Ethical Data Management in the Age of The IoT

Video surveillance, remote health monitoring, consumer behavior tracking – the list is endless of decades-old capabilities for observing and capturing information about people. What is different now, in the Internet of Things era, is the sheer volume of the data and the power of assembled data to present a more detailed picture of individual behavior than ever before. When does data collection cross the line from being useful to being intrusive? How do we protect the privacy of the individual while collecting information that might be critical for our well-being?

In the world of IoT, it’s hard to separate issues of security, trust, risk tolerance, and privacy. These considerations are all interconnected and ultimately relate to ethical data management. Users need to believe that the devices they use or are exposed to within the IoT are secure, can safeguard their identity if appropriate, and have acceptable levels of risk tolerance associated with whatever action these devices perform or with regard to the human interaction with these devices. If these devices are capable of collecting and transmitting or storing tremendous amounts of data, it is up to the organizations producing these devices and the applications and services they provide to take responsibility for what they do with that data.

To maintain trust in the age of the IoT, organizations must uphold ethical standards when it comes to handling data collected through or passed to the myriad of connected devices. Organizations should put business practices and software design methodologies in place to ensure the protection of data and individuals’ right to privacy. Standard practices like data governance, security architectures, and system integrity take on new significance in the IoT and must reflect the complexity of this new context.

IoT Data Governance – Prior to implementing IoT systems, organizations must have insight into the entire lifecycle of the data flowing through the IoT system. They must determine what data will be collected, how it will be secured, where it will go (to enterprise systems as well as across geographic borders), and whether it will be stored. Each aspect of the data journey is affected by compliance considerations. The regulations may differ based on state and country, and certainly differ based on the type of data – financial, communications, or medical. As with any other data governance practice, decisions should be made by a cross-functional team with representatives from IT, legal, marketing, and others who can define the processes for ensuring the ethical management and use of the data.

Data Security Architecture – IoT architectures need to be designed with the ethical management of data in mind from the outset. Because so many of the data safeguards overlap with system security, it is best to architect these in tandem. Using business rules and complex event processing technologies, edge analytics, and data caching can enable an organization to limit, restrict, anonymize, retain, or purge data according to the privacy risks as weighed against the value of that data.

System Integrity – Identity and access management on an ongoing basis are important facets of an enterprise data application. The IoT adds another dimension to access policies. Now, not only must the identities and roles of users be managed, but the access policies of countless devices have to be managed as well. Careful consideration should be given to what or who (enterprise system, connected device, application users, administrators) has access to IoT data and what they can see.

In the age of the IoT, meeting compliance thresholds might not be enough. Maintaining trust with the public can often mean going beyond the government regulations currently in place to protect data. For the real value of the IoT to be achieved, the public should participate actively in the collection and utilization of the IoT data.

Deployment plans for IoT solutions should include a communications plan that outlines how the public can be informed of what is happening with data about them that is being collected and whether they will be asked to explicitly opt in. This is akin to the terms of use agreement that we enter into when we use most any website or mobile application. This is already common practice in digital commerce, for example, in online retail. Monitoring customer interactions in a brick-and-mortar store is just an extension of that digital experience and as such should require the same kind of disclosure about what data is being collected and how it will be used. Transparency about IoT data and its utilization can allay some of the concerns that undermine trust. An organization’s ability to be open about its data policies is rooted in its ethical approach to managing IoT data.

Mark Coggin is senior director of solutions marketing at Red Hat (www.redhat.com).