Data Privacy: A Public Policy Challenge

Author: Muneeb Imran Shaikh, CISSP, CRISC, CCSP, PMI-ACP, ISO 27001, ISO 27701 LI, COBIT 2019, CDPSE, Competitive Strategy & Innovation – London School of Economics
Date Published: 7 March 2023

Public policy is an instrument that is used by nation-states to achieve their aspirations. The moral codes held and shared together by society compel its policymakers to draft policies, laws and regulations that represent the ethos and aspirations of society.

Humans have historically relied on information and data to innovate and create value within a society. The banking and financial sector, medical facility providers and government entities have always relied on information and data to deliver services, create products and contribute towards the overall socio-economic growth of society. However, the size, structure and usability of the data have varied throughout human history.

In today’s world, improved computational capabilities have enabled businesses and public and private organizations to better structure their data in the form of huge databases and leverage analytics to generate business intelligence and contribute to value creation.

With these computational and analytical capabilities, there are increasing avenues to develop profiles of humans’ behavior around their purchasing, spending and consumption habits, their genetic profiling, their travel history, medical history, etc. While these capabilities add value to human society, they also come with risks of intruding into individuals’ privacy.

Unfortunately, the discourse around personal data is centered only on its protection from leakage or breach. However, the primary objective of safeguarding personal data is to ensure that such data are not processed in ways that create a more inequitable society and bring about unfair outcomes.

The amount of discrete data available today allows us to bring more nuance and innovation into public policy, thereby helping to iron out imbalances within society.

Public policy experts wish to avail themselves of discrete personal data accumulated by public and private organizations to effectively address issues associated with healthcare, financial sustainability and overall security concerns.

To put forward any policy recommendations, there is a need to identify broad patterns of human behavior and propose a solution that may further require some algorithmic decision-making. Identifying human behavior or preferences and then associating them with ethnicity, race or religion can cause the wedges within a society to deepen even further.

Therefore, the protection of personal data is not just a matter of its secure storage in a safe or in information systems but also of its fair processing, which helps to eliminate or minimize the asymmetry between the social classes of society. When such personal data are used to carve out policies that might be extractive in nature or to target a particular section of a society, there is a strong likelihood that this would end up legalizing prejudice and systemic racism.

There is strong contention among privacy advocates that the use of such discrete personal data can strengthen elite capture and cultivate extractive public policies in which minorities within society can be further targeted for extraction.

Consider the scenario in which increasing medical treatment costs need to be addressed within a society, and as the public policymakers begin to crunch through the data, they figure out that a substantial chunk of medical costs has been associated with the treatment of a specific disease that might be more prevalent among individuals and families of a specific racial or ethnic background. If similar information is used by public policymakers or regulatory authorities to allow medical insurance companies to increase the insurance premium for individuals belonging to that racial or ethnic community, then it may put the community in a disadvantageous position or may leave some members of similar communities unable to afford medical insurance at all.

There can be various similar scenarios in which minority sections of society are subjected to policy decisions that inflict damage on society’s fabric, and therefore, such data processing might serve as a tool to perpetuate the problem rather than to solve it.

Data privacy therefore needs to be seen as a public policy challenge and not just as an information security issue. The objective of protecting personal data is linked to the creation of a fair, harmonious and just society.

About the author: Muneeb is an Information Security & Privacy Consultant with a forte in strategy, program development, governance and compliance. Based in the Middle East region, he has worked with clients from the financial, governmental and telecommunication sectors to help them develop and implement cybersecurity and privacy programs in accordance with their regulatory, legal and compliance requirements. He has contributed his knowledge and expertise through various writings, podcasts, policy reviews and conference appearances. For more details, visit: http://www.linkedin.com/in/muneebimranshaikh/.