The Information Accountability Foundation (IAF), a nonprofit organization headed by Marty Abrams, was created in 2013 to act as an independent center of development for the Global Accountability Project. This week, the IAF announced Peter Cullen, CIPP/US, formerly GM and chief privacy strategist for Microsoft’s Trustworthy Computing Group, would augment those efforts, joining the organization as executive strategist, policy innovation.
He will be tasked with leading the IAF’s work “in developing a Holistic Governance Policy Model,” which Abrams called “an essential building block of Information Accountability 2.0.”
And just what is that? “It’s a continuation and an expansion of the issues that the Accountability Project took on six years ago,” Abrams said, in an interview with The Privacy Advisor. Back in 2008, the concept of accountability was already being baked into privacy regulation, yet there wasn’t yet a firm definition of what accountability actually was in a practical sense. Trying to solve that problem, Irish DPA Billy Hawkes facilitated a first meeting of privacy thinkers in Dublin to begin hashing out a working definition.
The meetings continued, across the globe, and eventually became the Global Accountability Project, which developed for its core the five essential elements of accountability. And while these concepts have already begun to be applied in a number of scenarios to issues like big data, data obscurity, wearables and the Internet of Things, “we’re at a point where the pieces need to be brought together within a holistic view of data governance,” a view that not only considers potential privacy harms but also “the drivers of good decisions, the interests of the organization and the interests of society as a whole,” said Abrams.
The IAF aims to create a framework that an organization can use to make the daily decisions that are far too numerous to constantly be brought before some kind of data specialist or privacy professional for a blessing or ruling. This framework is intended to support a 21st-century data policy model.
“More and more companies are finding new ways to use information to create value … It’s very exciting, but it only works if it’s accompanied by a commensurate view and mitigation of the risks." - Peter Cullen
“It’s a broadening and deepening of the understanding of accountability,” agreed Cullen, former IAPP board chairman and CEO of consulting firm Global Information Governance Solutions. “More and more companies are finding new ways to use information to create value … It’s very exciting, but it only works if it’s accompanied by a commensurate view and mitigation of the risks. We want to both advance new governance structures to help companies deal with that risk more effectively but also provide guidance to policy-makers, allowing for innovative uses of data without jeopardizing fairness.”
“We’ve talked about the theory of accountability for a number of years, and the work the accountability project has done has advanced the way organizations need to implement this essential building block of governance,” Abrams said. “Now it’s time to build out decision-making tools in organizations and begin to think about how a regulatory system oversees a decisioning process based on integrity in the organization.”
For example, he points to the IAF’s recent paper on big data ethics, which first set forward an outline for what ethical use of big data might look like but now will soon release a way to interrogate a project or product to see if it meets the ethical standards an organization has created for itself.
“That goes beyond compliance,” Abrams said. “It’s looking at whether the project is not just legal, but is it fair? That builds out a process of governance that involves not just the privacy officers—though the officer is a key player, who checks to make sure there is integrity in the process—but that involves everyone who’s managing and making decisions about the data and how it is used.
“The foundation believes it’s time to take these key concepts and build them into decision-making and oversight tools that support an implementable policy model, and that’s what we mean by the holistic process. Let’s take it and use it for the organization as a whole.”
This will be an increasing necessity, Cullen said, as policy-makers begin to focus more on the use of information as opposed to the simple collection. “You have to define a public policy framework, and then governance-enabling, decision-making tools to enable that,” he said. “The work that we’re doing fits into that.”
He pointed to work the IAF has done on data obscurity as but one example. “We need solutions or a tool that allows information to create value while providing data protection,” Cullen said. “We need an umbrella framework that allows for implementable data innovation and fairness.”
How does a researcher or engineer know when to obscure data, how to obscure, whether it’s been effectively obscured?
An overarching data governance framework for an organization can make the answers to those kinds of questions much easier to arrive at.
“You can’t do accountability without wrestling with this question of when data should be available and what it should be available for,” Abrams emphasized. “So that’s what we mean by a holistic question.”
As part of this work, the IAF will hold an invite-only meeting in DC this week on the concept of dynamic data obscurity; Abrams will lead a session on the topic at the upcoming CPDP conference in Brussels, and the IAF will present its big data ethical framework at the IAPP Global Privacy Summit in March.
The work is obviously continuing and not easily completed.
“These were never meant to be simple issues,” Abrams said. “Ethics issues are meant to bring in multiple interests and concepts and feelings and this all comes into play in information governance. But we’re dedicated to information being used to create real innovation that benefits people. And at the same time, we’re trying to maintain a world where digital predestination isn’t the only answer, where people have rights to seclusion where they can make decisions about their future.
“That’s part of why we need Peter involved,” Abrams continued. “We need more experienced heads to make these equations work.”
“This isn’t just for organizations that populate the IAPP,” Cullen emphasized, “but for individuals, organizations, society as a whole, for everyone. We think that information governance is absolutely a necessity for the society we’ll have tomorrow.”