Protecting your privacy is considered very important in the Netherlands. At least 94% of Dutch people are concerned about the protection of their personal data according to a recent investigation by the personal data authority. Do we have a grip on our personal data?
The enormous data explosion that has taken place in recent years, and is still taking place, will not diminish that concern. And even though the introduction of the AVG (the GDPR) has brought more regulation and given citizens more say over their personal data, we are not yet fully in control of our personal data and its distribution.
It also seems that researchers have stopped counting how many systems someone’s personal data is in. The last research that we could find during a short Google search spoke about 250 to 500 systems. And that was in the year 2009 … or 10 years ago. It is inevitable that this number has risen sharply.
An interesting question is what impact blockchain technology could have. At first glance the blockchain does not bode well: after all, the blockchain is a decentralized database in which various parties (nodes) have a copy of the database. That sounds like a lot of copies of your personal data.
However, this requires some nuance. Provided that it is set up properly this should not be the case!
A report from the Zorg Instituut Nederland (ZiN) about blockchain in relation to the AVG clearly describes the structure with which you can create a grip on personal data. Briefly summarized: do not store (personal) data in the blockchain, or at least minimize it, but leave it at the source.
This is a very relevant statement and therefore offers opportunities to get a better grip on personal data. Why? Because the situation as it is right now is not that good.
Data is often exchanged in the current IT landscapes. Data is transferred both within an organization and between different organizations. From that moment on the recipient has a copy of the data which they will have to protect and manage as well.
With the introduction of the AVG, many rules have been made for this. They translate into processor agreements, exchange agreements, better security of storage and exchange of data, etc. Absolutely a step in the right direction, but the question of whether it is necessary to exchange the data at all is only rarely asked.
From a procedural and legal point of view, it is fairly well locked down, but as a citizen, I have no grip on what is happening with my data. Few organizations can give 100% insight into where my data is and with whom it has been exchanged.
Changes or deletion of data will occur at most in a number of systems. But certainly not in all systems, data warehouses, and other organizations with which the data have ever been exchanged. And do the organizations with which my data have been exchanged actually handle the data just as well as the organization to which I initially gave it?
Retrieving data that has been sent is almost impossible and it is difficult to check whether this has actually been done. And in all this, the citizen depends on how well an organization arranges this. Essentially you have to trust that what has been agreed upon will actually happen.
If the recommendations of the ZiN are followed, blockchain offers a solution here. Three principles are very important here. The first is to no longer exchange data but only to record the transaction in the blockchain. The real data remains in the source system and therefore it is always clear where this data is.
A “single source of truth” is created. An underestimated concept in privacy legislation. It is not only about where your data is but also that it is correct (accuracy, completeness, timeliness). Not unimportant, for example, in health care: what medication does someone have, what is the CPR policy, what allergies are there, etc. And if something needs to be adjusted or removed, it is completely clear where that should happen and it has therefore changed for everyone. An absolute gain compared to how it is now often arranged.
The second important point is that in the blockchain it is easy to manage who can access what data, that these authorizations can be adjusted and that it is clear who has viewed and modified information.
This requires good governance. And where desirable and possible, citizens can manage and control these authorizations themselves. In other words, the citizen gets a grip because he can determine who is allowed to access his data, where his data is and who actually was allowed to see or change it.
The last principle that is important is working with claims. The exchange of data from the past decades was partly prompted by the fact that we needed data to execute the processes. Without that data, processes could not be executed: the more data the better.
Here too, blockchain offers an important opportunity. Do you really need the data? Or do you want certainty about something? For example, do you actually need the date of birth or do you just want to know if someone is really older than 18?
In the past, you exchanged the date of birth so that the receiving organization could check at any time whether someone is older than 18. The blockchain removes this barrier. Any organization that needs to know if someone is older than 18 can refer to the blockchain and receive an answer which is either: Yes or No.
In this way, the amount of data that parties receive is reduced to what is actually necessary, in other words, data minimization.
Another advantage is that historical data does not (have to) remain with the receiving party. They can always request the current situation and do not have to save it to go through their own process.
If, for example, someone is in debt, that information is no longer relevant once the person successfully gets out of debt. In this respect too, citizens can control what information they would like to share or not.
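The three principles above (data stays at the source, managed authorizations with a record of who asked, and yes/no claims instead of raw data) can be shown together in code. This is an added example, not taken from the ZiN report or the author; the class and method names, the HMAC pseudonym key and the in-memory hash-chained list standing in for the blockchain are all assumptions.

```python
import hashlib, hmac, json

class SourceSystem:
    """Single source of truth: the only place a date of birth is stored."""
    def __init__(self, pseudonym_key):
        self._key = pseudonym_key   # secret kept at the source (assumed)
        self._birth_dates = {}      # subject id -> datetime.date, never exported
        self._grants = set()        # (subject, verifier, claim) authorizations
        self.ledger = []            # shared, hash-chained records without personal data

    def register(self, subject, born):
        self._birth_dates[subject] = born

    def grant(self, subject, verifier, claim):
        self._grants.add((subject, verifier, claim))

    def revoke(self, subject, verifier, claim):
        self._grants.discard((subject, verifier, claim))

    def _record(self, subject, verifier, claim, outcome):
        prev = self.ledger[-1]["hash"] if self.ledger else "0" * 64
        # Keyed pseudonym: ledger readers cannot recover or guess the subject id.
        pseudonym = hmac.new(self._key, subject.encode(), hashlib.sha256).hexdigest()
        entry = {"subject": pseudonym, "verifier": verifier, "claim": claim,
                 "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.ledger.append(entry)

    def is_over_18(self, subject, verifier, today):
        claim = "over_18"
        if (subject, verifier, claim) not in self._grants:
            self._record(subject, verifier, claim, "denied")
            raise PermissionError("no authorization for this claim")
        born = self._birth_dates[subject]
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        # Only the fact that a question was answered is logged, not the answer.
        self._record(subject, verifier, claim, "answered")
        return age >= 18

def ledger_is_intact(ledger):
    """Recompute the hash chain; any edited or removed entry breaks it."""
    prev = "0" * 64
    for entry in ledger:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return False
        prev = entry["hash"]
    return True
```

The verifier only ever receives True or False, and the ledger shows the citizen which party asked which question and whether it was allowed.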
Blockchain offers the perfect opportunity to get a grip on the unbridled distribution of personal data and to manage this more securely by:
In this way, blockchain offers important possibilities to actually better protect personal data, to be transparent to the citizen and to get away from the paper reality of data exchange agreements, registers and procedures for requesting data by those involved. If you have any questions or want to know more about this subject, please contact us.
Author: Jouke Langhout, Be-Better