Mixed-Rights Data Products: Practical Data Accessibility with Controls
October 4, 2023
Art Morales, Ph.D.
In the ever-evolving landscape of data science and artificial intelligence, we often must balance technology advancements with legal/regulatory concerns. Traditional data products generally assume that rights to the data are homogenous and generally concern themselves with just protecting PHI/PII data. This is often handled in two ways, one is to just prevent anyone that can’t see PHI/PII data from accessing the whole product or, preferably, implement controls and obfuscation for specific fields such as Social Security numbers/etc. This column-based control solves many problems and keeps most regulators happy. Lawyers on the other hand, must concern themselves with the right to use the data that make up the data products. Many of these products are assembled from multiple sources and the rights associated with those sources often vary, raising potential regulatory and legal concerns that require risks assessments to understand the potential exposure to the company.
One approach to minimize legal and regulatory risk is to adapt the approach of “most-common rights”, where the data product is designed to only provide data that shares similar access rights, leaving other fields/records out of the product. This approach often leaves knowledge and potential insights out of reach unless multiple, related data products are built, each addressing data inclusion decisions based on the expected audience.
As data products grow and become more complex, maintaining multiple related products can get not only expensive but also overly complicated and impractical to manage.
One potential approach to this ever-growing problem is the notion of "Mixed-Rights Data Products."
At its core, a mixed-rights data product is a dynamic solution that addresses the complex tapestry of data rights and permissions. Unlike traditional data products with uniform access, mixed-rights data products acknowledge the multifaceted nature of data permissions. The data that constitutes such products is sourced from diverse origins, each laden with its own set of rights and permissions. What sets mixed-rights data products apart is their innate ability to seamlessly manage, allocate, and enforce these rights based on the role and needs of the data consumer.
Navigating the Logistics
Picture a scenario where data originates from multiple sources , each with specific data rights attached. This data amalgamation results in a rich mosaic of insights that can potentially empower various stakeholders. Mixed-rights data products are designed to shoulder the intricacies of this process, orchestrating the dance around user roles and the peculiarities of each dataset.
In a Mixed-Rights Data Product, data rights can be managed at varying granularities. This can be as simple as row and column levels access but can also dig into individual fields within a record. This calls for the integration of smart contracts—a blockchain-inspired technology—into the very fabric of data products. These digital contracts serve as the guardians of data access, ensuring that only authorized parties can interact with specific portions of the data, and should provide an audit log that data owners and producers can verify.
Data Accessibility: Bridging the Gap
Mixed-rights data products bridge the divide between data availability and data control. By catering to diverse data rights, these products empower organizations to make more informed decisions. Data consumers can tap into a wealth of information that was previously fragmented due to access constraints. This democratization of data fuels collaboration and innovation, propelling businesses toward more insightful strategies.
Granular Insights: Navigating the Maze
The beauty of mixed-rights data products lies in their ability to unleash granular insights while upholding data privacy. Suppose a healthcare organization is analyzing patient records. With mixed-rights, researchers can access anonymized patient data without compromising sensitive information. At the same time, administrators can retain control over more sensitive fields, ensuring compliance with data protection regulations like HIPAA.
Regulatory Compliance: Shaping the Future
In the era of GDPR, CCPA, and evolving data protection regulations, mixed-rights data products emerge as a beacon of compliance. These products align with the principles of data minimization and purpose limitation. The role-based access approach conforms to the "need-to-know" principle, reducing the risk of data mishandling and unauthorized access.
Commercial Opportunities: Unlocking Value
Enterprises thrive on data monetization. Mixed-rights data products unlock a new dimension of commercial opportunities. By aggregating data with different rights (For example, data coming from multiple business partners), businesses can offer tailored datasets to partners, customers, and third parties. This not only generates new revenue streams but also fosters strategic partnerships, thereby enriching the data ecosystem.
A Glimpse into the Future
The concept of mixed-rights data products is a glimpse into the future of data science and AI. The integration of smart contracts into data management becomes more seamless. This opens the door to even more sophisticated data sharing models, where data rights can be dynamically adjusted based on real-time events and conditions.
Mixed-rights data products are a symphony of innovation and pragmatism. They showcase the marriage of data accessibility with data control, all while adhering to regulatory standards. As we embark on this data-driven journey, we must remember that data is not just a resource; it's a responsibility. Mixed-rights data products lay the foundation for responsible data stewardship, where insights can be gleaned without compromising on privacy and compliance.
Are you interested in exploring Mixed-Rights Data Products for your organization? At XponentL, we’re leading the way to build them, manage them and consume them through our industry expertise and technology accelerators. Get in touch and we’ll be happy to discuss potential approaches to navigating technology, legal and regulatory aspects of data products.