To facilitate collaboration, it is necessary to clarify each organisation’s rights, responsibilities, tasks, expectations, and decision-making powers in relation to collaborative information management. For example, while one organisation may host a collaborative information management system – hence becoming the managing authority and data controller, responsible for things such as system maintenance, data security – in a collaborative setting, some of these responsibilities may be shared across organisations.
Guiding Questions
What does it mean to take responsibility for data in collaborative situations?
Who is responsible for notifying all parties concerned in case of a data breach?
Are any data sharing agreements and joint data controller arrangements revisited on an on-going basis to determine how they should be updated to reflect any changes in relationships?
Examples
Ferrãos and Sallent (2015:237) describe how the use of private Access Point Names (APN) is common between Mobile Network Operators (MNO) and the dedicated or private infrastructure pf PPDR service providers hosting PPDR communications services. The connection between the commercial MNO and the PPDR operator is based on dedicated resources, such as leased lines. This prevents risks related to security threats or traffic congestions. End-to-end security services like encryption remain within the responsibility of the PPDR organisation.
In their report of how a Hastily Formed Network (HFN) was designed to support the response to the European Refugee crisis led by humanitarian agencies, Maitland and Bahrania (2017:12) explain how “the network design for this implementation required collection of significant amounts of traffic data for telemetry or network management.” This posed challenges of data protection. To comply with the EU Data Protection Directive, “the providers of cloud-based network management act in the role of “data processors,” with NetHope [the NGO] as the ‘data controller’. To ensure privacy of individual users, the network analytics and management were designed for automatic analyses. … the network design [also] did not require user registration or other mechanisms to tie a device identifier back to an identifiable person. As described by the NetHope network manager, this configuration ensured that even if Greek authorities pursued proper channels to access network traffic analyses, only general patterns of networks usage, and not an individual’s network traffic or communications, would be accessible.”