Post by Matthew Higgs, Data scientist at The Data Lab
How can personal-data sharing be made safer and easier?
An organisation wants to share personal data with me. I do not work for the organisation. In GDPR terms: they are the Data Controller and I am the Data Processor. I need to undergo a Baseline Personnel Security Standard (BPSS) check – a lengthy process delaying the start of the project. This is my pain. This article is my search for a solution.
Smart Security Checks
While BPSS checks are related specifically to access to government assets, every Data Controller should ensure Data Processors have adequate security measures in place to protect personal data. One of the problems I found with BPSS checks is that they rely on trust between the Data Controller and the Data Processor. If the Data Processor is an organisation with an HR division, then the HR division is responsible for applying the BPSS check. A person in the HR division will observe employee documentation (such as a driving licence, utility bills, and a basic disclosure report), will tick some boxes, sign a form, and then store the form somewhere. That’s it. The Data Processor can then claim its employees have undergone the necessary security checks and its fine for the Data Controller to share their data. Obviously, this approach relies on the Data Controller trusting the Data Processor to perform the security checks appropriately, without human error or corruption. While this might be OK if the Data Processor is an established organisation, what if the Data Processor doesn’t have an HR division? What if they are an SME? What if it they are a freelance data scientist? As the trustworthiness of the Data Processor decreases, so does the potential validity of any security checks they perform. How can we make this process better?
Stakeholder Experience Design
Let’s explore an ideal Data Controller and Data Processor experience. From the Data Controller perspective, they set out a data sharing agreement which is specific about the security measures the Data Processor should have in place. A number of these measures will relate to personnel security, i.e. the standard of vetting required for people who will have access to the data. Once the Data Controller has specified these requirements, they want assurances the requirements are met. From the Data Processor perspective, they want to ensure that they themselves meet the requirements so they can receive the data and get started. So, the problem is how can we ensure people who have access to the data meet the requirements of the data sharing agreement?
Shaping a Research Question
The BPSS verification process has several bottlenecks. For example, I needed to undergo a Basic Disclosure check and provide proof of employment history. These required me, respectively, to fill in a Basic Disclosure application and write to past employers for them to confirm when I worked for them. Remember the Data Controller currently does not see these records directly, they only receive confirmation from my employer that I can provide proof. I have issues with this process, it costs me time and seems very outdated. So, I ask:
Is there a way for all my security-relevant records to be collected automatically over time, securely stored, easily updated, and instantly checked to verify that my records meet the requirements of any particular data sharing agreement?
It would be great if the Data Controller could just set out the data sharing agreement, name the individuals they want to grant access to, and then click a button to start a process that will verify if the Data Processors meet the requirements and, if they do, release the data automatically to them. And, it would be great if the Data Processor didn’t need to invest time in collecting together all the necessary pieces of documentation to prove they meet the requirements. One way to achieve this would be to have a place where individuals can store all the records necessary to meet the requirements of any potential data sharing agreement. Does such a solution already exist? Regarding employment history, companies such as appii are building a career verification platform. Could such a platform be combined with a similar platform for Basic Disclosure verification? More generally:
Is there a platform where Data Processors can securely store the records necessary to ensure data is released to them (or not) as soon as data sharing agreements are finalised?
Sounds to me like an opportunity for Smart Contracts. Am I wrong? Is anyone already doing this?
This article was motivated by my experiences in completing a BPSS check to meet the requirements of a data sharing agreement. What other types of security checks are often required by data sharing agreements? How do security checks vary depending on the type of data or Data Controller? What are the technical solutions to this problem? What are the technical, commercial, and ethical challenges in building such a platform? I’m just a data scientist who wants to process data with confidence I’m meeting the requirements of those who control the data and without weeks of admin. Help me do this.