Addressing Challenges in Legislative Policy for Data Governance
The Information Accountability Foundation (IAF) aims to establish effective global information policies to utilize data wisely in the digital age. The IAF emphasizes the importance of accountability, responsibility, and risk-based frameworks in promoting data-driven innovation while safeguarding individuals and society. It critiques current legislative models, such as the GDPR, for their limitations in balancing individual rights with beneficial impacts. The IAF advocates for implementable risk-based legislation aligned with fair processing principles to create a trusted digital ecosystem.
Presentation Transcript
CAN WE SOLVE THE LEGISLATIVE QUAGMIRE?
Barb Lawler & Marty Abrams
WireWheel Spokes Conference, June 30, 2021
WHAT IS THE IAF?
The Information Accountability Foundation (IAF) is the preeminent global information policy think tank, creating collaborative scholarship and education on the policies and processes necessary to use data wisely in an observational age, while enabling a trusted digital ecosystem that serves people.
We believe it's critical that organizations are able to think with data and engage in knowledge discovery in order to have a trusted global digital ecosystem.
We believe that organizations must be accountable, responsible and answerable, and be prepared to demonstrate it.
We believe that frameworks based on risk assessment and effective information governance enable beneficial, data-driven innovation while protecting individuals and society from the potential harms that may arise from data processing in the digital age.
AGENDA
- Why we undertook this effort and why it may be important to you
- Data should serve people, not create a bureaucratic mess
- Fair Processing Principles
- Approaching the chaos from a risk-based perspective
- Implementable Risk-based Legislation Aligned with Fair Processing Principles
- What's Next: IAF dialogs on the Model Legislation
- Resources
DEEP DISSATISFACTION WITH CURRENT MODELS
- What is on the table or has been enacted so far is not working for anyone
- Consensus that legacy privacy law structures are ineffective in protecting both innovation and people
- GDPR makes knowledge creation almost impossible
- Focused on individual control in an observational world that drives highly complex analytics
- Places the onus on consumers to manage fair processing, not on the responsible parties
- Legacy models target individuals being able to exercise rights, not bad outcomes
- Discounts people's interest in beneficial impacts in favor of unachievable individual control
- Claims to be risk-based, but risk of what?
- Documentation for documentation's sake: does that really abate risks to people?
LEARNING FROM THE GDPR: REVISITING 2016
- GDPR was written to be risk-based legislation, by consensus of all key players
- There was never a discussion of what that meant:
  - Impediments related to individuals' ability to exercise their rights?
  - Unfair outcomes from the processing of data?
  - Reticence risk from not processing data, related to the full range of stakeholders and interests?
- The absence of that discussion has impacted the effective implementation of the GDPR
- Has the GDPR turned out to really be risk-based?
CHAOS EXAMPLES
- Has the pandemic taught us how to balance risk to individuals and societies?
- Has vendor oversight become a risk management infinite loop?
- Do we have a pathway to a trusted AI future?
- Can an observational digital ecosystem achieve effective governance?
- Is government interception of HR data by the national security agencies a real risk to employees?
WHAT IS THE PUBLIC AGENDA FOR PRIVACY LEGISLATION?
- Better implementation of notice and choice systems, which are widely acknowledged to be inadequate?
- Give individuals control over their information, through rights of access, correction, restriction, portability and deletion?
- Prevent discrimination against individuals or protected classes, or other harmful uses of data?
- Fundamentally change the profiling-based, attention-capture, observational business models of online services?
- Set boundaries for permissible and impermissible data uses?
- Are the goals the same for an offline business, an online store, a B2B cloud service, an IoT device, and a social networking site?
WHAT WOULD YOU, AS A BUSINESS LEADER, WANT FROM PRIVACY LEGISLATION?
- Create more legal certainty or more flexibility?
- Enhance trust?
- Reduce operational burdens from inconsistent state legislation?
- Align with global standards?
- Facilitate knowledge creation by stabilizing rules related to analytics and AI?
OUR APPROACH IS TO DESIGN ACCOUNTABILITY AND RISK-CENTERED LEGISLATION
A risk-centered approach to fair data processing, necessary to achieve shared goals for beneficial innovation, trust and fairness, bases decisions on the likelihood and the severity of harm and the degree of benefit to people, groups of people, society and organizations if data are processed or not processed:
- The risk to stakeholders from processing
- The risk to stakeholders of not processing (societal opportunity cost)
Fair Data Processing means:
- Organizations are Accountable and Measured
- Organizations Inform and Empower individuals
- Organizations are evaluated for Competency and Integrity, and by capable Enforcement
Note: Slide has a build for each principle
FAIR PROCESSING PRINCIPLES AS A FRAMEWORK TO UNDERSTAND THE MODEL LEGISLATION
To be risk-centered, the legislation applies accountability elements and Fair Processing Principles. The principles are color coded. The Model Legislation sections have the same color coding to reflect the risks being addressed.
- Accountable and Measured. Organizations must be responsible for how data are used and be answerable to others for the means taken to be responsible. Decisions must be explainable to others based on objective measures.
- Informing and Empowering. Organizations have a proactive obligation to inform stakeholders about the data processed, the processes used to assess and mitigate risk, and an individual's ability to exert control and make choices.
- Competency, Integrity and Enforcement. Organizations are evaluated by the competency they demonstrate in reaching decisions to process data pertaining to people, their honesty, and their disclosures and actions. Organizations are responsible for outcomes, but the IAF Model contemplates that there is a difference between systematically bad decisions and anomalies. A well-resourced and capable regulatory enforcement mechanism is necessary.
THE MODEL LEGISLATION TABLE OF CONTENTS
Article I. Short Title and Table of Contents
  Section 1.01 Short Title and Table of Contents
  Section 1.02 Findings and Purpose
  Section 1.03 Definitions
Article II. Fair Processing of Personal Data
  Section 2.01 Lawful, Responsible, and Fair Processing
  Section 2.02 Restrictions on Processing
  Section 2.03 Unethical and Reckless Processing
Article III. Responsibilities of Accountable Covered Entities
  Section 3.01 Open and Transparent Processing
  Section 3.02 Meaningful Control
  Section 3.03 Data Quality, Accuracy, and Retention
  Section 3.04 Access and Data Portability
  Section 3.05 Responsible and Accessible Redress
  Section 3.06 Data Security
  Section 3.07 Procedures, Exceptions, and Rule of Construction
Article IV. Accountable Processing
  Section 4.01 Accountable Processing Management Program
  Section 4.02 Ethical, Trustworthy, and Preventative Design
  Section 4.03 Accountability for Automated Decision Making
  Section 4.04 Accountability for Processing by Service Providers and Third Parties
  Section 4.05 Workforce Accountability
  Section 4.06 Oversight: Demonstrating Trustworthiness, Compliance, and Ongoing Commitment to Responsible Processing
Article V. Processing Risk Management
  Section 5.01 Risk Management Strategy
  Section 5.02 Assessment of Processing Risk
  Section 5.03 Categorization of Processing Risk
  Section 5.04 Processing Impact Assessments
  Section 5.05 Enhanced Processing Impact Assessment to Assess Implications of Automated Decision Making
  Section 5.06 Bad Faith
  Section 5.07 Rulemaking
Article VI. Enforcement by Commission and State Attorneys General
  Section 6.01 Enforcement by Commission
  Section 6.02 Enforcement by State Attorneys General
  Section 6.03 Safe Harbor Programs for Responsible and Accountable Covered Entities
  Section 6.04 Safe Harbor for Accountable Small Business and Non-Profit Orgs
  Section 6.05 Accountability Reports and Assessments
  Section 6.06 Implementing Regulations to Support Accountability
Article VII. Commission Education, Guidance, Outreach, and Reports
  Section 7.01 Consumer Education
  Section 7.02 Guidance and Outreach for Covered Entities
  Section 7.03 International Cooperation for the Protection of Personal Data
  Section 7.04 Report
Article VIII. Commission Resources and Authorization of Appropriations
  Section 8.01 Appointment of Additional Personnel
  Section 8.02 Authority to Establish New Bureau or Office
  Section 8.03 Authorization of Appropriations
Article IX. Preemption
  Section 9.01 Preemption
  Section 9.02 Effect on Other Laws
  Section 9.03 Government Accountability Office Study and Report
Article X. Effective Date and Savings Clause
  Section 10.01 Effective Date
  Section 10.02 No Retroactive Applicability
  Section 10.03 Savings Clause
WHY A RISK-BASED MODEL IS SUPERIOR
- It is different from everything else on the table
- Empowers organizations to think with data
- Based on sound concepts that have worked
- It does require change, but the change has implementable guidance and steps
- Documentation is intended to flow from risk assessments based on clear risk concepts
- Most of all, IT ALLOWS YOU TO TRULY THINK WITH DATA!
SUCCESSFUL LEGISLATION INVOLVES ALL STAKEHOLDERS
- Stay tuned for IAF dialogs on the Model Legislation
- Please contact us to be involved and learn more
IAF RESOURCES
- The FAIR and OPEN USE Act (IAF Model Legislation), May 2021
- Fair Processing Demonstrable Accountability Elements
- AI and the Road to Expansive Assessments
Membership or other inquiries: info@informationaccountability.org
WHAT IS THE CURRENT PROPOSED LEGISLATION SOLVING?
- Is it to better implement notice and choice systems, which are widely acknowledged to be inadequate?
- Is it to give individuals control over their information, through rights of access, correction, restriction, portability and deletion, when control isn't meaningful?
- Is it intended to prevent discrimination against individuals and protected classes when models are developed?
- Is it intended to fundamentally change the profiling-based, attention-capture, observational business models of online services?
LAWFUL, RESPONSIBLE, AND FAIR PROCESSING (SECTIONS I-III)
- Eleven legitimate uses for lawfully processed data
- Includes knowledge discovery as a legitimate use, which paves the way for flexible innovation
- Includes important table-stakes fundamentals for individual rights, data security and data integrity
ACCOUNTABLE PROCESSING AND RISK MANAGEMENT (SECTIONS IV-V)
Requires a strategic, implementable and operational Accountable Processing Program that:
- Is measured
- Is properly resourced
- Includes trustworthy design
- Requires accountability for automated decision-making
- Requires assessments based on levels and types of risk
- Defines Risk Management criteria
- Defines categories of processing risk to individuals, considerations for vulnerable populations, and assessment criteria
- Requires the ability to stand ready to demonstrate
ROBUST OVERSIGHT AND ENFORCEMENT (SECTIONS VI-X)
- FTC is the primary oversight and enforcement agency
- Comparable in size to a data protection agency
- Mandatory rule-making for certain provisions
- State Attorneys General may enforce as well
RISK-CENTERED
A risk-centered approach to fair data processing, necessary to achieve shared goals for beneficial innovation, trust and fairness, bases decisions on the likelihood and the severity of harm and the degree of benefit to people, groups of people, society and organizations if data are processed or not processed:
- The risk to stakeholders from processing
- The risk to stakeholders of not processing
ACCOUNTABLE AND MEASURABLE
Such a risk-based approach requires that organizations be accountable, with accountability defined as organizations being responsible for how data are used and being answerable to others for the means taken to be responsible. While organizations have primary responsibility for fair processing, individuals still have control where uses are impactful and individual controls are effective. A decision is not risk-based unless there is a measurement of the risks and benefits at issue and the integrity of the assessment is demonstrable to others. Risk/benefit decisions are not always intuitive. They require assessments that identify the parties that might be impacted by the use of data, how they might be impacted, and whether the risks and benefits are mapped to the people, groups of people and society. The matching of risks to benefits might not be one-to-one, but discrepancies must be understood and reasonable. Decisions must be explainable to others based on objective measures. While loss of individual autonomy is a risk factor, risks and enhancements to other fundamental human interests like health, employment, education and the ability to conduct a business must also be part of an assessment.
INFORMING AND EMPOWERING
Organizations have a proactive obligation to inform stakeholders about the data processed and the processes used to assess and mitigate risk. While fair data processing is less dependent on individuals' decisions, where individuals do have rights, those rights should be transparent and easily exercisable. This relationship between individual rights and fair data processing facilitates organizations being held to account.
COMPETENCY, INTEGRITY, AND ENFORCEMENT
Organizations are evaluated by the competency they demonstrate in reaching decisions to process, their honesty in making decisions that serve the stakeholders that are impacted, and the alignment of their disclosures and actions. All organizations will make mistakes, and some of those mistakes will impact people, groups of people or society. Organizations are responsible for those outcomes, but there is a difference between systematically bad decisions and anomalies. A well-resourced regulatory enforcement mechanism is necessary for a risk-centered, accountability-based governance system to be trusted.
KEY FINDINGS
- The United States information ecosystem is the world's most innovative.
- The rapid evolution of life-changing digital products, services, and consumer applications has produced equally awesome and complex challenges for individuals and society. These complex challenges require equally complex protections.
- Organizations that get value from data must be responsible stewards of that data and be held accountable.
- The United States needs a new twenty-first century paradigm that incentivizes organizations to optimize beneficial uses of data while simultaneously minimizing adverse consequences for individuals and society as a whole.
- A national framework based on accountability and risk assessment, backed by robust enforcement and oversight, meets this objective.
IMPORTANT DEFINITIONS
- Adverse processing impact
- Benefits to individuals and competition
- Personal data
- Provided data
- Observed data
- Inferred data
- Third party provided data