Managing E-Privacy

It makes no difference whether you are designing the next generation of jet transport or trying to figure out how to monetize what you observe about consumer behavior: data combined with advanced mathematics creates the pathway to the future. Collectively we generate about five exabytes of data every two days, which equals the data generated by mankind during the first 8,000 years of recorded history. Much of that data directly or indirectly links to individuals.

The data that links to individuals is subject to privacy governance. The key concepts of privacy governance were developed in the 1960s and 1970s, and were based on individual control by an informed consumer. In 1967 limited data was collected and used for fairly simple purposes. Today we live in a world where each cursor pause over a pixel is a data collection that will be interpreted by an algorithm. In 2011 concepts of notification and consumer action as a stand-alone system are an unworkable governance solution.

In recent months the United States Department of Commerce, the Federal Trade Commission, and the Commission of the European Union have all published papers on stressed privacy governance structures, and requested public guidance.

The following is a thumbnail sketch of the direction the Centre for Information Policy Leadership provided back to all three discussion papers: To maintain the individual control paradigm one would have to adopt a governance system based on strict collection minimization (only collect what the consumer perceives as necessary) and/or strict limitations on uses to those the consumer truly understands. In simple terms: don't collect the fact the consumer paused over a pixel, and don't use that knowledge to predict future behavior. Such an approach pops the information-led innovation revolution. No more Google or Facebook. No more sites on social networks for respected brands. No more brilliant young men and women reinventing the market in a continuous manner.

There is an alternative governance model. The alternative is based on organizations being responsible data stewards using a foundation of accountability.

Accountability is not new; it is the eighth OECD Privacy Principle. However, as a principle it lay dormant for nearly thirty years. For the past three years the Centre for Information Policy Leadership has been working with privacy protection agencies, companies and academics from Europe, North America and Asia Pacific to discover and describe what accountability means in practical terms for the privacy debate.

From a structural perspective, accountability reflects quality management approaches to assets and risks. The assets are the data you touch and process, while the risks are the matters that could cause harm to you or the individuals the data touches. The big change in an accountability model is, rather than just complying with laws, regulations and rules, you must anticipate the risk to others related to your collection and processing of data. The key factor in accountability is shifting that risk analysis from the individual to the organization.

The shift to accountability has already begun in regulated financial services companies.

Banks are building programs to assess the risks that data use creates for customers, and explaining those programs to their regulators. For those the paradigm shift should be smooth if the public policy process is managed effectively.

The Article 29 Working Party of the European Union has already issued an opinion on accountability that says the EU Data Protection Directive should be changed to require that every organization have a program to put privacy principles into effect. It will no longer be sufficient to mechanically adhere to principles, but rather the organization must understand its data processes and the unintended consequences that might come from that processing. WP 29 goes on to say programs should reflect the size and complexity of an organization, and the organization should stand ready to demonstrate the privacy programs to privacy enforcement agencies and others.

Accountability was mentioned in all three recent government policy papers. The Centre's responses begin the process of educating policy makers about accountability and how it would work in effect.

All three papers also discuss Privacy by Design (PbD), a concept first described by the Ontario Privacy Commissioner Ann Cavoukian. The Centre supports PbD as part of a quality accountability program. PbD is a mechanism to discover the risks the organization is creating for individuals when using information in a new and innovative manner, and mitigate those risks in the design stage of building new products and services.

There is a great deal of work that needs to be done so that all stakeholders feel comfortable in moving from governance centered on individual control to a regulatory framework based on stewardship.

That work, however, must be done quickly. The Centre is beginning to see accountability language appear in draft legislation in the United States based on the Galway essential elements, and revamping the EU data protection directive is already under way.

While change in governance paradigms may have risks, the status quo is riskier. Innovation will be driven by robust data collection and application through advanced analytics.
