Personal Data Ecosystem Overview (TH1H)
Session Topic: Personal Data Ecosystem Overview (TH1H)
Notes-taker(s): Judi Clark
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Good attendance, very diverse industry representation! Thanks to Joseph from Broadridge for his chair in our crowded room, allowing me to take notes. Kaliya showed a slide of the PDEC landscape: Personal zone overlapping with Accountability “Trust” Frameworks which contained Personal Data Zone, also overlapping with the Market. At bottom of this landscape view: Governance through Legal, Code, Identifiers, and Peers, who act as framework creators.
Slide of PDEC Startup Circle. Joining is a peer-reviewed process, what open standards are they using, what’s their value space/where are they coming from. Leaders consider if group qualifies; trying to cultivate “an industry collaborative, engaging with technologists and business leaders from banking and finance, telecom, cable, web, advertising, media and other industries seeking to understand opportunities, launch pilot projects and ultimately offer service in the ecosystem.”
Discussion about who “manages” your data as your IDP, and what personal control individuals have over that data. Is this like a bank, where you go in to withdraw all your money and get the Bank’s response “that’s our money?” Or can you withdraw your funds and walk across the street to another institution and open a new account, because your money is portable? Why would a telco worry about risk? This is a most important concept for them. Similarly in banking: board-level view is that they’re not going to be the first ones to jump. Either all jump at once or they get killed. Risk in the US of having all your funds in one institution is higher than distributed accounts. Same thing with different kinds of data, e.g., health data vs spending.
Fair Information Practices (FTC standard used for enforcement): the framework worked when they started back in the 1970s, but now systems are more complex, with no notice and consent about which databases we’re now part of. About time for a FIPS refresh? Kaliya is working on a paper: what are the core principles and guidelines that government could adopt? Where does the thinking need to be? We have more powerful devices in our pockets. Lots of privacy conversations are about do not track/store. OECD principles are not regulations and are technology neutral (data minimization, etc.), but they don’t make assumptions about individual ownership & agency over one’s own data.
Refreshing principles is a good exercise, but one thing missing from principles is the concept of fairness. Control is about fairness, fair trade and equality. Striking asymmetry today. Notice and consent is not working, people can’t do much about it.
Mary quickly reviewed Organizations stewarding user driven personal data and ID. Slide includes: ProjectVRM (an ethos and conversation), WEF, PDEC, Kantara Initiative, IDCommons, UMA, Information Sharing Working Group, Open Identity Exchange, The Data Portability Project, W3C, and microformats.
Shift in focus back to PDEC’s work: What’s personal data and what’s not? What’s self-asserted data?
Kaliya showed a map of personal data (link to come), then reviewed briefly what some of the companies do in the Startup Circle. Question about business models and how those companies plan to make money. (Some uncertainty here.) What are they hoping to do, how do they see working together? Respect, collaboratively working toward interoperability, for big players to adopt or use emerging standards. Faster adoption. Is this policy or protocol standards? PDEC is about conversation, discovery and education, document activities, and catalyzing an interactive collaborative market. Paint common pictures, evolve common language.