A handful of recent developments have cast a strong light on the sustained tension between privacy and data services.
Last year's revelations about the surveillance activities of the US National Security Agency made many worry about who could be looking at data they thought was secure. In February, BSA The Software Alliance published a report warning that measures taken in the name of privacy could impose barriers to the growing cross-border trade in digital services, notably cloud computing. Then in March the European Parliament agreed on a draft for a new EU Data Protection Regulation, a measure regarded by some as over-prescriptive and which could yet meet opposition in the Council of Ministers.
These all reflect the trade-off between the security of personal data and the potential to use it in consumer and business services. The NSA revelations have given privacy activists the upper hand and some countries are taking steps to curtail the flow of personal data outside their borders.
The desire for privacy is understandable, but it is unrealistic to think that people will retain 100% control over their data unless they don't share it at all with others. Also, advances in technology such as quantum cryptography will make it easier to break cryptographic systems and get at sensitive data. It is impossible to see how technology will continue to evolve, and data that is pretty safe now may not be so in five years' time.
For now, the UK has the balance about right. The Data Protection Act has served pretty well over the past 26 years, largely because it is based on principle rather than being over-prescriptive. The country also benefits from an open market with the rest of the EU and a good relationship with the US.
But there are fears that it could become more difficult if the EU regulation becomes law in its existing form, making it harder for organisations to get operational efficiencies from the cloud, for businesses to develop new data services, and for the UK economy to grasp the benefits of high quality business intelligence. The only way to respond is with a flexible approach that maintains the balance between privacy and data services as circumstances change.
CIOs can play their part by helping to build the right type of environment for that flexibility, and a big part of this is going to be in winning and preserving the trust of the public. As people become more aware of how personal data can be misused, they are more likely to share it with organisations that are honest about the risks but take the appropriate steps to minimise them.
Organisations should ask why someone would want to share their data. This can create a framework in which the emphasis is on the organisation to really demonstrate to individuals the benefits of sharing their data, providing a real opportunity for engagement, which in turn makes it easier to win their trust. A transparent organisation would also be ready to stand back when it can't find a viable answer and drop a plan that might promise money in the bank but wouldn't do anything for the people who provided the data.
BCS addressed the issue last year in its Privacy v Intelligence white paper, which highlights a number of steps that can help to manage, if not completely resolve, the tension between the two. These include simplifying the choices through which people give their consent for the use of their data, making it easier to revoke this consent, updating it more regularly, paying close attention to the context in which data is collected and used, and providing for regular privacy impact assessments.
CIOs should be taking the lead on all of these measures, ensuring that the resources are available, that procedures are in place, and that they are designed to match the way their organisation works and uses the data. They also need to make sure that everyone in the organisation appreciates the importance of the procedures and follows good practice in handling personal data.
There is also guidance in the BCS Personal Data Guardianship Code, which helps organisations to ensure that everyone knows their responsibilities. It outlines eight principles, including that people know who is holding their data, that others only have access to it with their consent, that there are audit trails within organisations, and that those collecting data are aware of their duty of care.
This will not provide conclusive solutions – technology and circumstances will change, and what works over the next year or two may be insufficient in five years – but the guidelines will help CIOs to build the right mindset within their organisations to manage the tensions in the long term.