On Data Sharing and Data Protection

I was delighted to speak with the eclectic and thoughtful Kate Carruthers recently on her Data Revolution podcast.

With Kate’s permission, I’ve extracted a few blog posts from her podcast transcript, to provide my take on data protection and data sharing, identity and identification, verifiable credentials, and a vision for making them mainstream to safeguard consumers and businesses online.

Our conversation started with data sharing and the future of data protection.

I’ve spent the past several years thinking a lot about how we should systemically safeguard data at nation-scale, commensurate with its value as an economic and community asset. See for example How to Create an Infostructure July 2022 published by the Australian Institute of Policy and Science.

My highly esteemed long-term collaborator George Peabody joined Lockstep in 2022 so we could better focus our efforts together.

Operationalising data protection is now Lockstep’s major focus.

Data protection in the rest of the world is synonymous with data privacy. The GDPR of course has “data protection” in its name. Data privacy and data protection are synonymous in many places and in a lot of the literature. Australia’s Privacy Act 1986 is based on principles nearly identical to those of the GDPR (and 140+ data protection laws around the world).

Lockstep seems to be a rarity amongst technology firms, for we advocate for conventional data protection law. We have seen how powerful it is, and how technocrats underestimate its power https://lockstep.com.au/the-regulatory-superpower-of-technology-neutrality/. Yet in my mind, today’s law is still only a prototype of the data jurisprudence we will need to protect data as a critical economic and community asset.

As I discussed with Kate, Current data privacy protection is based on technology neutral principles which call for limiting the collection, use and disclosure of personal data. Not banning collection, use and disclosure, but restraining these activities to what we really need to know for the task at hand.

There’s a default attitude that because data is valuable, we should keep it close (metaphorically, legally and geographically). But that’s not a very artful way of managing the value of data.

We actually want to share data, not only as businesses, governments and researchers, but as individuals. We individuals absolutely need to share data. Simply, we need to tell people things about ourselves.

Sadly, data sharing has got a bad rap. Commercial data brokers have operated in a ‘grey market’, exploiting regulatory loopholes (and blackholes). When they operate poorly, they have been breached, exposing spectacular personal details. But even when operating ‘well’, data brokers have made data sharing synonymous with surveillance capitalism.

Nevertheless, we cannot live under a rock online. We need new generation systems to enable data sharing in different contexts, with safety, restraint, and transparent regulations.

When data protection is taken to mean privacy, then it is all about restraint. Data protection can evolve from this precautionary position towards a more progressive treatment of the value of data.

If data is an asset or resource, then we should gauge the properties that makes that asset valuable, in different contexts, and safeguard those properties to maximise the value of data.

Kate and I then ventured onto how verifiable credentials have a bigger purpose than identity.

Lockstep’s Data Verification Platform is a scheme to rationalise and organise data flows between data originators such as government and the risk owners who rely on accurate data to guide decisions. Join us in conversation.

If you’d like to follow the development of the Data Verification Platform model, please subscribe for email updates.​