Sharing personal data has many facets, from privacy concerns and ethical considerations to business opportunities and the needs of individuals. Once personal data is shared, users often lose control over how it is used, stored, or further shared. On the other hand, there are considerations of how individuals might monetize and benefit from their personal data.
That’s why IDSA launched the Personal Data and IDS Sub Working Group in May 2023 to explore personal data sharing, its possibilities and challenges in an increasing data-driven world. How can IDS concepts help make personal data more trustworthy and better controllable by the owners? What are the main obstacles and how can they be addressed? How can we gain value and knowledge without risking exploitation? Transparent data practices are critical to building confidence in sharing.
It’s obvious that we need to guide people who will implement a data space that involves sharing of personal data. IDSA is mainly driven by industrial initiatives and industrial data. Now the intersection of IDS and personal data sharing is explored and will be defined. We will have a GitHub for internal collaboration and for external dissemination.
But first, what exactly is personal data? One of the tasks of the group is to identify what counts as user-centric data. This is more complex than one would think. For example, let’s say you have an air quality monitor in your garden and data is generated there. But does it really belong to you or to the machine or to the sensors?
Another task of the group is to look at how IDS currently handles scenarios where individuals play a role. How can we address personal data in the IDS standard? The sub-working group plans to develop a step-by-step guide to help implementers decide what technology or components to use, at what stage of development, and in what way. There are a lot of technologies for personal data available such as from MyData, iShare and other initiatives. The subgroup works on identifying the development path to create IDS-compliant data spaces.
And there is more to be done: The IDS RAM will be expanded to include all aspects and requirements from the personal data perspective. And clearly define the difference between the requirements for personal and organizational or industrial data. Currently, the IDS RAM does not refer to personal data and the same is true for the IDS Rulebook – a clear positioning will be provided in both. How can it be applied in an IDS data space?
Going back to the example above, where sensors in the garden monitor air quality, IDSA components can be used to collect and to share this data with other parties. But the big question, who has the right to this data, is still open. If I produce data in a place that I own, do I have the right to commercialize it? That question is a bit revolutionary because, to stay with this example, up to now we’ve all been using the air quality application of our phones, as data consumers. But now we have the chance to become a data provider as well. Others can consume the data that we help generate.
But now there is a possibility for a person to become a data provider as well. The data we help generate can create greater good for others and we can all benefit from a fairer exploitation of personal data. Majority of IDS-compliant data spaces already involve personal data (directly or indirectly), we just need to establish the mechanisms that ensure secure and sovereign data sharing for individuals.
Another example are personal health records that you can share with health organizations, hospitals, and government bodies. But there’s also the possibility of using this data for other purposes. Which purposes this might be has to be still explored and clearly defined. The question of which data is yours can be ambiguous.
IDSA wants to take a clear position towards what we call personal data, user-generated data, or user-centric data. IDS is not only applicable to organizational or industrial data. That would be a misconception. The subgroup will help emphasize our support for personal data. The purpose is to empower individuals by improving the right to self-determination regarding their personal data – and maybe gain something along the way.