Search This Blog

Saturday, 16 June 2012

Rethinking Personal Data

On Thursday I joined a World Economic Forum 'tiger team' focused on rethinking personal data, a process that aims to build on reports revealing personal data as a new asset class, and meeting the challenges this evolution brings. My thanks to Liz Brandt at Ctrl Shift for inviting me along. Apparently, as one non-legal delegate put it, "there are not enough lawyers at these sorts of events."

In essence, we are moving from a world where data about each of us is compiled into large national databases by corporations and governments (since they are the only ones with the vast resources required to do it); to a world where personal data is highly distributed and grows with every interaction with or about each of us, so that no one can keep up with it, let alone store it in a single place. 

It's therefore important to understand that a "personal data store" is not envisaged as your own personal database of all personal information about you. "Store" is not used here in the sense of 'storage' but in the retail sense of controlling what is offered or sold (which is also not exactly appropriate but does the job for now). So a 'personal data store' is really just a set of rules that determine whether and how data about you can be used - wherever that data sits. It's another type of 'personal information management service'.

The WEF process involves first 'unpacking' the big notions of 'identity', 'privacy' and the imagined benefits to be gained from sharing personal data. These concepts are too static, theoretical - and too emotive - to use as the basis for establishing detailed rules for the responsible use of personal data. The significance and value of personal data can't be captured in a single dollar amount or 'yes'/'no' answer to whether it can be used. Instead, the value and utility of personal data is a hugely complex dynamic that varies by: 
  • the context or the activity we are engaged in, 
  • which persona we are using at that moment, 
  • the actual data being used or provided, 
  • the permissions given, 
  • the rights that flow from those permissions, and 
  • the various parties involved.
So in order to ensure that our transactions and other day-to-day activities are as frictionless and seamless as possible, we need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. And those rules must be readable at various levels by humans, lawyers (legislature, courts, regulators, governance panels) and machines (computers, microchips).  

A previous tiger team session identified business, legal and technology as the three primary stakeholders or perspectives in agreeing such a set of rules. The business rules must first be established clearly at the outset, then vetted from a legal and governance standpoint, then coded in such a way that everyone can be confident machines will handle the data in accordance with the rules.

The current ambition is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.

The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that doesn't represent a deal-breaker for anyone in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.

An earlier tiger team had proposed a useful set of rights and duties from the standpoint of the data subject. So we focused on the rights and duties of the service provider operating the personal data store on that data subject's behalf. We also made a start on the rights and duties for the governance role. The full write-up is due in the next few weeks, but some of the key issues we covered were: 
  • the need for transparency as to whether the provider of a personal data store is acting as a full agent in the fiduciary sense or as a lesser form of agent or broker; 
  • the need to ensure co-operation in the timeliness, accuracy, integrity and authenticity of the personal data accessible via the service; and
  • security protocols for data access and sharing. 
From a governance standpoint, it seemed critical to have both the public and private sector represented on the governance panel - just as they were both represented in the tiger team process itself - to ensure not only that the public laws are obeyed at a minimum, but that official guidance can support the additional contractual standards that are agreed to 'fill in the gaps'.

The most immediate next steps would be to flesh out the governance aspects and to address the rights and duties of businesses relying on the data. Having allocated all the necessary rights and duties amongst each of the participants should make the final step of determining the liability and accountability for each of the participants a far less combative process than I've seen in other forums ;-)

Overall, I'm very optimistic that a cohesive global framework for the responsible use of personal data is achievable. Specifically, it was very encouraging to witness how much easier it is to address the overall personal data challenge when you commit to 'unpacking' the big notions of identity, privacy and public benefit, as described above. It was also a huge relief to hear that it is considered feasible by those who've introduced data standards previously to implement a personal data mark-up language to link the flow of personal data to a set of permissions and rules. I'm also hoping this can help achieve dynamic, momentary user identification that minimises the need for large, vulnerable repositories of personal identity material.

Of course, political and commercial acceptance and 'take-up' are where all this rubber hits the road. But the fact the discussions are taking place globally via the WEF is clearly very helpful.