As some of you may be aware, I'm launching a corporate membership body with the objective of identifying, developing and propagating best practice in privacy management. The forum (called Enterprise Privacy Group) will consider a broad spectrum of privacy and freedom of information issues.
Over recent weeks I've been talking with quite a number of potential member organisations, and one of the challenges has been explaining how we intend to cover a range of privacy issues, from very basic data protection through to some advanced identity management concepts. I had some difficulty explaining this spread, and from this I got round to thinking about the concept of a maturity model for privacy.
My first ideas are in the diagram below:

As the organisation develops through the maturity scale, it goes through the following stages:
- Data Protection: at the earliest stages, the organisation understands that it has valuable personal information, and that there is a legal requirement to protect it in certain ways. However, there is no executive recognition that legal compliance does not necessarily protect the organisation from the consequences of misuse of that data.
- Privacy: the organisation recognises the moral imperative for ethical use of personal data, and that a proper usage policy - that applies greater controls than necessarily required by law - may reduce information risks and lead to better relationships with the individuals whose data is being stored and processed.
- Identity / Data Sharing: these issues are two sides of the same coin. In the private sector, organisations begin to recognise that data needs to be linked to an individual, rather than to an asset. For example, a bank may start to link multiple accounts to the same account holder, and treat that holder as an individual in accordance with their privacy wishes. Data Sharing is the equivalent issue in the public sector, where (contrary to common perception) most civil servants know that they already respect the privacy of the citizen, and are seeking mechanisms to share data with other government departments without compromising that respect. Identity is crucial here if data is to be shared accurately and efficiently.
- 'Data Rejection': The top of the scale is Anonymity - an understanding that much of the personal data held by the organisation is simply unnecessary, and could in fact be more of a liability than an asset. For example, a bank does not (in theory, ignoring financial regulations) need to know who an account holder is, but simply how to check their credit score and how to contact them if necessary. The same bank faces heavy compliance costs and risks of misuse whilst it holds that personal data. This has worked perfectly well for the Swiss banking industry for a very long time. When organisations start to minimise their personal data assets, they are pushing to the top of the maturity model.
Of course, 'Data Rejection' should be the goal of any true federated identity scheme. Once organisations and their clients realise the value of anonymised credentials, and the opportunities for new revenue streams based upon the trust that can be created this way, we should finally see someone reach this level in the maturity model (or maybe there's an organisation out there that's already done it?)
I'd welcome comments on this idea, since it clearly needs lots of work before I start to back it up with hard survey data. Please feel free to let me know what you think.
9:40:07 PM