Information accountability at a scale that matches the scale of Big Data


We need a different approach to how organisations are held to account for their management of information if we are to have effective privacy protection in the era of Big Data and the Internet of Things. Malcolm Crompton says we should have accountable systems that are as scalable as the growth of personal information about us.

Danny Weitzner has been thinking about ‘accountability at scale’ for some time. Along with Tim Berners-Lee he founded the Decentralized Information Group in MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL).

In a new blog “Real Privacy Tools for Big Data” for IAPP’s Privacy Tech, Danny writes that:

“A new approach to privacy management is necessary in order to enable organizations to handle data at scale and simultaneously remain consistent with the high standards of privacy protection.”

He then goes on to set down in his blog “four key features necessary for any information accountability solution:

  1. Common and simple language to create data use rules. Data users and privacy professionals should be able to create and implement rules, without the need for IT support. Changes must also be easy to make and apply automatically to all data. A change in government regulation need not cause major disruptions to the business line owners.
  2. Shared repository of policies and rules that apply to data held across the organization.
  3. Automated, real-time reasoning of data usage against these rules. Manual, point-in-time, procedural audits are not sufficient anymore, no matter how automated the audit reporting might be.
  4. Continuous monitoring and reporting. If privacy adherence exceptions arise, real-time alerts should be accompanied by an easy-to-understand explanation of why the behavior in question is inappropriate. Privacy professionals should be able to view compliance status at any point in the monitoring.”
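
The four features above describe an architecture: a plain rule language, one shared rule store, automatic evaluation of each data use against it, and continuous reporting with explanations. The following Python sketch is an added illustration of that architecture and is not code from CSAIL, IAPP or Danny Weitzner. The one-line rule syntax, the event fields, the user names, roles, data categories and the regulation names in it are all constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One data-use rule: which data category may be used, for which purposes,
    by which roles, and which regulation or policy it comes from.
    Anything not explicitly allowed is denied."""
    data_category: str
    allowed_purposes: frozenset
    allowed_roles: frozenset
    source: str


def parse_rule(text: str) -> Rule:
    """Feature 1: a plain one-line rule language (assumed syntax, not Weitzner's):
       allow <category> for <purpose,...> by <role,...> under <source>"""
    m = re.fullmatch(r"allow (\S+) for (\S+) by (\S+) under (.+)", text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    category, purposes, roles, source = m.groups()
    return Rule(category, frozenset(purposes.split(",")), frozenset(roles.split(",")), source)


class PolicyRepository:
    """Feature 2: one shared store of rules; replacing a rule changes every later check."""
    def __init__(self):
        self._rules = {}

    def put(self, rule: Rule) -> None:
        self._rules[rule.data_category] = rule

    def get(self, data_category: str):
        return self._rules.get(data_category)


@dataclass
class Finding:
    event: dict
    compliant: bool
    explanation: str   # plain-language reason, shown alongside any alert


def evaluate(event: dict, repo: PolicyRepository) -> Finding:
    """Feature 3: automated reasoning of one data-use event against the repository."""
    category, purpose, role = event["data_category"], event["purpose"], event["role"]
    rule = repo.get(category)
    if rule is None:
        return Finding(event, False, f"no rule covers '{category}' data; denied by default")
    if purpose not in rule.allowed_purposes:
        return Finding(event, False, f"purpose '{purpose}' is not permitted for '{category}' data "
                       f"under {rule.source}; allowed: {sorted(rule.allowed_purposes)}")
    if role not in rule.allowed_roles:
        return Finding(event, False, f"role '{role}' may not use '{category}' data "
                       f"under {rule.source}; allowed: {sorted(rule.allowed_roles)}")
    return Finding(event, True, f"permitted by rule for '{category}' data under {rule.source}")


class Monitor:
    """Feature 4: continuous monitoring; every exception is an alert carrying its explanation."""
    def __init__(self, repo: PolicyRepository):
        self.repo = repo
        self.findings = []

    def observe(self, event: dict) -> Finding:
        finding = evaluate(event, self.repo)
        self.findings.append(finding)
        return finding

    def alerts(self):
        return [f for f in self.findings if not f.compliant]

    def compliance_status(self) -> dict:
        total = len(self.findings)
        ok = sum(1 for f in self.findings if f.compliant)
        return {"events": total, "compliant": ok, "exceptions": total - ok}


# Constructed sample data-use events (hypothetical users, roles and categories).
SAMPLE_EVENTS = [
    {"user": "dr_lee", "role": "clinician", "data_category": "health",   "purpose": "treatment"},
    {"user": "mkt_01", "role": "marketing", "data_category": "health",   "purpose": "marketing"},
    {"user": "fin_07", "role": "finance",   "data_category": "contact",  "purpose": "billing"},
    {"user": "sup_02", "role": "support",   "data_category": "health",   "purpose": "treatment"},
    {"user": "intern", "role": "support",   "data_category": "location", "purpose": "service"},
]


def run_demo() -> Monitor:
    repo = PolicyRepository()
    # Constructed rules; the regulation names are placeholders, not real statutes.
    repo.put(parse_rule("allow health for treatment by clinician under Health Records Act (illustrative)"))
    repo.put(parse_rule("allow contact for service,billing by support,finance under internal privacy policy"))
    monitor = Monitor(repo)
    for event in SAMPLE_EVENTS:
        monitor.observe(event)
    # A regulatory change withdraws billing use of contact data. Rewriting that one rule
    # in the shared repository re-classifies the same finance event with no other change.
    repo.put(parse_rule("allow contact for service by support under revised privacy policy"))
    monitor.observe(SAMPLE_EVENTS[2])
    return monitor


if __name__ == "__main__":
    m = run_demo()
    for alert in m.alerts():
        print("ALERT:", alert.event["user"], "-", alert.explanation)
    print(m.compliance_status())
```

Running the demo reports four exceptions out of six events: the marketing use of health data, a support role reading health records, a data category with no rule at all (denied by default, which is the safe failure mode), and the billing event that became non-compliant the moment the rule changed. Each alert carries the reason in the words of the rule, which is the "easy-to-understand explanation" the fourth feature asks for.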

Any discussion about Digital Enlightenment will have to consider ways of effective, enforceable, scalable Information Accountability. CSAIL is making a valuable contribution to developing it.


Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a company that works with public sector and private sector organisations all over the world to help them build customer trust through respect for the customer and their personal information. He was also foundation President of the International Association of Privacy Professionals, Australia New Zealand. In 2012 he received the Privacy Leadership award in Washington DC for his global contribution to the privacy profession. His Open Forum blog is at http://www.openforum.com.au/blogs/malcolm-crompton.

This blog was first published on the Digital Enlightenment Forum blog.



Information accountability

I would not argue against "accountable systems that are as scalable as the growth of personal information about us?" I'm interested to learn how this would feed back in ways that build customer trust as a matter of course. Perhaps I've just missed the point.

Scalable information accountability: impact on trust

Max - that is a great question and requires equal attention to the basic question: the importance of building accountable systems that scale.

If individuals don't know that management of the information about them is being properly held to account even if in fact it is, only some benefit has accrued.

So ways in which this can be displayed are essential.  And we have analogies in the real world that point the way.

For example, it is both illegal and impossible for the ordinary shareholder to inspect the books of a large listed corporation or even conduct an audit.  Instead, an accountability agent does the job for them against published standards.  The accountability agent in that instance is the auditor.  Hopefully, the agent is trustworthy and the standards effective.  As with anything else in life, Gaming the Rules is one of the Rules of the Game so there is an endless tussle between those being held to account and those who are doing the holding to account and some massive failures (Enron for example is a standout from the last 20 years, but there are plenty more).  But overall, society thinks it is better off with these arrangements and with fine tuning them than if it threw it all away.

Hence the signal to the shareholder is the audit report attached to the annual financial reports of the corporation.

Or another example:  all motor cars in Australia must have a compliance plate attached.  It is illegal to sell a new car without one.  That simple plate is the way in which the purchaser can have some (very good) assurance that the car is safe.  And a LOT safer than before such requirements - just read Ralph Nader's Unsafe at Any Speed.

So, yes, some form of Seal or Trust Mark or other annotation will be needed for those organisations that do implement scalable information accountability systems after they are developed (and, eventually, made mandatory - but that is another story).


Scalable information accountability

Thanks for your reply Malcolm. It was the 'dodgy' audit question that arose from the GFC I had in mind. It does appear that some progress has been made, but the reluctance to 're-regulate' shows that some of the players prefer Rafferty's rules and they do seem to influence policy makers. As with any quality system, there has to be genuine commitment at the top to avoid a drift back into box-ticking and compliance fudging. As I'm sure you're well aware, sometimes it's not so easy as the display of a compliance plate. Results of non-compliance may not be measurable for some time and may appear some distance from the source. Environmental managers have to deal with this routinely even with ISO14000 systems in place. Many organisations just want the 'ticks' in the foyer and on the letterhead.

Scalable information accountability: devil's in the detail

Max - I couldn't agree more. The approach we have discussed is a classic case of 'least worst'.  It may not be perfect, but it is the best we have and implementation is key.  Even the best systems degrade over time and often we see cycles of regulate-de-regulate-re-regulate.  The cycles may be years long or decades long.  In such circumstances, it is important to make sure that the extremes of the cycle aren't too extreme - this is a better and more likely to be successful model than trying to dampen out any cyclical activity at all.  In fact, the cycle is often a very good way of refreshing everything.