Data Protection: Can there be trust without control?
Updated: Jan 26, 2021
The COVID-19 pandemic has urged Canada's biggest province to ask its citizens how personal data should be collected, protected, and operationalized. But can citizen consent really be given without a guarantee of control?
In August of 2020, the province of Ontario, a jurisdiction comprising 14.5 million people, issued a press release announcing the launch of consultations aimed at improving data privacy for its citizens. The timing of this effort has been driven by the volume of people who are having to use "digital replacement" services which are the hallmark of the new contact-less economy.
"With the increased reliance on these platforms, there is a strong need to build public and consumer confidence and trust in the digital economy. I encourage all Ontarians to participate in these consultations as privacy is critically important to everyone."
- Lisa Thompson, Ontario Minister of Government and Consumer Services
Can there be trust without control?
The focus on trust comes at a time when millions of people throughout the World are being asked to support public initiatives with their private information. Perhaps the most widely-known example are the contact tracing apps which are intended to help contain the spread of the COVID-19 virus.
However, the relatively low adoption rate of these technologies speaks, at least in part, to the level of mistrust that currently exists between data owners and service providers. In fact, a recent survey by researchers at Cornell University found that just 42 percent of American respondents support using so-called contact tracing app:
"Furthermore, the survey research found no significant difference in people’s willingness to download an app based on whether it was developed by the Silicon Valley tech giants Apple and Google, by the U.S. Centers for Disease Control and Prevention (CDC), by a state government, or by university researchers."
So despite the recent advancements in privacy policies and regulations (e.g. CCPA, GDPR, PIPEDA) to provide the end users of technology with some level of confidence that their data will be protected, it seems that not even an app that helps people avoid a potentially lethal pathogen can overcome them overcome their feelings of mistrust.
The bottom line is that there's no trust for people to give, because there's no genuine control being offered.
Over the years, the ability of service providers (and, by extension, regulators) to control how end user data is access and operationalized has become increasingly difficult due in large part to a process known as "integration".
This technology (aka Data Sharing, Data Virtualization, API Hubs) is used in order to combine/re-combine data from the hundreds (or even thousands) of applications that large organizations now maintain. The result is that thousands of copies of end user and partner data are regularly generated in order to support entirely legitimate outcomes like analytics and business intelligence, customer service systems, and new product delivery.
Integration is a huge barrier to data protection
The practice of integration is absolutely routine and it is important to recognize that service providers are not intending to do any harm via integration, but the negative side-effects of making "copies-at-scale" should be obvious to anyone concerned with offering end users increased control and transparency.
For things to change, we need to agree that the data we create is in fact a digital version of ourselves, and start to manage it with the respect it deserves
If one examines the experiences of people who have had their identities stolen, or those who have had to fight for months simply to gain access to the information, it becomes increasingly clear that the future we need is one where new technology is built without copies and where data ownership controls are considered an essential feature of the end user experience.
In this future, the control of data starts and ends with its rightful owner, whether they are a private citizen, small business, nonprofit, or commercial company - it shouldn't matter. If you create it, you should be able to control how it is used within 3rd party applications, and that right should never be taken away from you.
Control means granting access, not chasing copies
The pandemic has put a spotlight on data privacy and protection, and for good reason - for millions of people and small businesses the only way to receive financial, medical, and social support services is through online applications.
As such, COVID-19 presents us with the perfect opportunity to support collaborative technologies, standards, and methodologies that will enable service providers to build new technology in "copyless" data management environments where owner-defined access controls are supported and enforced.
Let's seize this generational moment to advance data ownership and open the floodgates to collaboration from a foundation of genuine control.