Saturday, February 26, 2005

Momentum Building Against Database Aggregation of Personal Data?

In his blog today, Canadian technology lawyer Rob Hyndman asks: "Momentum Building Against Database Aggregation of Personal Data?"

I'm very interested to see how the latest round of incidents are going to play out in the United States. Apparently the Bank of America incident specifically involves the personal information of US legislators who carry a special Visa card for government employees. This may hit a little close to home for those with their hands on the levers of power.

There's an interesting dynamic in the United States at the moment. Consumers are increasingly worried about identity theft. The growth of this sort of crime is spurred by the inadequate security of personal information and security breaches (such as Choice Point and BoA). Agglomerating all this sensitive financial information by data aggregators dramatically increases the risk of significant consequences if security is breached.

But, at the same time, there is pressure to have higher quality personal information available to so-called legitimate businesses, such as credit grantors.

This data is also used to prevent credit fraud (see PIPEDA and Canadian Privacy Law: Identity-verifying questions are getting personal). Biometrics and big databases can also be used to positively verify the identity of those applying for credit. If, for example, there were a reliable database of biometric identifiers available to financial institutions, a credit card company can make sure that someone applying for credit in the name of Bob Smith is the Bob Smith and not someone who happened to snatch a pre-approved credit card mailout from Bob's mailbox.

(As an aside, I think that ID theft would drop dramatically if it were illegal to open a credit facility for anybody whose identity is not positively identified.)

There's also a sense that these databases are useful to prevent terrorism and lesser crimes. They are routinely used to run background checks and, according to Choice Point, law enforcement are significant customers of these systems. There will be continued pressure to make these databses available for such use.

We will never see the end of these databases, but I am waiting to see how the contrary pressures will eventually play out.

So what's the solution? I think the ten principles from the Canadian Standards Association Model Code for the Protection of Personal Information are a good start (see the Code as Schedule I to PIPEDA), coupled with a positive obligation to report any breach of security related to one's personal information.

  • Individuals should have a right to know what their personal information will be used for.
  • Organizations should not be able to collect information (from any source) unless the individual consents. For example, a credit grantor should not run a credit check without the consent of the individual and a data aggregator should not relese the credit report unless it has confirmation that the individual has consented.
  • Public records should not be "mined" for collateral uses unrelated to the purpose of the original record unless the individuals concerned have consented.
  • Individuals should have access to all their records, including information about to whom they have been disclosed. This should be provided free of charge by data aggregators as a cost of doing business.

The exceptions to the ten principles of the CSA Model Code that are in PIPEDA are generally sensible, recognizing that there are circumstances where consent should not be required or where access can be denied.

But will the US implement anything like this on a national basis? Probably not, but if they want my opinion they are welcome to it.

No comments: