Last month, the White House released its 90-day review of big data and privacy, renewing the call for a Consumer Privacy Bill of Rights along with a number of other policy recommendations.
With the administration and legislators (and regulatory bodies like the Federal Trade Commission) now considering issues of data collection and privacy, how should CIOs advise their organizations about going forward with big data initiatives?
"My advice is people should move very, very aggressively into this area of big data," says Lanny Cohen, global CTO of technology consulting firm Capgemini. "I think, at the end of the day, this is going to become one of the biggest sources of competitive advantage that an enterprise can have. Those enterprises that really have, as a core competency, the ability to gather data, analyze it and act on it are going to have a major advantage."
That said, Cohen says CIOs have an obligation to educate themselves and their organizations about the risks and responsibilities associated with gathering and using data.
"I think the CIO is already kind of taking on more of a role of a risk broker and risk orchestrator in the enterprise," Cohen says. "I think this is a perfect example of how a role like that arises in a topic like big data."
[Related: White House Calls for Big Data and Cloud Privacy Overhaul]
In January, President Barack Obama called upon John Podesta, counselor to the President and former chief of staff to President Bill Clinton, to conduct a 90-day study to examine how big data will transform the way Americans live and work, and how big data will alter the relationships between government, citizens, businesses and consumers.
Together with U.S. Secretary of Commerce Penny Pritzker, U.S. Secretary of Energy Ernest Moniz, Director of the Office of Science & Technology Policy John Holdren and Director of the National Economic Council Jeffrey Zients, Podesta and the Executive Office of the President released its findings, Big Data: Seizing Opportunities, Preserving Values, in May.
"Big data technologies will be transformative in every sphere of life," the group wrote in the report's foreword. "The knowledge discovery they make possible raises considerable questions about how our framework for privacy protection applies in a big data ecosystem. Big data also raises other concerns. A significant finding of this report is that big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education and the marketplace. Americans' relationship with data should expand, not diminish, their opportunities and potential."
Consumer Privacy Bill of Rights: Give Consumers Control of Their Data
One of the major policy recommendations put forward in the report is the advancement of the Consumer Privacy Bill of Rights, first proposed as part of a "privacy blueprint" in a February 2012 White House report, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.
[Related: 17 Steps to Implement a Public Sector Big Data Project ]
Based on the Fair Information Privacy Principles (FIPPs) that formed the core of the Privacy Act of 1974, the Consumer Privacy Bill of Rights is a call for "government-convened multi-stakeholder processes to apply those principles in particular business contexts; support for effective enforcement of privacy rights, including the enactment of baseline consumer privacy legislation; and a commitment to international privacy regimes that support the flow of data across borders."
Specifically, the rights include the following:
- Individual control. Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
- Transparency. Consumers have a right to easily understandable information about privacy and security practices.
- Respect for Context. Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security. Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
Consumer Privacy Bill of Rights Could Harm Big Data Discovery
While those proposed rights may seem sensible and innocuous on the face of it, Daniel Castro, director of the Center for Data Innovation at nonpartisan think tank The Information Technology & Innovation Foundation, says they have the potential to kill a large part of the promise of big data analytics.
[Related: Big Data Collection Colliding with Privacy Concerns]
"It's based on FIPPs, which was designed in the '70s," Castro says. "The reason that matters is that FIPPs was designed with the understanding that all innovation occurs before you collect the data. You figured out what you needed and then went out and collected the data. Big data is very different. All innovation occurs after you collect the data. FIPPs would say you have to know how you're going to use the data before you collect it, and then you only collect the data that you're going to use. It doesn't allow companies to have that experimental approach to data."
Much of the promise of current and emerging big data analytics technologies is the capability to perform discovery on massive and varied data sets to generate new insights. This process is not as much about learning the answers to questions as it is about determining which questions you should be asking in the first place.
Castro argues that if the government limits organizations to only collecting data for a purpose specified at the outset, and only using that data for the specified purpose, a great deal of the power of big data will be lost. Additionally, he says, American organizations will find themselves at a competitive disadvantage against international organizations that are not limited in such a way.
Big Data Regulation Poses Risks
David Keating, co-chair of the Privacy & Security Group and partner in the Technology Group at law firm Alston & Bird has a less pessimistic view than Castro, but acknowledges that there is risk of serious harm if the government gets it wrong.
"Companies should certainly be aware of and paying close attention to the discussion, not only in the White House report but also within the Federal Trade Commission," Keating says. "The FTC has had a loud voice, especially over the past 12 to 18 months, on big data. The risk we run if we get this wrong on the regulatory side is that we shut down innovation and put at risk the competitiveness of our economy."
"In the U.S., we know we have an edge in a number of areas, and one of the areas that we have an edge is in respect to analytics and only services. We have to be incredibly careful not to put that at risk," Keating says.
[Related: The 8 Most In-Demand Big Data Roles ]
"We're far away from really understanding and appreciating what discoveries lie ahead right now," adds Capgemini's Cohen. "If we start to legislate and regulate now, it's not unlikely that 12 to 18 months from now we'll be doing it all over again."
CIOs Should Get Proactive About Data Privacy, Education
The upshot, Keating says, is that CIOs should make sure they are building privacy into operations and new systems they are building at an early stage.
"Are we thinking about data issues from the privacy side so we don't invest $30 million in our customer intelligence system only to find out that we can't do some of the things we were intending to do?" Keating asks. "Are we thinking about ways in which data can be flagged for different treatment, if that's feasible with different systems, such that if there's a need to segregate data, it can happen, if there's a need to screen or obscure or anonymize data, it can happen?"
And Keating says, CIOs should be reaching out to internal privacy offices (or legal departments where there is no separate privacy office) to help them stay abreast of privacy issues. For and maintain those relationships now, he says.
Cohen adds that the best thing CIOs and their organizations can do at this stage is to get proactive. Think about and create a policy for how your organization will collect and use data and work to educate constituents and customers about how data is used to their benefit.
"I think taking a lead is very, very important right now," he says. "I think the private sector and big enterprises have an obligation to do that. All it takes is a few abuses and this will be addressed even more strongly."
"One of the most important things CIOs need to be thinking about is how they can educate people outside their immediate sphere about the benefits of data," he adds.
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.