Talk of Peter Cullen, General Manager, Trustworthy Computing, Microsoft at the European Data Forum 2014, 19 March 2014 in Athens, Greece: Data protection frameworks fit for 'Big Data'
Editor's notes
Abstract
Data is rapidly changing how companies operate, offering them new business opportunities as they generate increasingly sophisticated insights from the analysis of an ever-increasing pool of information. Today's technology-enabled data analysis and use are providing rich value-added scenarios and services to consumers, business and society in general. Businesses have clearly moved beyond a focus on data collection to data use, but users of data and consumers have an inadequate model of notice and consent at the point of data collection to limit inappropriate use or enable appropriate and value-added use. A flexible system encompassing a newer public policy model built for a data-rich society, paired with an interoperable metadata-based architecture that allows permissions and policies to be bound to data, and a flexible permission system engaging consumers will allow for changing trust norms, help balance the tension between users and business, satisfy regulators' desire for increased transparency, and still enable data to flow in ways that provide value to all participants in the ecosystem.
Slide outline:
2 – Intro slide – goals
3 – complexity
4 – problem
5 – privacy frameworks considerations
6 – evolved privacy model
7 – what this does not mean
8 – what will we need
9 – Polaris
10 – Polaris
11 – how do we get there
Intro slide – set-up & goals
• Leverage the economic and social value of data use in this new data world while building suitable data protection frameworks.
• Balance the tension between individuals and business.
• Satisfy regulators' desire for increased transparency.
• Enable data to flow in ways that provide value to all participants in the ecosystem.
Complexity slide
Technological advances are changing daily life, and privacy will only become more important as these advances impact more people globally. Data is rapidly changing how we operate, offering new opportunities as we generate increasingly sophisticated insights from an ever-increasing pool of information. Today's technology-enabled data analysis and use are providing rich value-added scenarios and services to consumers, business and society in general.
For instance, back at this point in 2006 you needed to be at school or university to use Facebook; now it's the 3rd largest country.
July 2006: Twitter launched, changing communication and media.
Google had bought Android, but the first phone wasn't out until 2007.
Apple didn't have the iPhone yet, so apps weren't even there.
The Wii hadn't launched, and Xbox Kinect would have been Minority Report.
Netflix was still physical; streaming of video content came in 2007.
Problems slide
Individuals are expected to read and make informed decisions based on the numerous lengthy, complex privacy statements and disclosures of online service providers. Privacy policies are detailed legal documents that are difficult to understand and don't provide meaningful notice. For example, research conducted in 2012 revealed that many privacy policies total more words than Shakespeare's Hamlet or Macbeth. Individuals no longer have the same level of trust in the disclosures. The net effect is "click through".
• Non-interactive relationship with the data collector.
• Specification of data use at time of collection. Today's technology-enabled data analysis and use are providing rich value-added scenarios and services to consumers, businesses and society in general. However, there may be the potential to unlock additional value in data which was not contemplated at the time of collection.
Privacy frameworks considerations (problem slide)
• Today's trust models are not built for this new ecosystem.
• Today's business practices and processes (risk assessment, information management) are not fully aligned with the new reality.
• Today's technology does not support an accountable ecosystem.
• Today's enforcement models are not equipped for this ecosystem.
Data is rapidly changing how companies operate, offering them new business opportunities as they generate increasingly sophisticated insights from the analysis of an ever-increasing pool of information. Today's technology-enabled data analysis and use are providing rich value-added scenarios and services to consumers, business and society in general. Businesses have clearly moved beyond a focus on data collection to data use, but users of data and consumers have an inadequate model of notice and consent at the point of data collection to limit inappropriate use or enable appropriate and value-added use.
Evolved Privacy Model
Sets up the model, and the next slide covers what it is NOT.
What this does not mean
Models need to evolve, but that does not mean throwing away the old models.
• Shifting the focus from a "consent" model to a "data use" model does not mean eliminating the concept of consent. Rather, this model adds tools to the data protection arsenal that can help cover gaps which are currently difficult to govern. Individual participation and consent remain critical parts of the privacy model and will become more critical when individuals are confronted with data use or collection requests that are outside of the norms set by societies. Consent as a bedrock is not workable, but individual control over data use, engagement and even context-based consent will still be required.
• Accountability (responsibility on data users) does not mean ALL other information principles are discarded; rather, this model adds tools to the data protection arsenal that can help cover gaps which are currently difficult to govern. Collectively we should focus on how to enable accountable organizations to leverage the economic and social value of data use in a world of big data, with privacy models in place that protect the individual's privacy needs. A new privacy model that embraces greater organizational accountability will require new enforcement models that are resourced to tackle the oversight challenges that are emerging in a data-rich world.
• A risk-based approach does not mean no individual participation.
• Less consent-driven does not mean less transparency.
What will we need?
A flexible system encompassing a newer public policy model built for a data-rich society, paired with an interoperable metadata-based architecture that allows permissions and policies to be bound to data, and a flexible permission system engaging consumers will allow for changing trust norms, help balance the tension between users and business, satisfy regulators' desire for increased transparency, and still enable data to flow in ways that provide value to all participants in the ecosystem. Specifically:
• Evolved public policy models and legislation
• Evolved business processes (risk-based assessment and accountability for data protection and use)
• Evolved enforcement models
• New/evolved technologies that will assist management of data
Example: Polaris (next slide)
Technology example (Polaris)
An interoperable metadata-based architecture that allows user permissions and policies to be bound to data, enabling any entity handling that data to do so in accordance with the user's wishes.
• Represent and honor policy (associate policy with data, describe a policy to be honored, represent and resolve policies from multiple parties, express obligations and special conditions).
• Reflect changing norms and trust relationships between the individual and the data user.
• Help ensure accountability and increased transparency.
Using a metadata-based architecture to enable a way to share health data securely. The idea behind it is similar to how we share data across the public Internet today, and it can be generalized to sharing data across any collection of disparate systems.
• Add metadata to each piece of data. Minimally, this is provenance and privacy controls.
• Data services in the cloud enable data to be securely exchanged between businesses and various constituencies.
• A robust ecosystem of applications utilizing cloud services can grow to provide specific services for different constituencies.
• Cloud services can evolve to support interoperability across what is essentially a private medical internet.
Example: Most complex health issues involve multiple medical conditions observed over long periods of time. A health system that enables access to a patient's comprehensive medical history, records and relevant medical analytics, irrespective of the diagnosing clinician or facility, would increase the effectiveness and efficiency of patient care and treatment. This could be accomplished via a metadata-based ecosystem. In this ecosystem, once a patient consents to the use of his records and the doctor's identity is verified, the doctor could access diagnostics from all prior treatments and facilities, regardless of provider, network or geographic location. At any time, the patient could retract or modify permissions, including to indicate permission to use the data in a de-identified format for medical research. The metadata associated with the records would persist and be accessible to all permissioned parties in the trust framework of entities that have agreed to abide by the policies indicated in the metadata. Data could flow and be used appropriately to benefit the patient and/or society, as deemed valuable by the patient, while at the same time facilitating enforcement of the permissions expressed.
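To make the ecosystem above concrete, here is an added Python sketch (a hypothetical model, not Microsoft's Polaris or any shipped code) of a record that carries provenance and policies from several parties, a resolver that honors all of them with deny-overrides and passes the patient's de-identification obligation through to a research release, and patient revocation. The party names, purposes, field names and sample values are assumptions constructed for the example.

```python
# Added illustration, a hypothetical model rather than Microsoft's Polaris code: records
# carry provenance plus policies from several parties, resolved deny-overrides.
from dataclasses import dataclass, field

@dataclass
class Policy:
    party: str                 # author: patient, facility or trust framework
    purposes: set              # purposes this party permits
    obligations: dict = field(default_factory=dict)  # purpose -> obligation to honor

@dataclass
class Record:
    payload: dict              # the clinical data itself
    provenance: dict           # minimal metadata: where and when it originated
    policies: list             # policies bound to the data, one per party

def sample_record():
    """Constructed sample: a diagnostic record with three parties' policies bound."""
    return Record(
        payload={"name": "A. Patient", "dob": "1970-01-01", "hba1c": 7.2},
        provenance={"facility": "Clinic X", "collected": "2014-03-01"},
        policies=[Policy("patient", {"treatment", "research"}, {"research": "de-identify"}),
                  Policy("facility", {"treatment", "research"}),
                  Policy("trust-framework", {"treatment", "research", "audit"})])

def resolve(record, requester_verified, purpose):
    """Verified identity and every bound policy must allow the purpose (deny-overrides)."""
    if not requester_verified:
        return "deny", []
    obligations = []
    for p in record.policies:
        if purpose not in p.purposes:
            return "deny", []
        if purpose in p.obligations:
            obligations.append(p.obligations[purpose])
    return "permit", obligations

def release(record, requester_verified, purpose):
    """Enforce the decision: payload with obligations applied, or None if denied."""
    decision, obligations = resolve(record, requester_verified, purpose)
    if decision != "permit":
        return None
    if "de-identify" in obligations:     # strip direct identifiers before release
        return {k: v for k, v in record.payload.items() if k not in ("name", "dob")}
    return dict(record.payload)

def revoke(record, party, purpose):  # a party (e.g. the patient) withdraws a purpose
    for p in record.policies:
        if p.party == party:
            p.purposes.discard(purpose)
```

Because the policies travel with the record rather than living in one collector's database, a second facility that receives the record resolves the same permissions and honors the same revocation.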
How do we get there?
No clear solution, but collaborative, meaningful and constructive discussion: there are significant unknowns as well as exciting opportunities for the community to come together and design a future of more meaningful data protection.
As the dialogue across private and public sectors around the world advances, we will continue to generate innovative thinking about a sustainable data protection model, one that provides utility for organizations focused on innovative data use, contributing to economic growth, value to society and an appropriate engagement model with consumers, all resulting in more effective data protection.