within an organisation, using the potential of online technologies and data.听

Chief information security officer (CISO)听

A designated individual responsible for the security of information in electronic form. CISOs听advise听the board on how best to exploit technology to deliver the organisation鈥檚 strategic听objectives.听

CISOs also provide strong strategic leadership for the organisation鈥檚 IT community and its investment in technology.听

CISOs听are responsible for听their organisation鈥檚:听

IT strategy听
IT architecture听
IT policies and standards听
technology assurance听
IT professionalism听

Board-level executive or senior information risk owner (SIRO)听

Someone听with听particular responsibility听for information risk.听

Process owners and enterprise data owners听

In larger, more complex organisations, you might need a process owner role.听

You should also consider听establishing听an enterprise data owner (EDO) if:听

data is being shared across government departments or other public sector organisations听
you鈥檙e听using听additional听processing to transform the data听

EDOs听are responsible for听specific, logical groupings of data or data domains (such as entities and attributes). EDOs ensure a consistent and common approach across data assets within and beyond their organisation.听

How process owners and EDOs work together听

EDOs:听

define data attributes听
establish business rules around the validity of the data听
set thresholds for others to follow听

They might also define the conditions for how data is used.听

Process owners must work closely with the EDO to ensure the integrity of the original data is not compromised听in the process of:听

transformation听
enrichment听听
aggregation听

In this type of arrangement, EDOs need to ensure the necessary policies and standards are in place. However, they do not necessarily need to have accountability for the accuracy,听security听and protection of the data听that鈥檚听outside their direct sphere of influence.听

In addition to their day-to-day role, process owners听are responsible for:听

managing data risks, and assuring IAOs and EDOs that risks are mitigated听
enforcing data policies and standards to improve the data involved in their processes听
building awareness in their organisation so that managers,听staff听and contractors understand their areas of responsibility in relation to data protection, security,听quality听and capability听

Data protection roles听

The听UK GDPR听defines the role of a data controller as the natural or legal person, public authority,听agency听or other body which, alone or jointly with others,听determines听the purposes and means of the processing of personal data. Public sector organisations act as the data controller for UK GDPR purposes.听

A data controller is a person or organisation that:听

decides how personal data is processed under the UK GDPR听
is responsible for听complying with听the UK GDPR听

Public sector organisations often decide that the organisation as a legal entity is the data controller for UK GDPR purposes.听听

In the context of the UK GDPR, data owners are accountable for the quality,听integrity听and protection of their data domain.听

To cover the accountabilities of the data controller, data听owners听partner with their organisation鈥檚:听

data stewards听
data protection officer听
chief data officer听
chief technology officer听
chief digital officer听
senior information risk owner听
chief information security officer (where there is one)

Question 7

7. Merged data sets and data services

Accepted Answer

For any model where data is processed, you must clearly define and attribute accountabilities for data to individuals or institutions.听

Example use cases of merged data听

These use cases pose challenges to the traditional model of data ownership of a data asset:听

data merged or linked from听different sources听to become a new data set听
data being drawn from听different sources听into a data lake, from which analysis and insights are听drawn听and data repurposed for multiple needs听
data being held in a trust or a cooperative where an institution, or individuals, steward the use and potential repurposing of data in the interests of those it听represents听

In these cases, data is one of the following:听

transferred to an individual,听institution听or platform for usage听
consumed at source via an Application Programming Interface (API) or other method, such as secure file transfer听

In these scenarios, the source data owner must agree to the conditions for how the data is provided. This includes:听

transfer of ownership or听retained听ownership听
how access will be managed听
defining the decisions that data stewards and custodians can make on behalf of data providers

Example of handling data ownership for shared data sets across multiple organisations听

In these scenarios, it鈥檚 essential to听establish听a collaborative approach:听

designate a primary data owner in the originating organisation to听be responsible for听the overall data set(s)
designate local data owners 鈥撎齟ach organisation using the data should have their own local data owner who officially records the data and coordinates with the primary data owner for any issues or queries
have clear communication channels 鈥撎齮here should be regular communication and听coordination between the primary and local data owners
develop and adhere to shared data governance policies so that you maintain听consistency and quality

Data platforms and services听

Where a data platform or service is involved, your organisation will usually need a new role of product or service owner.听

This person will have specific accountability for:听

developing and听operating听the platform or service听
who accesses and uses the service听
how data is used within the terms and conditions provided by the source data owner听

Data licensing impact on data owners听

While data stewards handle the day-to-day management of licensing, data owners need to understand the importance of data licensing and its implications. Data owners听are responsible for听ensuring that data sets听comply with听licensing agreements and that the data is used appropriately.

This includes:听

overseeing the application of licenses 鈥撎齟nsuring that the correct licenses are applied to data sets
ensuring compliance with usage restrictions 鈥撎齧aking sure that all data usage听complies with听the terms of the licence
addressing licensing issues 鈥撎齢andling any issues related to licensing promptly and effectively
handling sharing requests 鈥撎齯nderstanding licensing terms to correctly address and manage data sharing requests

Example:听

If an organisation releases data under a specific licence, the data owner must ensure that the terms of the licence are respected and that users understand their rights and obligations when accessing or using the data.

Data from a third party听

When data is received from a third party (like a university or external research institution) or from an ALB, the receiving entity becomes the data owner for the copy of the asset they hold. This means that once the data is transferred to the organisation or its ALBs, they听are responsible for听managing and听maintaining听that copy.

This includes ensuring data quality, compliance and proper usage. However, the original sender听retains听ownership of their version of the data and continues to govern it unless explicitly听stated听otherwise.听

Does open data require a data owner?

Open data requires a data owner. Data ownership for open data is crucial because it ensures the data听remains听accurate, current and properly听maintained听even when made publicly accessible. A data owner听is responsible for听overseeing the data set(s), ensuring it meets quality standards, and resolving any issues that may arise. This accountability helps听maintain听the integrity and usability of open data.

Question 8

8. The relationship between data ownership and information asset ownership听

Accepted Answer

The data owner role and听the听IAO role are both important in managing data, including personal data, within government.听听

Information asset ownership is well听established听in government.听IAO guidance听aims to ensure information assets are managed effectively so it can be understood, shared,听protected听and exploited effectively. Responsibilities for the role are primarily focused on safeguarding and managing the overall information asset (including compliance and physical or digital security).听

Data ownership looks more broadly at the quality, clarity and value of the data, and owners act as a bridge between business needs and technical听expertise.

Data ownership in context听

Introducing new activities is an opportunity to review the wider approach to data and information management within your organisation.听听

It鈥檚听important to apply data ownership in the wider organisational context, which may include an existing information asset ownership approach. Some organisations may choose to integrate data ownership into听their听existing听information asset ownership approach. Others may choose to wrap information asset owner activities into their data ownership approach.听

What鈥檚听important is that you undertake all the relevant activities.

Taking an integrated approach to data ownership and information asset ownership听听

Given the close relationship between data and information, there could be significant value in taking an integrated approach to data and information ownership. Being joined up could help to ensure the overall landscape is coherent, avoid unnecessary pressures on resources and听double-tasking听of staff. There may be existing support mechanisms,听communities听and frameworks that data ownership could dock into 鈥撯€痜or example, an IAO handbook or training module.听听

Adopting a model听

Your organisation should think carefully about the following questions before deciding which model to adopt:听

will there be different teams overseeing data ownership and information asset ownership, and if听so听how will you achieve a joined-up approach?听听
who in the organisation holds ultimate accountability for data assets, and is this the same person as for information assets?听
are听your information asset听owners听senior enough and skilled enough to implement changes to data management?听听
how does your organisation use the terms 鈥榙ata鈥� and 鈥榠nformation鈥� and how might they be interpreted by staff? These terms may be used interchangeably or there may be scenarios where a distinction is important听听听听

Your organisation has 3 choices when it comes to deciding how to ensure there is听an appropriate ownership听model in place to meet its needs. However, you must ensure you meet the specific actions mandated of IAOs in the听IAO guidance.听

The options are:

continue with the information asset ownership model but ensure data ownership accountabilities and responsibilities are absorbed into your existing IAO roles
adopt the data ownership model, ensuring that you cover mandatory information asset ownership actions with听appropriate roles
adopt a hybrid model in which IAOs听are responsible for听core information assets 鈥撯€痵uch as databases or ICT systems that hold personal data 鈥撯€痓ut are supported by data owners responsible for specific data assets such as reference or master data

If you choose the first option听

You should consider the听additional听accountabilities and responsibilities of data owners, stewards and custodians and map these to听appropriate roles听such as information asset managers and local information asset managers.听

It鈥檚听essential that when you apply the model, it extends to all your data assets including those that do not relate to personal data. When incorporating data ownership activities into an existing information asset ownership model, your organisation should consider the following questions:听

does your organisation consider data assets to be subsets of information assets? How are these data sets linked to information assets? Do all data sets need to 鈥榖elong鈥� to an information asset?听
if your IAOs are also data owners, do they have the right skills and support to meet their data ownership responsibilities? Data owners do not necessarily need to have a granular understanding of the data they are accountable for, but they do need to be data literate, with a strong 鈥榙ata mindset鈥橽u003c/p>
can you avoid unnecessary granularity and duplication in the recording of data assets and information assets?听
can you improve consistency between your organisation鈥檚 information asset register, data catalogue and register of processing activities?

If you choose the second听option听

You should ensure that your data owners fulfil the mandatory actions听required of听IAOs. There鈥檚 training on Civil Service Learning to support the IAO role, which is recognised as a specialist role with the听GovS 007 Security Functional Standard.听听

Whichever听option听you choose听

Your organisation should ensure there is听appropriate governance听in place to support your chosen model.

The governance must define:听

where accountability lies for data and information assets in your organisation 鈥撯€痗larify if there are different governance processes for data and information听听
who your data owners and IAOs are accountable to 鈥撯€痜or example, a chief data officer or SIRO听
how your accounting officer will be assured that the right data ownership activities are being undertaken at the right level听
how data quality is factored into your organisation鈥檚 existing governance processes听

Can a data owner and an IAO be the same person?听

Yes, in some cases, the roles can overlap, especially in smaller teams or projects. However, combining these roles requires careful management to ensure neither responsibility is neglected.听

The difference between a data owner and a project manager听

A data owner focuses on the strategic management and quality of data, while a project manager oversees the planning, execution and delivery of specific projects. Their responsibilities intersect when data is a critical听component听of a project.听

The difference between a data owner and a portfolio manager听

A portfolio manager oversees a collection of projects or programmes to achieve strategic听objectives, while a data owner ensures the quality and governance of data used across these projects.听

The difference between a data owner and a programme manager听

A programme manager coordinates related projects to deliver broader organisational goals, while a data owner ensures the data used within these projects is reliable and well-governed.听

The difference between a data owner and a product owner听

A product owner is accountable for maximising the value of the product resulting from the work of the scrum team, while a data owner will听be responsible for听ensuring the data is听accurate,听secure听and complies with privacy regulations.听

Can a data owner have multiple roles, such as being a project manager or portfolio manager?听

A data owner can hold multiple roles, but this requires clear boundaries and prioritisation to avoid conflicts of interest or overstretch.听

The process of becoming a data owner听

To become a data owner, the typical process involves:

- identification 鈥撎齣ndividuals with relevant听expertise听and roles are听identified听by their managers or teams

- nomination 鈥� suitable candidates are nominated, and their responsibilities are clearly defined

- training 鈥撎齨ew data owners are provided with guides, manuals and workshops to ensure they understand their roles and responsibilities

- formal acknowledgment听鈥撎齞ata owners confirm they have read the training materials and understand their obligations

- support and review 鈥撎齩ngoing support is available from the relevant team in the organisation responsible for data (such as the office of the chief data officer), and periodic reviews are conducted to ensure compliance and data quality

Promoting and ensuring a culture of data ownership within the organisation听

Promoting and ensuring a culture of data ownership within an organisation involves contributions from everyone, with important initiatives actively led by the chief data officer:

- leadership support听鈥撎齟nsure that senior leaders endorse and promote data ownership initiatives

- awareness campaigns 鈥撎齝onduct campaigns to highlight the importance and benefits of data ownership

- training and workshops 鈥撎齪rovide continuous training and workshops to keep teams informed and engaged

- recognition and incentives听鈥撎齬ecognise and reward teams and individuals who听demonstrate听exemplary data ownership practices

- clear communication听鈥撎齧aintain听open channels of communication to address concerns and share best practices

- individual accountability听鈥撎齟ncourage everyone within the organisation to take personal responsibility for the data they handle, ensuring its accuracy and integrity

When to think about听allocating听data assets a data owner听

The best time to听allocate听data assets to a data owner is at the beginning of any data-related project or initiative. Establishing clear ownership from the outset ensures that data quality and management are prioritised throughout the project鈥檚 life cycle.

However, if you have not done so yet, do not worry 鈥撎齣t鈥檚听never too late to start. Assigning data ownership at any stage can still bring significant improvements to data management and lead to better-informed decisions as there is someone now accountable for ensuring that the data is the best it can be.听

Steps to transition data ownership when someone leaves the organisation听

When a data owner leaves, the following steps can help ensure a smooth transition:

- identify听a successor well in advance 鈥撎齞esignate听a new data owner as early as possible to听facilitate听a smooth handover

- ensure proper handover of responsibilities听鈥撎齮he departing data owner should comprehensively brief their successor on all responsibilities

- update relevant documentation and records听鈥撎齟nsure all records and documents reflect the change in data ownership

- inform the chief data officer of the听change so that you听maintain听updated records within their current scope (critical data assets, QFAIR assessments, etc)听

How often data ownership should be reviewed or updated听

Data ownership should be reviewed or updated periodically to ensure continued relevance and accountability. A recommended frequency would be on an annual (once a year) basis, or whenever there are significant changes in roles or responsibilities within the organisation.

Regular reviews help ensure that data ownership听remains听aligned with current organisational goals and that any transitions of responsibilities are handled smoothly.听

What support the data owner needs from their team听

Data owners听require听several types of support from their team and the wider organisation to effectively manage their responsibilities:

- collaboration and engagement听鈥撎齮eam members, such as data stewards, must actively听participate听in data management practices and ensure data quality

- resources and training 鈥撎齮he organisation (usually from the office of the chief data officer) should provide necessary tools and training to data owners so they can fulfil their roles effectively

- clear policies and guidelines听鈥撎齟stablish听and communicate standards and procedures to guide data ownership practices

- communication with the chief data officer鈥檚 team听鈥� ensure data owners have access to听additional听support and guidance from centralised resources as needed

Measuring the success of data ownership initiatives听

Success can be measured through several indicators, including but not limited to:

- improved data quality metrics听鈥撎齛 notable improvement in assessments such as the QFAIR assessment scores听indicates听better data quality

- enhanced compliance with data policies听鈥撎齣mprovements within听critical data asset听assessments, where the provided information becomes more comprehensive and includes both recommended and optional details, enhancing users鈥� understanding of available data

- increased stakeholder satisfaction听鈥撎齪ositive feedback and higher satisfaction scores from data stakeholders reflect successful engagement and effective data management

- reduction in data-related issues听鈥撎齛s highlighted in data maturity assessments, a reduction in data duplications and improved data storage efficiency听demonstrates听better data practices

- effective processing of data sharing requests 鈥� a successful data ownership initiative enables the organisation to confidently and efficiently handle data sharing requests, ensuring that data is shared in compliance with licensing agreements and promptly addressing any related queries or issues

Question 9

9. A checklist for your organisation

Accepted Answer

Your organisation must:听

have an enterprise-level data ownership model and supporting guidance in place that recognises that:听
- data ownership is the responsibility of the business and not the technology domain听
- the responsibilities of ownership are not exclusive to a single person and require close collaboration across organisational levels, including the delegation of responsibilities from the senior owners听
ensure that enterprise-level ownership policies include monitoring and reporting arrangements as part of their organisation鈥檚 broader risk management practices (for example,听identify听and counter any internal or external potential vulnerabilities and threats, which may be incorporated into the broader information asset risk management processes)听
ensure data assets are included in their organisation鈥檚 asset registers and considered in their organisation鈥檚 asset and knowledge asset management strategies听
consider where data assets may have value to wider government, society and the economy, and the protection and exploitation approaches听required听to realise it听
have named owners for all data assets determined to be critical at an enterprise level听
have a nominated accountable individual data owner for each data asset determined to be a听critical data asset听(as defined in published guidance)听
ensure every听critical data听asset has听accurate听metadata, which must include the name and roles of responsible data owners and data steward(s)听
include information about critical data assets (cross-government and enterprise-level) and any critical data elements they include within a central register or catalogue managed by the enterprise, linking the name of the owner with the asset听
ensure that each听critical听data听asset (cross-government and enterprise-level) has an owner who understands what they are accountable for听鈥撎齩wners must ensure that stewards and process owners understand their responsibilities
ensure that where data is shared between public sector organisations and with other sectors it includes agreed roles,听accountabilities听and responsibilities in line with this model听
ensure the interoperability (the ability to share and use between different computer systems and software) of all its data, with its critical data prioritised, through common standards and practical steps such as data owners recognising the importance of听maintaining听good quality听reference data
- where common data is used across business processes, services, products and systems, organisations should consider听establishing听an enterprise data model with data ownership agreed at a conceptual data model layer

Question 10

10. Appendices

Accepted Answer

Appendix A: Comparing accountabilities and responsibilities of data owners and IAOs

Area	Data owner	IAO
Overall accountability	Accountable for the value, quality, life cycle and strategic use of a data asset	Accountable for protecting, managing, and governing an information asset
Understanding of data	Understand how data is used, who uses it,听lineage听and flow of data	Maintain understanding of information asset: what is held, added, removed, how it moves, who accesses it and why
Cultural leadership	Promotes culture of data ownership, value realisation and cross-government sharing	Fosters a culture of information protection, lawful processing, compliance
Data or information asset governance	Approves strategic changes to data; influences governance practices	Ensures information asset is governed according to security policy, risk frameworks, data protection legislation
Ownership scope	Logical grouping of data or data domain (data as product)	Entire information asset (including data, documents, records, ICT systems, paper assets)
Business strategy alignment	Aligns data use with business strategy; influences strategic direction of data	Ensures information asset supports business needs, ensures legal and security alignment
Merged or shared data sets	Defines ownership and sharing rules for merged or shared data sets; manages value realisation	Approves shared use of information asset; ensures ongoing compliance with data-sharing policies
Responsibility for third-party data	Accountable when data is received from third parties; becomes owner of the copy held	Accountable for information asset when third-party data forms part of it; ensures听appropriate controls听are in place
Responsibility for third-party data	Accountable when data is received from third parties; becomes owner of the copy held	Accountable for information asset when third-party data forms part of it; ensures听appropriate controls听are in place
Data product听life cycle	Accountable for continuous improvement and iterative evolution of data as a product	Focus is on听maintaining听integrity and protection of information asset across its听life cycle听(does not treat information asset as a 鈥榩roduct鈥�)
Data sharing	Approves conditions for data sharing; ensures licensing terms are respected	Approves sharing of information asset data; ensures data sharing is lawful, proportionate, necessary
Data standards	Ensures data is defined, FAIR (findable, accessible, interoperable, reusable), standardised	Ensures information asset听complies with听policy and process standards
Engagement with enterprise data models or reference data	Leads alignment with enterprise data models, ensures authoritative sources	Not typically responsible for driving enterprise data model alignment (information asset manager or technical roles may support)
Security and protection	Ensures data security (in transit, at rest, when shared); ensures security measures are implemented	Maintains and monitors information asset security: access control, physical and logical protections, incident response
Data definition	Defines centralised data definitions; provides guidance to stewards to manage definitions	Not explicitly accountable for data definition
Data quality	Accountable for quality of data across听life cycle; monitoring and improving quality	Not explicitly accountable for data quality
Training and awareness	Embeds data governance awareness, promotes data culture	Must complete IAO training; responsible for fostering culture of protection and compliance in business area
Working with stewards / information asset manager	Provides听strategic guidance to data stewards who manage day-to-day data activities	Appoints information asset manager to manage day-to-day information asset management and听monitoring (including training听and culture)
Collaboration with custodians	Works with data custodians for technical implementation of governance	Information asset manager works with information technology systems and information asset governance for technical controls on information asset systems
Engagement with SIRO / chief data officer / DPO	Collaborates with SIRO, chief data officer, DPO for UK GDPR and strategic data governance	Accountable to SIRO; works with DPO, chief data officer, information asset managers, information asset governance for compliance and reporting
Innovation and value realisation	Actively drives opportunities for data innovation, re-use, cross-sector value	Typically focused on safeguarding, not exploitation of value
Licensing	Accountable for ensuring the use of the data asset听complies with听licensing agreements	Accountable for ensuring any data shared from information asset听complies with听legal or licensing terms
Incident management	Works with stewards on incident prevention and response; ensures data breach processes exist	Accountable for data incident investigation and reporting; ensures staff awareness of incident policies
Risk management	Understands and manages data-related risks; ensures risk management is part of governance	Undertakes risk impact assessments on information asset; manages and reports risks to SIRO, ensures mitigations are in place
Access control	Limits access to data (especially personal or sensitive data); monitors data access practices	maintains log of information asset access; ensures authorised access only; monitors handling activities
Retention and archival	Ensures听appropriate retention听schedule;听complies with听legal requirements on archival or disposal	Sets information asset retention or review period; ensures disposal mechanisms are approved and lawful
Audit and monitoring	Ensures monitoring and reporting of data management activities	Ensures compliance monitoring is conducted on information asset;听participates听in regular assurance processes (information asset governance, SIRO)

Appendix B: RACI matrix for data owners and IAOs

Legend:听

R听= Responsible (does the work)听听
A听= Accountable (owns the outcome)听听听
C听= Consulted (provides input)听听听
I听= Informed (kept up to date)

Responsibility area	Data owner	IAO
Define data ownership model and data domains	A	I
Define information asset structure and register	I	A
Understand data flow, lineage, usage	A	C
Understand information asset flow, movement, and access	I	A
Ensure data compliance with the UK GDPR, the Data Protection Act 2018 and licensing	A	A
Ensure information asset compliance with the UK GDPR, the Data protection Act 2018 and licensing	C	A
Approve strategic changes to data	A	I
Approve information asset -related changes (systems, processes)	I	A
Define and听maintain听data definitions and standards	A	C
Maintain information asset register	I	A
Implement data security measures (logical)	A	C
Implement information asset security measures (physical and logical)	C	A
Approve data sharing agreements	A	C
Approve information asset data sharing agreements	C	A
Data risk identification and mitigation	A	C
Information asset risk identification and mitigation	C	A
Monitor and report data quality	A	I
Monitor and report information asset compliance	I	A
Define and听monitor听data retention and disposal	A	C
Define and听monitor听information asset retention and disposal	C	A
Lead data governance forums	A	I
Participate in information asset governance forums	C	A
Drive value realisation from data	A	I
Safeguard integrity of information asset	I	A
Respond to data incidents	R/A	R/A
Respond to information asset -related incidents	I	R/A
Ensure training and awareness for data management	A	C
Ensure training and awareness for information asset management	C	A
Engage with SIRO, chief data officer, DPO	A	A
Promote a culture of data ownership	A	C
Promote a culture of information protection	C	A

Summary of patterns

Data owners are typically听A for:听

data definitions听
data quality听
strategic direction听
data sharing听
value realisation听
data governance听
data risk听

IAOs are typically听A for:听

compliance and legal obligations听
physical and logical information asset security听
information asset retention and disposal听
information asset sharing approval听
risk and incident management (information asset-level)听
oversight of information asset register