Data flow and the information derived from its attributes are the lifeblood of our successes and failures as individuals, businesses, organisations and governments; making better data protection a top priority for all.
In today’s connected world, data flow is more than a central theme of the global economy; it is a source of wellbeing and public value. Data tells and commercialises our life story as individuals and communities. Data from our cars, mobile devices, and wearables tells our personal story: where we go, our daily routines and habits, our schedules, even when we wake up in the morning and go to bed at night. It identifies the important people in our life: the people we call or text, how long and with what frequency. Others create information about us also with the devices they use.
Unfortunately, our current data paradigms and practices prove year after year that we are unable to keep information safe and secure. 2017 was the worst year recorded in history for data protection breaches. Over 5,200 breaches compromised more than 7.8 billion records; this is a 20% increase compared to 2016.
For the first time since 2008, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusions into networks. Breaches caused by the lack of privacy skills and competencies chip away at our trust in the accuracy of the data flow that we use, the people who can access it and the devices that send it.
Besides being difficult to protect, today information is often disjointed; lost among policies, commercial entities, and governments. Individuals, businesses, governments, and other stakeholders are unable to benefit from the Decision Intelligence available via new ideas, research, technologies, and best practices that accompany trusted data flows.
Current policies allow either all or no information sharing. We lack a universally accepted process to allow for only partial sharing. This “all or nothing” flow of attributes, data and information drives our world and generates significant challenges that must be addressed. These include:
Restrictions on data flow and information sharing
Our society is producing data at a pace that is unprecedented in human history. The internet, with more than 3.2 billion users, is as vital to core business functions and daily life as electricity. More specifically, the flow of digital data is recognised as a critical driver of economic growth and innovation. It enables positive economic impacts, the sharing of ideas and information, the dissemination of knowledge, and the collaboration of individuals, organisations, and governments.
Despite the significant benefits, without the ability to share some but not all data policies, proprietary and legacy systems form an array of barriers that impede the free flow of privacy-protected data. Today information is commonly disjointed, stove piped on different architectures, and lost among standards; leaving organisations and individuals unable to benefit not just from new ideas, research, technologies, and best practices that accompany quality, privacy-preserving data flow but also the innovative goods and services that rely on data.
It is vital to establish new systems to turn privacy-protected data flow into successes and ensure the internet continues to serve as a driver for innovation, economic growth and social development.
Identity theft and cybersecurity breaches
Safeguarding the information and privacy of individuals is the obligation of any person, organisation, or technology accessing personally identifiable information, regardless of the source. The status quo no longer works. For example, over the past several years data breaches have exposed over 179 million U.S. healthcare records, while the legal landscape of breach notification continues to be highly fragmented with little to no accountability for those failing to follow best practices.
Cyber insurance data documents that 90% of all cyber claims stem from human error or behaviour. The highest risks to privacy and security are at the ends of the network, the places where people access and authorise data use. Humans, even those with cyber savvy skills and competencies, are at the mercy of the security systems of the technology they use.
It is necessary to implement new practices for data sharing that allow individuals, organisations and technologies to protect information without affecting the possibility to analyse, link and use the data flow needed to personalise and create economic growth and value.
Fragmented islands of data and functionality
Despite the unprecedented amount of data collected, people and organisations are unable to unleash its true potential. Data is held in multiple records and lost among regulations, contracts, and policies that build fragmented islands of information. As a result, people cannot find, access, and use their own information; while service providers continue to miss out on powerful competitive tools.
A new system based on privacy-preserving, actionable data flow is necessary to transform this disaggregated scenario and to achieve transparency, provide individual control, advance scientific research, improve outcomes, prepare for emergencies, and truly and ethically generate value for individuals and organisations.
Lack of privacy and individual control
Legitimate concerns over privacy and confidentiality affect data flow as a source of wellbeing. Now, perhaps more than ever before, there is ‘heightened consumer anxiety about privacy’ when people realise that they do not know which companies possess their data, what companies know about them and how they are using or misusing their own information.
The traditional enterprise-centric system and its own mechanisms for enforcing security policies have failed to strike a balance between privacy and sharing. Companies control the access to data flow and survey user activity to reliably implement security policies. Yet despite these actions, they are still unable to protect information and worse, unwilling to provide or enforce meaningful individual control.
To address privacy and security, organisations and governments alike must secure information, ensure confidentiality and protect privacy, whilst also giving individuals the capacity to access and aggregate the information they are authorised to use. It is time for the organisations to take greater responsibility on how they protect user data and how they can proactively stop harmful practices affecting people’s privacy. Privacy compliance is more than just a legal requirement, it is also an ethical obligation that imposes real business costs to those not taking it seriously.
Ineffective personalisation
Individuals need and expect personalised experiences and consistency among different systems. According to recent studies, 50% of customers are somewhat likely to switch brands if an organisation does not anticipate their needs, and 75% of them expect consistent experiences across customer touchpoints.
Unifying and leveraging data – so people’s experience is valuable and personalised – cannot continue to be sacrificed. More specifically, this is beginning to be seen in the healthcare area where personalised medicine is opening a bright future of opportunities that lead to better care for patients and ultimately benefit low-income communities with high burdens of disease. However, multiple systems and organisations, each maintaining different patient identifiers, are unable to access comprehensive information, or even agree when they are talking about the same person. A new system that solves the challenges of personalisation, without sacrificing privacy and security, is essential for people and organisations to unlock the full potential of the latest developments.
Complex regulatory compliance
Given the unprecedented amount of data collected and the lack of privacy and security, it is not surprising that information privacy regulations are becoming more complex and comprehensive. Failing to protect sensitive data can lead to regulatory investigations, sanctions and lawsuits. Companies need to comply with a wide range of strict security and privacy rules that come from multiple and sometimes unfamiliar jurisdictions. While legal compliance with GDPR and other privacy regulations is mandatory, today more than ever organisations should see these regulations as the minimum required as they do not always represent companies’ posture and policies to data protection. Going above and beyond these rules is key in order for companies and individuals to feel confident that they are interacting in a legal and secure online environment.
Lack of trust among stakeholders
Widespread “all or nothing” data sharing as a driver of wellbeing is not sustainable without trust and transparency. People and organisations cannot agree on consistent policies or trust each other to share their most sensitive data. Besides the uncertainties about the meaning of privacy regulations, and how proprietary data should be used and handled, today more than ever, there is a need to raise reasonable concerns regarding the privacy and the security of information. As a consequence of the latter, individuals are kept from linking/sharing the data flow needed to advance research, innovation, and wellbeing. Building trust and confidence in the online world is a fundamental challenge to ensure that the opportunities emerging from the flow of information can be fully leveraged.
The new privacy-preserving data flow paradigms
It is time to implement new privacy-preserving data paradigms to safeguard information from unauthorised access, use, disclosure or human errors. This is the mission of the EP3 Foundation – privacy and personalisation via identity and authorisation networks so as to overcome current data sharing challenges.
The EP3 Foundation is a 501(c)3 multi-sector community of non-profits, standards organisations, industry leaders, researchers, and government agencies committed to empowering people with privacy and personalisation. We reduce and eliminate identity theft, fraud, and cybersecurity breaches enabling more secure data sharing. The EP3 Foundation develops and launches a number of networks and tools to address these issues using current and emerging technologies.
The EP3 Networks also leverage new protection paradigms for data flow governance built on trust models and legacy trust authorities.
The privacy and security risks plaguing current enterprise driven “all or nothing” data sharing and click through agreements are mitigated when enforcing policies with protected attributes rather than sensitive personal information or user profiles. Trust models, governing attribute level data compliance, consider each of the five points on the Critical Attribute Provenance for Data Sharing to establish trusted attribute provenance. To ensure privacy and enforce policies automatically, each attribute of the data is digitally signed by its issuing trust authority, and then cryptographically bound together.
EP3 networks are open, vendor-neutral, and support any participants’ rules. They automate privacy and security. The EP3 Foundation collaborates with stakeholders and trust authorities to set the rules and governance, enabling our networks and trust models to:
- Find, access and safely share information and the information one is authorised to use;
- Control policies for privacy, security and personalisation;
- Automate data flow governance and comply with policies, licensing, privacy and cybersecurity requirements; and
- Pseudonymise, obfuscate, crypto-hash, and partition the data to protect it while still leaving it computable.
Currently our networks are operating in the sectors of health, safety and education, with plans to expand into other sectors.
Health and safety
We enable health information interoperability by partnering with the leading health and cybersecurity authorities to establish the accreditations for health systems using new data paradigms. We protect confidentiality because no identifiable information is ever revealed to any organisation or person, except for encrypted privacy-preserving authorisation credentials.
Education
We empower students, parents, and educators with easy access to their privacy protected information. We allow data flow to be analysed and personalised without revealing personal or sensitive information. We partner with leading child safety experts and student privacy advocates to create the privacy and security accreditations when schools use blockchain, distributed ledgers, or smart contracts.
The future: new data paradigms will not only enable better data sharing, enhanced security and decision intelligence, but also data privacy and personalisation
Access to privacy preserving data enables decision intelligence to make evidence-based decisions and not at the expense of individual privacy. Decision intelligence moves beyond machine learning or artificial intelligence and provides the opportunity for people to make better decisions. For the first time comprehensive real-time data flow is available to determine how to create healthy, sustainable communities whilst also respecting the rights and privacy of individuals. People of all ages can understand workforce trends, prepare individuals to succeed in their career, college and citizenship, and connect individuals to resources and opportunities.
In healthcare, we have decision intelligence for personalised networks based on an individual’s location, lifestyle and genome. We have better transparency across the entire ecosystem. For example, with the healthcare ecosystem pooled data resources, managed at the attributes level (not information) includes: insurers, providers of care, hospital systems, and payees. With comprehensive health data we can discover new models that improve treatment and recovery outcomes.
For example, near real-time data improves transparency and accountability across the entire healthcare ecosystem. It also provides public and population healthcare providers the ability to detect, intervene and conduct privacy preserving surveillance. Doctors and providers of care can better co-ordinate comprehensive, integrated care. We can meet the strict privacy protections for patients needing substance use treatment and mental health services.
In conclusion, the implementation of technologies such as the EP3 Networks will allow:
- Decision intelligence that identifies and enforces data safety policies;
- Trust that our data can be protected;
- Enforcement of national and international laws for our personal privacy domains;
- The means to better protect information;
- Data governance that is automated and complies with policies, licensing, privacy and cybersecurity requirements;
- Pseudonymised, obfuscated, crypto-hashed, and partitioned data protects personal information while leaving it computable; and
- Decision intelligence for personalised networks based on an individuals’ location, lifestyle and genome.
Data is now woven into our lives and it is not going to lessen nor will the challenges that come with it. New data paradigms address the biggest data challenges, transforming people’s own information in a source of wellbeing and opportunities without sacrificing privacy and security. It is high time to embrace innovation as the only path to satisfy the demand for trusted data flow.
Marsali Hancock
Co-Founder, President & CEO
Sandra Elliott, Ph.D.
Chief Education Officer
Elinela Perez, LL.M.
VP
EP3 foundation
ep3foundation.org