
Thales Blog

8 Elements Of Personal Data Policies For IoT

March 19, 2015

Andy Kicklighter | Director of Product Marketing

Given the current global furor over continuing data breaches, the Edward Snowden disclosures, and the hue and cry around NSA collection of data from mobile phones and around mobile encryption, now is a good time to stop and think before we plunge wholesale into even more extensive collection of personal information from IoT environments and devices.

Think how much worse a breach could be if the data includes full profiles of people's movements, actions, eating habits, purchase preferences or even more personal information. Consider at the same time the potential for abuse if this information is improperly handled or made available.


It seems inevitable that legislation will lag our technical capability to collect and use data, but there will eventually be a reckoning with the public. Given that coming day, organizations that have put in place policies and procedures for both the use and the safeguarding of data coming in from the IoT tsunami will be better perceived by the public, at an advantage against competitors, and ready for regulators. Properly structured policies, followed to the best of the organization's ability, will show good faith in preserving public rights and trust.

There will of course need to be variations in policy. Even within a field like healthcare, different policies will be required depending on data type and usage: a patient's health records as used by a primary care provider, versus data collected by researchers working on lifestyle and experimental studies. In the first case permanent storage and protection is required; in the second, most people would prefer that personal data be anonymized appropriately and early in the process.

From my point of view, these policies need to break down into eight key areas:

  • Collection – What data will you collect?
  • Usage – What will you do with the data?
  • Retention – How long will you keep the data?
  • Access – Who will have access to the data?
  • Protection – How will you protect the data from compromise?
  • Opt in/out – How can personal information be deleted if requested? Not collected at all?
  • Breaches – What will you do if the data is exposed outside of your policies?
  • Auditing – How will you verify that you are meeting your policies?

There are plenty of ideas about how to build suitable policy sets: task a privacy group with creating best practices? Create a new set of ISO or IEEE standards? Start a central clearing house that not only creates privacy policy sets but administers users' preferences and serves them up via the web (think of it as an extension of the "do not call" registry)? But it's pretty clear that we're going to have no such resources any time soon. If your organization is going to be building or using IoT personal data, now, early in the game, is the time to set your policies.

To close this out, you’ll find below one sample policy set built using these principles … See what you think.

=======================================================

In this example we’ll use a health and activity monitoring smartwatch with a back end application that tracks and displays activity, pulse rate, sleep patterns, and (just for grins) also feeds back GPS data about where you’ve been, linked back to a mapping function that tracks eateries (You went to Krispy Kreme again? Oh man, you just lost points). You have to register at a portal to be able to use the device, and there is a light yearly fee (allowing them some real tracking of who exactly you might be).

Policy set:

  • Collection – What data will you collect?
    • Your identity, height, weight, build, motion activity, steps, changes in location, pulse rate, depth and type of sleep patterns, which commercial restaurants you visit, and duration of stay
  • Usage – What will you do with the data?
    • We will use the data to display your activities and trends on a phone or web application
    • We will use anonymized data (information that does not identify either you, or your locations visited) for aggregated analysis of device usage and effects
  • Retention – How long will you keep the data?
    • Full data will be retained for 2 years
    • Anonymized data will be retained for 5 years
  • Access – Who will have access to the data?
    • Full data set: Used for display through an app on your phone or website only, to a person who logs in with your credentials
    • Account information: Customer service personnel can see your name and account number only
    • Anonymized data: Information collected from the device that does not identify your primary residence, personal identity, or movement patterns can be shared internally for aggregated analysis of trends only
    • Data sharing: We will not share any of your data outside of our organization, including with any affiliated business units. Anonymized data may be retained if our organization is acquired, subject to our retention policy.
  • Protection – How will you protect the data from compromise?
    • We will use secure, encrypted storage on the device
    • We will use industry standard TLS (still commonly called SSL) to encrypt communications between the device and our service, and between our service and the web application
    • Within our organization's service, all data will be encrypted, tokenized or masked, with data access policies that correspond to our information access policies and are implemented as security controls
    • Security personnel with access to policy-setting infrastructure will undergo periodic financial, criminal and lifestyle audits
    • We will collect information on data access patterns from within our application, from the underlying IT infrastructure and from internet access points, and analyze the results to identify possible threats to your data
  • Opt in/out – How can personal information be deleted if requested? Not collected at all?
    • At any time, you may select information that you do not want collected from the device. A check list of available measurements is available from the application.
    • You may opt out of anonymized data collection at any time in the same way
    • Your account may be deleted, including all sets of information except those relating to your payments, at any time if you choose to stop using the service.
  • Breaches – What will you do if the data is exposed outside of your policies?
    • If we believe that your anonymized data set has been compromised, we will notify you in the application and through your contact information.
    • If your personally identifiable information is lost, we will … (specific breach policy )
  • Auditing – How will you verify that you are meeting your policies?
    • Outside auditors trained to compliance standards …
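A policy set like the one above is only worth something if the service actually enforces it, and the Collection, Usage, Access, Retention and Opt in/out rules are concrete enough to be written as code rather than left as prose. The sketch below is an added example, not code from the original post or from any Thales product: it turns the sample policy into four checks (drop unticked measurements before storage, produce an anonymized copy with no identity and no visited locations, serve each role only the view the Access rules allow, and purge records past their retention window). The field names, the shape of the opt-out checklist, the role names and the sample record are all assumptions chosen to mirror the sample policy.

```python
"""
Policy-as-code sketch for the sample smartwatch policy set.
Added example; field names, checklist shape and role names are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Assumed field names for the items the sample policy lists under "Collection".
IDENTITY_FIELDS = {"user_id", "name", "height_cm", "weight_kg", "build"}
LOCATION_FIELDS = {"gps_track", "restaurants_visited", "visit_minutes"}
# Measurements a user can untick on the opt-out checklist. Identity and
# account data are not measurements, so they are not on the list.
CHECKLIST = {"steps", "motion_activity", "pulse_rate", "sleep_depth",
             "sleep_type"} | LOCATION_FIELDS

FULL_RETENTION = timedelta(days=2 * 365)   # full data retained for 2 years
ANON_RETENTION = timedelta(days=5 * 365)   # anonymized data retained for 5 years


def collect(raw: dict, opted_out: set) -> dict:
    """Minimize at ingest: drop unticked measurements before anything is stored."""
    unknown = opted_out - CHECKLIST
    if unknown:
        raise ValueError(f"not on the checklist: {sorted(unknown)}")
    return {k: v for k, v in raw.items() if k not in opted_out}


def anonymize(record: dict):
    """Aggregate-analysis copy: no identity, no visited locations.
    Returns None when the user has opted out of anonymized collection."""
    if record.get("anon_opt_out"):
        return None
    drop = IDENTITY_FIELDS | LOCATION_FIELDS | {"anon_opt_out"}
    out = {k: v for k, v in record.items() if k not in drop}
    # Coarsen the timestamp to the day: enough for trend analysis, and it
    # removes one easy way of matching a row back to a specific event.
    out["recorded_at"] = record["recorded_at"].replace(
        hour=0, minute=0, second=0, microsecond=0)
    return out


def view_for(record: dict, role: str, requester_id: str) -> dict:
    """Apply the sample policy's Access rules to one record."""
    if role == "account_holder" and requester_id == record["user_id"]:
        return dict(record)  # full data, own account only
    if role == "customer_service":
        return {k: record[k] for k in ("user_id", "name")}  # name + account number
    if role == "analyst":
        anon = anonymize(record)
        if anon is None:
            raise PermissionError("user opted out of anonymized analysis")
        return anon
    raise PermissionError(f"no policy grants role {role!r} access")


def can_view(record: dict, role: str, requester_id: str) -> bool:
    """True if the Access rules grant this requester any view of the record."""
    try:
        view_for(record, role, requester_id)
        return True
    except PermissionError:
        return False


def purge(full_records: list, anon_records: list, now: datetime):
    """Return only the records still inside their retention window."""
    keep_full = [r for r in full_records if now - r["recorded_at"] <= FULL_RETENTION]
    keep_anon = [r for r in anon_records if now - r["recorded_at"] <= ANON_RETENTION]
    return keep_full, keep_anon


# Constructed sample record for the example (not real data).
SAMPLE = {
    "user_id": "acct-1001", "name": "Alice Example", "height_cm": 170,
    "weight_kg": 64, "build": "medium", "steps": 8421, "motion_activity": "walk",
    "pulse_rate": 72, "sleep_depth": "deep", "sleep_type": "rem",
    "gps_track": [(37.78, -122.41)], "restaurants_visited": ["Krispy Kreme"],
    "visit_minutes": 25, "anon_opt_out": False,
    "recorded_at": datetime(2015, 3, 19, 7, 30, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    stored = collect(SAMPLE, opted_out={"gps_track", "restaurants_visited"})
    print("stored fields:", sorted(stored))
    print("analyst sees:", sorted(view_for(stored, "analyst", "bob")))
    print("support sees:", view_for(stored, "customer_service", "bob"))
    three_years_on = stored["recorded_at"].replace(year=2018)
    full, anon = purge([stored], [anonymize(stored)], three_years_on)
    print("kept after 3 years: full", len(full), "anonymized", len(anon))
```

The point of the structure is that the minimization happens before the write, not after: anything the user unticked never reaches storage, so it can neither leak nor need purging. The retention purge is deliberately a separate routine so it can run as a scheduled job with its own audit log, which is what the Auditing section's outside auditors will ask to see.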