• United States

Coming back to ‘who owns the data’

Feb 04, 20043 mins
Access ControlEnterprise Applications

* Can technologies solve the 'turf battles' of who owns personal data?

A couple of weeks ago I brought you the tale of a reader who had “solved” the technology problems of an identity management project, multiple times. Each time, though, the project broke down over political issues.

Virtual directory engines, meta-directories, provisioning systems and federation schemes all allow the “owner” of the data to maintain control of the creation, maintenance and removal of the data. But what this reader and many other identity managers found is that some data owners want more; the owners feel they must also control the use of the data and that ONLY they can decide how and when that data can be used.

Turf battles like this are frequently confused with the issue of data privacy, but the difference, though, is the individual whose identity is described by the data. You should control your personal data such as your name, birth date, phone, address, social security number, credit cards, etc. It is a privacy issue. On the other hand, corporate data such as employee names, numbers, even salaries, medical records, reviews, etc., may belong to, for example, the HR department. However, the privacy involved isn’t that of HR but of the individuals to whom the data describes or relates. It isn’t an HR clerk who should control the use of this data, although that department may retain the rights of creation, modification and removal. Others with a legitimate right to use the data should be able to do so, especially within the environment of a secure identity management system.

I heard from a number of people about this issue and surprisingly, most sought to reassure me that the technology could handle the task. One prominent reader, whose thoughts have graced this newsletter in the past, wrote:

“I have to disagree with you on the point of technology solving the ‘social scare’ you raise.  It is only with the right kind of security, founded in privacy based identity management, that we can eliminate this social scare. We all want simplified identity recognition…[b]ut, I don’t believe we have to ‘give up’ anything – either from a systems perspective or a privacy perspective. I don’t agree that the key is outside of the realm of technology.  The key is a systematic (and recognized) implementation that recognizes individual privacy.  The ‘feared’ directory can also be the repository and enforcer of the policy and rules that protect the individual.”

Most of the responses were in this vein. But I don’t disagree. In fact, what I said was that the technologies to solve these problems and overcome the objections are abundantly available. The problem I presented was overcoming a fear of the technology based on (in part) sensationalized news stories as well as fear of “losing turf.” Most of us, though, are like the carpenter who only has one tool, a hammer. To him every problem looks like a nail. To many of us, every problem can be solved by technology alone.

I was beginning to despair of finding any answers when a new note popped into my inbox and presented a solution to the dilemma. If you’ll come back next time, I’ll share that with you.