Evolution of data privacy handling
The traditional data-protection approach was based on 1970s computing architectures in which governments and large organizations (private and public) operated in discrete silos. Under that approach, the individual consents to data use at the time of collection. The organization that collected the data then uses it for a specified purpose, based on that consent, and deletes the data when it is no longer needed for that purpose. That approach was appropriate when data collection was often tied to a specific service, a single organization or a single use, and when computer data systems were not highly interconnected. Now, however, with the advent of big data techniques and skills, the walls of enterprise computing have opened up, and data flows across the traditional silos.
Reasons why old regulatory approaches no longer work
- They fail to account for the possibility that new and beneficial uses for the data will be discovered, long after the time of collection.
- They do not account for networked data architectures that lower the cost of data collection, transfer and processing to nearly zero, and enable multi-user access to a single piece of data.
- The torrent of data being generated from and about data subjects imposes an undue cognitive burden on individual data subjects. Overwhelming them with notices is ultimately disempowering and ineffective in terms of protection: it would take the average person about 250 working hours every year, or about 30 full working days, to actually read the privacy policies of the websites they visit in a year.
Requirements for a New Approach
So, it is clear that the policies of old will not work going forward. What are the requirements for a new approach, given that neither a "wild wild west" nor a "one-size-fits-all" approach will work? Here are some of the suggested requirements for a new approach:
- shifts from controlling data collection to focusing on data usage. Permissions, controls and trustworthy data practices need to be established that enable the value-creating applications of data but prevent the intrusive and damaging ones.
- implements a shift from focusing on protecting individuals from all possible risks to identifying risks and facilitating responsible uses within those boundaries. It also requires acknowledging that not all data and situations are the same.
- distinguishes between using data for discovery to generate insight and the subsequent application of those insights to impact an individual. Often in the process of discovery, when combining data and looking for patterns and insights, possible applications are not always clear.
- allows data to be used for discovery more freely, while ensuring appropriate controls over the applications of that discovery to protect the individual, as one way of striking the balance between social and economic value creation and protection.
- makes obsolete the blind, "brute force" approach of deleting data after a regulation period or specific use.
Please note that very few countries or legislative bodies are either taking up this agenda item or planning to do so in the short term. Hence, please exercise your best judgement before undertaking data cross-pollination or cross-indexing efforts to create richer data sets.