The Liberty Alliance Project has started developing technical specifications for how companies can protect sensitive personal data within their IT systems and securely share that data with other organisations.

Liberty, a consortium that develops identity management standards, completed a market requirements phase where it asked businesses questions including how they use customer data when a person consents to give up the data, such as a credit card number.

Those market requirements will be used to develop technical specifications for the Identity Governance Framework (IGF), a set of standard protocols that can be widely used in applications that handle identity information, said Amit Jasuja, vice president of product development for identity management at Oracle, one of Liberty's members. Technical specifications should be finalised next year.

As those specifications are developed, vendors such as HP and Oracle will begin building applications based on the market requirements and preliminary IGF information, Jasuja said. After six to nine months, a Liberty technical group will work with those vendors to refine that development and close the gaps.

Eventually, IGF will also be compatible with other identity management specifications such as OpenID and WS, and systems such as Project Bandit, Project Higgins and Microsoft's CardSpace.

Liberty is also encouraging identity application development projects through openliberty.org, its open source development site that uses an Apache licensing model, said Brett McDowell, executive director of Liberty.

IGF will eventually be able to incorporate policies and regulations, such as the European Data Protection Initiative and Sarbanes-Oxley in the US, into applications that handle identity information.

"Users have been waiting to know there are some real teeth behind the policies that they agreed to with their data," McDowell said.

Identity management has become a hot issue among enterprises in light of data breaches and the increased sharing of sensitive information.

Last week, in one of the latest examples, memory manufacturer Kingston Technology admitted that sensitive data of up to 27,000 online customers may have been exposed in a 2005 security breach. But the data held by point of sale credit card terminals is also under the spotlight.