IBM’s Data Privacy and Consent Management Technology Provides Greater Control


The ever-increasing amount of data being collected by organizations is also becoming more sensitive. While information on location, habits, medical conditions and even genomic data can be a boon for enterprises that want to better understand their customers and offer enhanced services, it also represents a huge risk.

According to most privacy laws, organizations need a person’s consent to use his personal data for a specific purpose, and it can only be kept as long as it’s needed for that purpose. Unfortunately, most applications today have an all-or-nothing approach to privacy and consent. In response to this, IBM Research is developing a data privacy and consent management technology whose goal, as Sima Nadler, senior program manager for privacy and worldwide research lead for retail, explains, is to simplify consent for enterprises and provide more control over how and when data is used.

IBM Systems Magazine (ISM): Could you explain some of the difficulties involved in current consent management?
Sima Nadler (SN): Take insurance companies, for example. They’re collecting data that can be used for many different purposes—discounts based on how you drive, statistical analysis for age-related issues, well-being predictions or demographic profiles. You, as a consumer, may think it’s being used for a specific purpose, such as giving you better rates if you stay fit. But what else are they using it for that you don’t know about and didn’t consent to or didn’t know you consented to? Even if they want to comply with legal regulations for the use and protection of this data, the infrastructure doesn’t exist to do so. There’s no modeling of your consent or other privacy policies at the technical level and no linkage of it to the data that was collected. As a result, the company can put role-based controls on who can access that data, but they cannot guarantee at a technical level that it will only be used for the purpose you intended.

ISM: What are the potential results of this?
SN: Today, consent, terms and conditions are legal documents. There’s no technical representation of those terms. It’s just a text document that may change over time. The data itself is sitting in a database in some type of data store. If you could model what was in that consent contract and link it to the data, it would at least be potentially feasible, although not necessarily trivial, to enforce what was in that consent contract and various other policies. This doesn’t exist today.

I can give you a hypothetical example. A senior employee at a major health network is working on a master’s degree. As part of a project, he needs to look at and analyze some patient data. His role has access to that data. He extracts the patient data with the identities and with the diagnoses, etc., and conducts academic research on it, but there’s no consent for him to use that data in that way. Patients hadn’t opted in to that, but because the system was role-based and his role was appropriate to access patient data, he has access to it.

ISM: Who should be responsible for this?
SN: Well, it’s not the developers because they’re not privacy experts. The idea that you could teach each developer all of the different laws and rules isn’t practical or reasonable. Rather, you have to encode all of the laws and policies in a repository and use a smart engine to figure out what overrides what. The person who encodes those laws has to be a privacy expert.

One of the things we do is provide tools to help define the policies, and for a privacy officer who certifies particular applications for a purpose. For example, say I created an app for tracking personal fitness. That app would be certified for personal fitness tracking. It would not be certified for marketing or advertising or other things. Any query coming out of that app is certified only for fitness tracking.
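The difference between the role-based check and the purpose-based check described in the interview, as an added example that is not part of the interview and is not IBM's technology. All role names, purposes, application ids and patient records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data: which fields a role may read (classic role-based control).
ROLE_CAN_READ = {"clinician": {"diagnosis"}, "fitness_user": {"steps"}}

# Constructed certifications: purposes a privacy officer has approved per application.
APP_CERTIFIED_PURPOSES = {
    "care-portal": {"treatment"},
    "fit-tracker": {"fitness_tracking"},
    "stats-notebook": {"academic_research"},
}

@dataclass(frozen=True)
class Record:
    subject: str
    field_name: str
    value: str
    consented_purposes: frozenset  # the subject's consent is linked to the data itself

@dataclass(frozen=True)
class Query:
    role: str
    app: str
    purpose: str

def role_based_allows(q, rec):
    """Role-only decision: the purpose of use is never examined."""
    return rec.field_name in ROLE_CAN_READ.get(q.role, set())

def purpose_based_allows(q, rec):
    """Role check, then app certification, then the subject's consent for the purpose."""
    if not role_based_allows(q, rec):
        return False, "role may not read this field"
    if q.purpose not in APP_CERTIFIED_PURPOSES.get(q.app, set()):
        return False, "app not certified for purpose"
    if q.purpose not in rec.consented_purposes:
        return False, "no consent for purpose"
    return True, "ok"

def filter_records(q, records):
    """Return only the records this query may use for its declared purpose."""
    return [r for r in records if purpose_based_allows(q, r)[0]]

# Constructed sample records: only patient-2 opted in to academic research.
RECORDS = [
    Record("patient-1", "diagnosis", "asthma", frozenset({"treatment"})),
    Record("patient-2", "diagnosis", "diabetes",
           frozenset({"treatment", "academic_research"})),
]
```

With these records, a clinician running a research query passes the role-only check for both patients, while the purpose-based check releases only the record whose subject opted in to research.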

Jim Utsler, IBM Systems Magazine senior writer, has been covering the technology field for more than a decade. Jim can be reached at
