Online Access & Security Committee
Access Subgroup One:
This Subgroup considered: 1) the degree to which consumers should have access to information concerning them, and 2) the appropriate terms and conditions governing access. Our report, in outline form, follows. This overview provides a brief description of the Subgroup's methodology and a summary of the report itself.
Methodology: At the outset, the Subgroup decided to produce a report discussing as many legitimate approaches to data access as possible. Referred to internally by the Subgroup as a "due diligence" approach, this methodology was designed to surface a variety of ways to think about data access. Thus, the report describes many different approaches to data access and provides some basic "pros" and "cons" for each. The Subgroup recognized that not all of the approaches are equally valid. The report, therefore, is not a recommendation for specific options but rather describes the universe of options.
It is also important to note that the report does not address implementation. If recommended, the approaches described in the report could feasibly be implemented by statute, regulation, self-regulation, or some combination of the three. The Subgroup deliberately refrained from an assessment of preferable implementation strategies, and the report should not be read as a recommendation for any particular strategy.
Summary of Report: The manner in which to provide access and to what degree access should be provided are complex questions given the numerous types of non-personally identifiable and personally identifiable information, the "sensitivity" of that information, the sources of that information, and the various costs and benefits associated with providing access. Nonetheless, the Subgroup attempted to describe the most likely approaches to the question of access.
Access by Categories. First, the Subgroup considered providing different access to data on a category-by-category approach. The Subgroup identified ten potential categories of data for which access might be provided: non-personally identifiable information (non-PII), non-PII that may be linked to PII, account & transactional data, interactive data, computer information (including IP number, GUID or LUID, cookies, etc.), navigational or click stream data, derived data, data merged from other databases, distribution of data, and all PII data. After outlining the pros and cons of providing access to each of these categories, the Subgroup explored more general policy options involving categories. The Subgroup queried whether varying access rights by categories makes sense for consumers and companies and whether or not consumers should be provided access to all of their information, regardless of category.
Data Relevancy and Data Retention. At the end of the categories section, the Subgroup included two policy options regarding data relevancy and data retention. The Subgroup discussed whether those who collect data should question why they are collecting the information in the first place. One member queried: is it being collected because the technology makes it easy to do so and so "more is better", or because the information is relevant to the purpose for which it has been acquired. Policy options regarding limiting the amount of information collected are closely related to the access issue because at least one of the access options is to grant access to all information collected about an individual. Collecting less information can translate into cheaper costs for the company collecting the information. The inclusion of data retention options were also included for many of these reasons. The question is whether information that is less current should have an "expiration" date on it. Information can become stale and out of date. The Subgroup debated whether or not procedures should be put in place for the destruction of such information.
Access Depending Upon Use. Next, the Subgroup considered allowing different access to data depending on the likely use of the data. Loosely, this scheme would reflect consumer expectations in providing the data in the first place. That is, if the data were to be used for a purpose consistent with the consumer expectation in providing the data (e.g. to complete a sale and delivery) then access might be more circumscribed.
Consumer Defined Access Rights vs. Non-Consumer Defined Access Rights. The Subgroup discussed who should be able to make decisions about what access is provided to information: the consumer or some other party. The Subgroup explored creating an access regime where access rights would vary depending upon what data is considered "sensitive" or "important" by any given consumer. The Subgroup recognized that because every consumer might ascribe different importance to information, we were essentially describing a system allowing uncabined access to data. In application, varying access rights by consumer defined sensitivity really is another way of saying that consumers should have access to any information that they choose to access. The pros and cons and such an approach are included.
The Subgroup next considered whether access should be conditioned on the "sensitivity" of the data, as defined "objectively" by some third party (e.g. industry, self-government organization, government).
The Subgroup recognizes that an approach based on the importance or sensitivity of information will not be limited to a consumer definition or definition by some "other", but will likely reflect some blending.
Terms & Conditions of Access: As to terms and conditions of access, the Subgroup discussed a variety of approaches. The overall theme was to balance the need for access with the need to constrain costs, especially costs that are likely to be spread among all consumers regardless of their interest in access. Specifically, the Subgroup has reported on access fees, frequency limitations, temporal limitations and certain miscellaneous limitations.