Data in health: who really owns it?

Johan Ordish

16 March 2018

Data may be the new oil when it comes to value, and it is certainly a hot topic in relation to health, as well as elsewhere. One of the hottest questions right now is - who owns data? Surprisingly, the answer in England and Wales is no-one; that is, a person cannot legally own data. Still, the assumption that you can own data persists. This blog sets out why the language of data ‘ownership’ is destructive and details what you can own and what you can control, even though you can’t own data itself.

Why data ownership matters

In law, ownership is said to be composite, meaning that it implies a bundle of rights: the right to possess, use, manage, derive an income from, and so on. If data subjects think they own data, they may seek to rely upon rights they do not possess.

A more useful approach would be to consider what kinds of control we should have over which data. As access to health data becomes increasingly central to drive advances in medical research and practice, a more nuanced debate is essential

As things currently stand, many of the controls we have over ‘our’ data arise only in certain circumstances, or are subject to heavy exceptions. An individual possesses discrete controls over their data, but not ownership or control over data as such. To assume data ownership compresses debate over data control to a binary question: to own or not to own. But a more useful approach would be to consider what kinds of control we should have over which data. As access to health data becomes increasingly central to drive advances in medical research and practice, a more nuanced debate is essential if the Government proposed model consent and opt-out is to be implemented effectively by March 2018.

The following analysis sets out the current legal position in England and Wales in regards to control over data (leaving out contractual controls).

EU Database Directive

While data cannot be owned, a database can be. Specifically, Directive 96/9 - the Database Directive - creates a sui generis database right, which the Copyright and Rights in Databases Regulations 1997 (CPRD) implements into UK law. Sui generis here refers to the idea that this database right is a unique right unto itself: it does not rely on other forms of protection offered to databases, for instance, copyright protection. The right protects the investment that goes into the gathering, verification, and presentation of data. In short, following British Horseracing v William Hill, the right protects the structure of data, not the individual datum itself.

The test found in Art 7(1) requires that the maker of the database must show qualitatively or quantitatively a substantial investment in the obtaining, verification or presentation of the contents. If the maker can show that a database right subsists in their database, they receive protection from extraction for the next 15 years.

Databases and copyright

Databases may also be protected under section 3A of the Copyright, Designs and Patents Act 1988. According to the CPRD, the sole test for such protection is that the database must be original and ‘constitute the author’s own intellectual creation’. Since the Database Directive, this right has been narrowed. Indeed, one can only copyright the selection or arrangement of the contents of the database, not the content itself. This shrinks the copyright protection to be in line with the sui generis Database Directive protection, although databases may be copyrighted according to the particular format they take, for example as a literary work.

The General Data Protection Regulation

The GDPR offers rights to a particular class of data, that is, personal data. Article 4(1) defines ‘personal data’ as ‘information relating to an identified or identifiable natural person who can be identified directly or indirectly by reference to an identifier or factor.’ The GDPR has as its base a number of principles that dictate how personal data ought to be treated. Moreover, the GDPR also dictates that lawful processing of data requires a valid legal basis. In addition, the GDPR stipulates a number of rights that attach to personal data and their data subjects. None of these principles, legal bases, or rights grant a property right in personal data. The closest the GDPR comes to ownership is the right to data portability - Article 12 and 20 detail that individuals have the right to obtain and reuse their personal data across different services. Despite this, the idea of property in data does not sit easily with the GDPR - it grants specific controls, yet not a property right in data.

Is there such thing as ‘data theft’?

Theft requires that a person dishonestly appropriates property belonging to another with the intention to permanently deprive the other. The word to note here is ‘property.’ Section 4(1) of the Theft Act 1968 defines property to include intangible property. Data is one form of intangible property. However, in this context, information (by analogy to data) is yet to be recognised as a form of intangible property that one can misappropriate. Oxford v Moss recognises that confidential information is not the subject of theft. Moreover, Fairstar v Adkins recognises that there is no proprietary right over emails as information. Accordingly, legally, there is no such thing as a data thief.

Confidential information

Additional protections might be available for some specific types of information. For example, the law recognises that data (more accurately information) in some specific contexts merits protection, here are three contexts where this protection might arise:


Following the case of Faccenda Chicken [1984] I.C.R. 589, an employee must not disclose confidential information to a third party during the term of their employment. If the data is confidential, and disclosed in the course of one’s employment, the law allows one to restrict its dissemination.

Confidential information

If recipients of data ‘know or ought to know it is to be regarded as confidential, then a duty (of confidence) is imposed. If this data is disseminated contrary to this duty, then the person may find remedy through a claim of breach of confidence.

Trade secrets

Data will have protection as a trade secret if the information is a) used in trade and business, b) if disclosed to a competitor would be liable to cause significant damage, and c) the owner has sought to limit its dissemination. Given these limitations, only a small subset of data can be protected as a trade secret.

Informing the debate over data

In summary, then, it is possible to own databases, and control the use of the data in that database by other means, but no-one actually owns the data!In both public debate and policy making, the commonly used language of ownership (‘your data’) where none exists is clearly well intentioned, but in fact does not empower data subjects, but rather only confuses. To structure the debate solely in terms of data ownership is not only legally inaccurate, but also more importantly fails to ask the real question: what controls should individuals have over ‘their’ data?

This blog is intended to provide general information and understanding of the law. This blog should not be considered legal advice, nor used as a substitute for seeking qualified legal advice.