02 March 2013

WEF Privacy Waffle

The World Economic Forum, which you'll be reassured is "committed to improving the state of the world", has released a document - produced by the cheerleaders at Boston Consulting - titled 'Unlocking the Value of Personal Data: From Collection to Usage' [PDF] regarding "an ongoing multistakeholder dialogue on personal data".

"Key messages" from that dialogue, which emphasise privacy as a commodity rather than human right (and broadly reflect the unwillingness of stakeholders such as Microsoft to move to global best practice) are
• The world has changed, which creates new opportunities but also risks [no surprises there, albeit the Bostons are relying on buzzwords such as "hyperconnected" rather than dead pronouncements that the "world is flat"]
• A new approach to personal data is needed that is flexible and adaptive to encourage innovation, but also protects the rights of individuals. Notice and consent need to be reconsidered to be equipped for this changing world.
• Key aspects of this new approach include:
– Shifting from governing the usage of data rather than the data itself
– Context is key in a world of increasing shades of grey. Black and white solutions won’t work
– New ways to engage the individual, help them understand and provide them the tools to make real choices based on clear value exchange
• A number of potential ways forward emerged from the dialogue:
– The importance of establishing an updated set of principles and the means to uphold them in a hyperconnected world
– Technology can be part of the solution
– allowing permissions to flow with the data and ensuring accountability at scale
– Need to demonstrate how a usage, contextual model can work in specific real world application
The WEF indicates that
Our world is changing. It is complex, hyperconnected, and increasingly driven by insights derived from big data. And the rate of change shows no sign of slowing. Nor does the volume of data show any sign of shrinking. But, the economic and social value of big data does not come just from its quantity. It also comes from its quality – the ways in which individual bits of data can be interconnected to reveal new insights with the potential to transform business and society. Fully tapping that potential holds much promise, and much risk. By themselves, technology and data are neutral. It is their use that can both generate great value and create significant harm, sometimes simultaneously. This requires a rethink of traditional approaches to data governance, particularly a shift from focusing away from trying to control the data itself to focusing on the uses of data. It is up to the individuals and institutions of various societies to govern and decide how to unlock the value – both economic and social – and ensure suitable protections.
As part of the multiyear initiative Rethinking Personal Data, the World Economic Forum hosted an ongoing multistakeholder dialogue on personal data throughout 2012. This dialogue invited perspectives from the US, Europe, Asia, and the Middle East and involved representatives of various social, commercial, governmental and technical sectors, who shared their views on the changes occurring within the personal data ecosystem and how these changes affect the collective ability to uphold core principles. The dialogue also addressed key regional legislative and policy approaches, particularly the proposed European Commission Data Protection Regulation and the US Consumer Privacy Bill of Rights. The global dialogue centred on a set of foundational principles that are familiar across a broad range of cultures and jurisdictions.
The dialogue was based primarily on three clusters building on the 1980 Organisation for Economic Co-operation and Development (OECD) Privacy Principles:
  • Protection and security
  • Accountability 
  • Rights and responsibilities for using personal data 
This document captures some of the key outcomes of the dialogue. It highlights areas that need to be resolved in order to achieve a sustainable balance of growth and protection in the use of personal data.
Protection and Security
Issues of protection, security and the overall stewardship of personal data remain central to the ecosystem. While the complexity of operating in a decentralized and distributed networked environment poses new challenges, ensuring data security remains crucial.
Accountability
Ensuring stakeholder accountability is a task that is increasingly challenging. Unlike the case 30 years ago, when the OECD principles were established, the questions of “Who has data about you?” and “Where is the data about you located?” are impossible to answer today. The challenge surrounding accountability focuses both on which principles to support as well as how to effectively uphold and enforce them, particularly given the lack of resolution on means of accountability. This contributes to a lack of trust throughout the ecosystem. However, technology itself has the potential to be part of the solution in ensuring accountability at scale through appropriate controls and auditing functionality. Privacy by Design which has been widely adopted around the world is key to ensuring privacy is proactively embedded into the technology itself.
Principles can serve as a global foundation for creating an interoperable, flexible and accountable framework for coordinated multistakeholder action. Codes of conduct, technological solutions and contract law can all help translate principles into trustworthy practices that enable sustainable economic growth.
Rights and Responsibilities for Using Personal Data

Participants from the public and private sectors shared a variety of perspectives on how the rights and responsibilities for using personal data might evolve. One common concern was that policy frameworks that constrain how data can be linked, shared and used (such as collection limitations, purpose specifications, and use limitations) are increasingly less effective and anachronistic in today’s hyperconnected world.
It was also pointed out that as data moves through different phases from collection, to usage and disposal, the weighting of the different principles may need to change. This approach is similar to how incremental advancements in the study of the human genome are being accomplished. Scientists explore and discover the human genome under one set of guidelines; a different set applies when those insights are put into action. The dialogue also addressed the changing role of the individual. Three subthemes emerged:
From transparency to understanding: There is a need for new approaches that help individuals understand how and when data is being collected, how the data is being used and the implications of those actions. Simplicity, efficient design and usability must lie at the heart of the relationship between individuals and the data generated by and about them.
From passive consent to engaged individuals: Organizations need to engage and empower individuals more effectively and efficiently. Rather than merely providing a binary yes-or-no consent at the initial point of collection, individuals need new ways to exercise choice and control, especially where data uses most affect them. They need a better understanding of the overall value exchange so that they can make truly informed choices.
From black and white to shades of gray: Context matters. Given the complexity of applications, the idiosyncrasy of individual behaviours and the speed of change, there is a need for flexibility to allow different approaches to using data in different situations.
To keep pace with the velocity of change, stakeholders need to more effectively understand the dynamics of how the personal data ecosystem operates. A better coordinated way to share learning, shorten feedback loops and improve evidence-based policy-making must be established.
The document is decorated with the inevitable examples of enthusiasm about e-health. All will be well, it seems, if we heed the advice from a handful of very large (and mainly US-based) corporations.