Beyond Privacy: A CIO's perspective

By Peter Baril (03/03/05)

Citizens are demanding simpler access to services, executives are demanding operational efficiencies, and the intelligence community is rushing towards highly integrated data profiling.

In response, the CIO community is being pushed to deliver the technical underpinnings for all three in ways that significantly affect how citizens exercise consent.

In the current environment of commercial profiling and newly sanctioned anti-terrorism activities, legal admonitions against exploiting our data stores simply don't work. Modern data sharing can be highly automated, often at a physical level, where legislation holds little sway.

The technology community therefore needs to offer different solutions which bolster or even replace the increasingly ineffective legal admonitions and court proceedings so dear to the privacy and civil rights lobbies.

Information professionals need to design systems that embed accuracy and consent procedures because "that's just the way it works."

Current State

Both public and private institutions currently store citizen data in the form of complete personal records. They often allow endless numbers of copies of those records to be stored in multiple locations. The probability of inadvertent and unauthorized disclosure, no matter how innocent, is compounding at a pandemic rate.

On any given day, we, as citizens, might visit a motor vehicle licensing bureau to obtain a driving permit, stop by the optometrist's clinic to order a new pair of eye-glasses, and run by the neighborhood school to register our six-year-old for the new academic year or a junior sports program. Among the 15 to 20 pieces of data we provide at each of these locations, five or six will be repeated at each location. They will be the ones that identify us as individuals, distinct from any other client or parent. They usually include surname, given name, telephone number, current address and date of birth.

The rest of the information we provide - mostly service-specific data such as our lens prescription, the type of motor vehicle we drive, the children's skate size - is meaningless and anonymous if stored apart from our personal identity.

Democratic societies need to pounce on this simple distinction before it is too late.

Public Sector

As the primary collectors of personal information in the first instance, the public sector can no longer afford to store both personal identifiers and service-specific data in direct juxtaposition with each other. Whether stored as a paper form or in a computer database, or both, this universal warehousing of public sector data as identifiable personal information is a direct enabler of mishap and abuse.

If the rush to cross-jurisdictional data integration, known as "interoperability," continues based on current information architectures, these will inevitably produce a "leak" of personal information so inappropriate as to thrust citizens, politicians, law enforcement officials and civil liberties organizations into bewildered and vehement conflict. In that instant, our elected representatives are going to wheel around and demand to know: "Who authorized this?"

Considering the plain language meaning of "Chief Information Officer," combined with our mandate in most jurisdictions over such esoteric gobbledygook as information frameworks, service reference models, data modeling methodologies and meta-data schemas - each with their constituent taxonomies - we are eventually going to find ourselves in the crosshairs of accountability on this issue.

Therefore, as part of our discussions on achieving "practical results" in "interoperability" and information management, we must quickly add clear and robust indications that we are "doing the interoperability piece" with a responsible eye to the very foundations of democracy itself.

The practical question to ask is whether we can provide a technical solution that streamlines services to citizens and detects epidemic or terrorist risk, yet simultaneously protects against undemocratic levels of unauthorized disclosure and personal intrusion.

The solutions are buried somewhere in the pre-emptive principles of information architecture known as "data anonymization" (or "depersonalization") and "single authoritative source."

Depersonalization of Data

The first step in this new regime is to clearly define the distinction between "data" and "information," something which no information act in Canada currently does. If this were clearly defined, information management policies could then require citizen services to store all data fields which point to personal identification in separate databases, isolated from any service-specific values like health details, motor vehicle specifications, court proceedings, financial data and the like.

Separating these two types of data, through a process called data "depersonalization" or "anonymization," opens immense possibilities for improved pattern detection and pandemic profiling based solely on the depersonalized service data.

Whether an investigator is looking for pathways of communicable disease during an epidemic, or indications of terrorist agent profiles among patterns of international travel, these searches could be automated and run against the anonymized institutional data without immediately affecting personal information.

Once a significant risk pattern was identified, however - only when such a pattern was identified - permission to "re-personalize" the data by re-combining it with personal identifiers could be made subject to the same judicial authorization and oversight processes as apply to any other search warrant procedure.

Meanwhile, the risk of inadvertent disclosure, or criminal misuse of personal information, would be made immensely more difficult since so many fewer people would have access to the combined, "personalized" information.

Single Authoritative Source

The second element of this proposed information architecture has a similar counter-intuitive potential to both strengthen citizen consent and increase the efficiency of pattern detection.

Duplicating the collection and storage of personal identifiers and service data in every service location is inherently sloppy. None of these data can be updated other than by a laborious and painstaking review at each of the separate locations, at random intervals, by ever-changing staff, leading to an exponential risk of unauthorized disclosure and outdated information.

The person whose identity and consent are at stake is the least aware of the number and location of the storage sites, or of their inaccuracies.

The solution must include an information architecture which requires those few fields indicating personal identity to be stored in a single highly secured, robustly encapsulated location, from which they can only be extracted and recombined with otherwise anonymous service-specific data under the most stringent controls, regardless of where they were originally collected.

Citizen Control

By applying our most rigorous identification, authentication and authorization (IAA) regimes at the point of subsequent extraction and re-use, we would have the makings of a nearly impregnable barrier against unauthorized identity intrusion and a powerful new ability to monitor and report each access to the citizen.

Detailed logging tools could be embedded in the identity database which would allow the citizen, either directly or through an ombudsman role, to review every attempt to re-personalize her or his data into personal information.

Only citizen-authorized, service delivery agents in each domain (health, justice, finance, etc.) would have the authority to recombine single-source identifiers with service-specific data on the citizen's behalf, and the citizen would be able to monitor, trace and review each such access as needed.

The result of this architecture would be an enhanced level of attention to citizen consent by authorized users, and meaningful accountability and recourse for the citizen when errors do occur.

With a single authoritative source for personal identifiers strictly isolated from topical data, the intelligence and public safety communities could conduct much more comprehensive profiling analysis, while still conforming to robust citizen consent requirements and judicial authorization before proceeding to the individual surveillance or monitoring stage.
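The architecture described under Depersonalization of Data and Citizen Control, modelled as an added Python example (not code from the article or from the Government of Nunavut): one identity store holds the few identifying fields keyed by an opaque token, service records carry only the token plus service data, pattern detection runs on the depersonalized records alone, and every re-personalization attempt is logged for the citizen to review. The domain agents, the warrant argument and the symptom records are constructed assumptions.

```python
# Added illustration of the depersonalized, single-authoritative-source
# architecture; the agent roster, warrant handling and sample records are
# constructed assumptions, not the article's design or any real system.
import secrets
from collections import defaultdict


class IdentityStore:
    """Single authoritative source for personal identifiers."""

    def __init__(self):
        self._people = {}              # token -> identifying fields only
        self._log = defaultdict(list)  # token -> every re-personalization attempt
        # Hypothetical citizen-authorized service agents per domain.
        self._agents = {("health", "clinic-A"), ("justice", "court-1")}

    def enrol(self, surname, given, dob):
        # Opaque token: meaningless outside this store, so service
        # databases can hold it without holding personal information.
        token = secrets.token_hex(8)
        self._people[token] = {"surname": surname, "given": given, "dob": dob}
        return token

    def repersonalize(self, token, domain, actor, warrant=None):
        """Recombine identifiers with service data only under authorization."""
        authorized = (domain, actor) in self._agents or warrant is not None
        # Log the attempt whether or not it is granted, so the citizen or an
        # ombudsman can review denied attempts as well as successful ones.
        self._log[token].append({"domain": domain, "actor": actor,
                                 "warrant": warrant, "granted": authorized})
        if not authorized:
            raise PermissionError("no citizen-authorized agent and no warrant")
        return dict(self._people[token])

    def citizen_review(self, token):
        """Everything the citizen is entitled to see about access to their identity."""
        return list(self._log[token])


def detect_risk_pattern(service_records, symptom):
    """Pattern detection over depersonalized service data: returns tokens,
    never names, so the analyst learns nothing personal at this stage."""
    return [r["token"] for r in service_records if symptom in r["symptoms"]]
```

The returned tokens are what an investigator would present for judicial authorization before calling `repersonalize` with a warrant.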

As the primary collectors of personal information in the first instance, democratic governments and public institutions face an immense new burden that was not anticipated until now.

They have long shared a solemn responsibility for preventing unauthorized disclosure, and they must now increasingly ensure that the data in their custody is accurate!

The CIO perspective must now go far beyond mere "privacy impact assessments". It is time to issue a firm warning.

The benefits of service integration and "interoperability" may seem obvious to our service delivery masters and agencies, but we, as information management professionals, must not conclude that this constitutes implicit consent from citizens for IM to proceed to enable that integration using obsolete data architecture.

If our conscience is to remain clear, we must table a comprehensive citizen-consent impact assessment and an accompanying solution to the demands thrust on us by proposed integrated services and inter-jurisdictional information sharing.

Peter Baril (pbaril@gov.nu.ca) is Director and Corporate CIO with Informatics Planning and Services in the Government of Nunavut.
