Personal data stores to protect key data

As the amount of personal data stored electronically increases, so does the level of identity theft. The situation could lead to...

Estimates suggest that as many as seven million US citizens have experienced identity theft in some way. Most of this is down to the theft of credit card and debit card information, only some of which has resulted from breaches of IT security at companies or on websites.

Legislation has been piling up across the world to deal with the theft of information and most countries that never had legislation before had enacted at least some new law by the end of 2002. Most of Europe did so in 1999.

In the US, the legislation involves a series of federal and state laws. Elsewhere most of the legislation is based on the Organisation for Economic Co-operation and Development's original guidelines on data privacy and protection. If you want to sum up what it all means for corporate IT, then the following sentence from the OECD guidelines tells you most of what you need to know:

"Personal data must be protected by reasonable security safeguards against loss, unauthorised access, destruction, use, modification or disclosure."

An interesting question arises from this, which will ultimately have long-term political and commercial consequences. Data is valuable and thus personal data is also valuable, especially to its owner. This applies whether we are talking about financial information, medical information, or simple personal details.

Most such information is held by others on our behalf, and the consequences of its theft can be expensive, or at the very least inconvenient. It is right therefore that the law should hold those that manage this information responsible for its safe-keeping.

However, the level of the theft of such information is rising, and has been ever since the internet acquired critical mass. As a consequence, the law is likely to become increasingly punitive to those who fail to protect data adequately. Ultimately, perhaps we need "information banks", in the same way that we need banks that keep our money secure.

Consider what a complete inventory of personal information includes:

  • Direct identity information (name, birth certificate, places of residence, etc)

  • Identity documents (passport, driving licence, banking details, etc)

  • Family information, educational history, employment history, medical records and criminal record

  • History of purchases of goods or services throughout one's life

  • Government information such as voter registration, social security records and taxes paid.

But this is not everything. There is a lot of other important information that an individual owns. For example, the title deeds to the house they may own and all other title deeds in respect of ownership (shares, insurance policies, cars, electronic goods, white goods, etc) plus things such as music CDs, videos, software, photographs and all the things that are fundamentally information in their own right. These could be, and to some extent need to be, protected against theft.

If you collect all of this information together into a personal "data store", managed by a trusted third party, an individual could have direct control over their own data and might even benefit from being able to analyse it.

This might seem like a far-fetched notion at the moment, but consider some of the directions that IT has taken in the past decade. Most individuals who are connected to the internet already have an ISP of some kind, which manages some of their personal data (e-mails, for example). Many people have their own websites - more information managed on their behalf. They also have a multitude of information, much of which is poorly secured, on home PCs, as well as the wealth of data managed on their behalf by the government, banks, insurance companies, retailers and other organisations.

Now consider the advent of XML and web services. For the first time, with XML, data can carry its definition with it and possibly be processed by programs that know little of its origin. This, along with the emerging reality of web services, boosts the possibilities of how an individual might manage their own data. For example, in buying something, an individual only needs to provide payment and nothing more - not their name, and possibly not even their address. From a processing point of view there is sense in this idea, because it would be easy to agree standard XML formats for such information-light transactions.

If we moved to such a world it would change many things. In the massive data warehouses that retailers assemble and analyse, some of that data is personal data concerning one's buying habits. Maybe you don't want a retailer to have that information about you. They have a right to record what they sold, but do they have a right to know who they sold it to? Not, perhaps, unless they pay for it.

Naturally there would have to be exceptions to complete data privacy. A person might retain their complete personal health records but would want to make them available immediately to an accredited medical authority in the event of accident. The tax authorities might have a right to access financial information under certain circumstances. The security services would have a right to access such data if given the appropriate authority. And so on.

This may all sound a little futuristic, but I do not think it is. We are gradually moving from a world where ownership is defined by information held on paper (title deeds, proof of purchase, etc) to one where such entitlement will be largely electronic. This cannot happen without the existence of "information banks" that protect such data.

We also have the reality of large-scale identity theft, which will ultimately mandate much more secure data storage. In addition, data ownership is already a political issue and is widely regarded as a basic human right.

If you ask people to vote on whether they want to own their own data, they will vote yes. All we are waiting for is the technology to mature and everything I have suggested will be possible, and this is beginning to happen.

Robin Bloor is chief executive at Bloor Research
