A data breach at a company: can we still call that news? We often accept the risks of our digital world without asking ourselves whether it can be better. Should we be so laconic about this? Wouldn’t it be nice to see who knows about you, and what they know? We do not spontaneously tell a lot of people which hotel room we slept in yesterday, and who we talked to this week, but this sort of information is given to—or collected by—various digital actors every day.
Technically, it is possible to record which data has been collected and who has access to that data. But what does that look like for you? What personal data has been collected, where is it stored, and how do you gain control over this?
Is it possible to develop a better system with which you can easily and clearly see your personal data, and share that data securely and controllably?
During the meetup ‘Designing personal data ownership’ we researched this question together with visiting citizens and representatives from the initiatives DECODE, Schluss, and Cleverbase. Each initiative sought a solution to their own specific case. Four common and design principles emerged from the results.
A number of proposals were discussed during the meetup on 17 September in the Waag. Their variety shows that it is not easy to find one good solution for all of the problems surrounding our digital identity. Yet there are always recurring themes in the solutions. These themes were articulated as design principles. What are the principles that you ideally take into account while developing a digital identity? Generally, all of the solutions were based on the following four design principles.
It must be clear to the user how the personal data are collected, what they will be used for, and how they are stored.
The user must have standard access to his or her personal data without having to take steps that are too difficult or lengthy.
The user has control over the sharing of his or her personal data. The user can decide for his or herself what the personal data may be used for and for how long. In addition, a user can always withdraw any decision about the sharing of personal data.
A digital identity application must be based on trust. The integrity of the user or the authorized representative is the building block for this trust.
In case you’re thinking, “oh thanks, Captain Obvious”: most online services, from government to commercial, do not meet these requirements. It gives me hope that all initiatives reflect on the realization of these principles when designing a digital identity. Who knows, maybe your digital identity will actually become yours in the future.
The concrete cases will follow soon on which these principles are partly based.
Keep checking this site regularly!
Author: Denise Op den Kamp