Data Equity Self Assessment Test for Ethical Data Collection and Use.

Of the 300 million citizens living in the United States of America, it is estimated that almost 98% of those citizens have at least some data about them that is currently being maintained on a private or commercial data base. Of that 98% of American citizens whom currently have their data being stored by a commercial database only a shocking 1%-20% of those American’s are aware of the fact their data has been collected, is being stored, and is most likely available for inclusion and sale in “Commodity Information Bundles” by a commercial data broker from that database.

       What’s worse is the fact that of those American’s who have had data collected about them, which is personally identifiable, a mere 1%-5% of those citizens have actually granted or given a knowing and intelligent consent to have their personally identifiable information utilized. However, most shocking and damaging of all is the fact that despite the billion dollar Data Broker Industry and Commercial Data Brokers being in existence for the better part of the last decade almost no Americans are aware of the existence of the Data Broker Industry, Data Brokers, the activities of Data Brokers, or the fact that almost every American Consumer is affected in some way, shape, or form by this unknown billion dollar industry that knows so much about American Consumers. 


         At current there is some legislation aimed at solving some of the issues, but the real problem is that not every one agrees what the problem is, if there even is a problem, and even fewer agreement on how to fix the problems (If they exist). For the sake of this paper we'll presume that the Association is a current thought-leader in the area of personal identifiable information privacy issues, and then state that the Association has long suggested and put forward the argument for needed licensing requirement for companies engaging in commercial data storage, data capture, and the sale of consumer electronic data and information. We routinely make this argument as licensing is not without a great deal of precedent, as well as being a manageable, scalable, and realistically operational manner in which government could properly influence an entire data-collecting and distributing industry towards the much needed protections for consumer digital and/or electronically communicated PII. Moreover, licensing would solve the biggest problem currently facing the data-broker industry, which is a gross lack of any truly  standardized and recognized privacy practices. Moreover, licensing does carry with it an adequate force of law, which properly wielded should be sufficient enough to deter violations of  established legislatively created accepted norms.


   It is the firm belief of the Association that it is  the right of Americans to be free from search, monitoring,targeting, as well as believing that a leveling of the playing field in information is highly necessary. The term we like to use is data-equity, and we need to create that equity soon! In order to achieve data-equity legislation will need to be passed, because at current there is little incentive for data-brokers to do the right thing and respect consumer PII. To date the Association for Consumer Effectiveness alone has produced and made public actual tools and applicable strategies which can and do aid consumers in defending their PII in any realistic manner. Software is close to useless, as even if one program is completely bullet-proof, the data-brokers will simply get the information sought after from from the next set of programs, aggregate from different and many sources, or purchase it the information themselves from yet another data-broker.  

Recommend legislative changes to bring about information/data equity:

1. Make mandatory that any Data Broker (An company that collects, aggregates, stores, and sells for profit any electronic data capable of being personally identifiable in the aggregate or by itself.) Opt Out Option, Public Disclosure Six Month Data Reporting stipulations so consumers are made aware of the appropriate times and companies with which to lodge those “Opt-out requests” to, and the power to effectively police the actors in that Industry by requirement of mandatory “Data Collection, Storage, Aggregation, Secondary Usage, and Commercial Sales Licensing” for all industry actors.

2. Required registered, licensing, standards setting, testing, and compliance board or bar for data brokers, with the authority to fine, issue cease and desist orders, investigate, and otherwise police, monitor, license, and revoke License thereof industry bad actors. Given the devastating and permanent harms that are capable of occurring, the demand of the people that the data broker industry act with the same level of care as a doctor or lawyer is a fair and just requirement. So to is the heightened level of duty owed by data brokers, despite the obvious protests from the largely unregulated, billion dollar industry, who on a annual basis is responsible for at least several serious breaches of data belonging to American Consumers.

     The results of the recommendations of the Association would cause the first ever true consumer awareness and fairness, whereby the American Consumer capable of knowing just who has what information on them, and decide whether they want to grant or give true informed consent. Thus creating an equitable distribution of information and therefore power. With the passage of the recommended legislation  reporting and licensing a bright light would finally be shown on an industry that has been operating in the shadows for far to long, and industry bad actors would be forced to either shape up or ship out. With increased transparency and realistic regulation consumer confidence would grow in the Data Broker Industry, and as result the new gained perception of consumers being given a choice and control over who holds and uses the electronic data they generate or is capable of identifying them personally will result in more consumers actually agreeing to allow those data brokers holding truly useful and near necessary data on consumers (Often the ones most closely aligned with medical care or finances) to use their data for different purposes.    
   
   
           However, in the mean time the Association realizes that the only way to force data-broker compliance is by "asking the market," if data-privacy is important to consumers. Without going into too much detail, let's just say the Association has found a way to do just that. As a part of new planned project the Association has already developed the Data Equity Self Assessment Test for data-brokers. The ninety-three question diagnostic tool will aid data-brokers in coming to terms with whether they are ethical or unethical in their collection and usage of consumer PII, as well as aid data-brokers in figuring out where and how to improve. The proprietary and copyright protected Data Equity Self Assessment Test is shown below, and soon will be incorporated into a larger structured plan to aid consumers and data-brokers alike towards ethical commercial data-collection and distribution for profit. The Association will be kicking that project into phase two, once the Association for Consumer Effectiveness receives the necessary amount of funding to properly see to completion project "Ask the market." 
   
   
    In the mean time, the assessment tool is below to show the advanced research and inventions of the Association, which are ultimately meant to be shared with the general public at large for the benefit of the general public. The assessment tool is the current state of the art in PII Ethical Data Collection Practices, and soon it is hoped the rest of those individuals and organizations wishing or claiming to operate in an ethical manner with-in the data-broker industry will adopt as there own the standards and practices made obvious by the Data Equity Self Assessment Test for Ethical Data Collection and Use. 
   

3. Why is the information being collected?

4. . Is the information is absolutely mandatory to the functioning of services of operations of the business or services (Ex: A bank must know the customers bank account number.)?

Is the data collected for the following purposes (3-6):

1. For ease of use by data collector or “more convenient” use for customer? (Keep profile in database so customer order or payment information is more accessible and need not be re-entered.)?

2. To aid and assist in the companies own internal operations and functioning: To study and track your own customer buying trends, to seek improved sales and more desirable products.)?

3. To aid in larger research projects of your industry and profession (Doctors comparing cases and statistics for scientific purposes).

4. To sell that information as a retail item (The Geo-location of a consumers phone in relation to nearby stores and restaurants, in order to bring or offer the consumer more relevant adds.)?

5. What legal authority and/or agreements allow the information to be collected?

6. You have not lawfully and ethically obtaining a knowing and willing consent to possess and use the consumer information for the purposes for which you are using that data in writing or other evidence medium?

7. Did you receive consumer permission for a blanket or first use and possession, and now are utilizing data for second use purposes other than the stated reason given the consumer in order to collect the information?

8. Does the consumer doesn't know how you're utilizing their PII?

9. Did you collected or collect data through or by the monitoring of consumers and harvest their PII without their consent or knowledge?

10. Did you buy the PII from a vendor or data broker?

11. Did you harvest or gather the PII directly from the personal or corporate communications of the targets (Meta data searches of e-mails or corporate monitored e-mails of employees.)

12. How great do you believe the expectation of privacy to be of the individual or individuals that you monitor in order to capture the PII?

13. What sort of safeguarding have you deployed to ensure you have given adequate warning about your monitoring, and received the necessary permission to monitor your subjects?

14. Are your subjects required to accept or agree to being monitored in order to utilize your system, website, software, goods, or services?

15. You harvest the data collected from third party blogs, social media websites, and other posted media accounts or websites.

16. You do or do not own the copyright or a license to utilize the media or data which you have collected in order for you to republish, re-broadcast, reprint, or re communicate the original copyrighted material produced and created by your targets, subjects, or customers.

17. Is the information searchable by a personal identifier?

18. You have a system that identifies and tracks consumer information?

19. You have not made anonymous second use data, by removing any and all information that can be said to be PII or relate back to an individual, their place of residence or employment?

20. Data storage and sales is your primary business purposes or generates at least 50% of your net revenues.

21. Explain how long you retain the information?

22. What reason the information is retained?

23. Are there any forms or surveys that are associated with the collection of the information that would be covered by the Paperwork Reduction Act (PRA)?

24. Are there any privacy risks for this system that relate to the purpose of the collection? If so, how will you mitigate these risks?

25. Will individuals be given notice prior to the collection of personal information about them?

26. Will individuals be given notice prior to their information being shared? If not, please explain.

27. Are there any privacy risks for this system that relate to openness and transparency? If so, how will you mitigate these risks?

28. Do you state the reasons why you collect any and all PII which you are collecting?

29. Are those reasons for collection and the sorts of data you do collect made obvious and apparent by being in the first section or paragraph of any disclosures, and stated in plain regular language that is easy to understand. (Ex: We collect you name and address. We use it to market to you, by sending you our catalogs. We sell your information to third parties, whom may use it for purposes unknown to us. )

30. Whose information is included in the system?

31. What PII will the system include?

32. Why is the collection and use of the PII necessary to the project or system?

33. Will the system aggregate previously unavailable data about the individual or create new data about the individual? If so, how will this data be maintained and used?

34. What controls exist to protect the consolidated data and prevent unauthorized access?

35. Will the system monitor the public?

36. Who will monitor the system?

37. Do you have a set policy of access and control procedures for sensitive data, or “need to know only” ratings and designations for your personnel?

38. Will the system monitor employees or contractors?

39. What kinds of reports can be produced on individuals from the data you harvest?

40. Will the data included in the reports produced be made anonymous?

41. Are there any privacy risks for this system that relate to data minimization? If so, how will you mitigate these risks?

42. Is the information in the project limited to only the information that is needed to carry out the purpose of the collection?

43. Will you share any of the information with other individuals, Federal and/or state agencies, or private sector organizations? If so, how will you share the information?

44. Is the information collected directly from the individual or is it taken from another source?

45. Will the project interact with other systems, whether within your organization or outside of your organization? If so, how?

46. Are there any privacy risks for this project that relate to use limitation? If so, how will the mitigate these risks?

47. Do you have permission to share the PII?

48. Do you give assurances of any type stating that you shall not share the PII?

49. Did you give any assurances about the way you shall use the PII?

50. Do you honor those assurances if you give them? If so how do you ensure those assurances are carried out?

51. The PII you collect was collected by stating its use? Do you use the PII in any other ways not known by the individuals it identifies?

52. What steps do you take to ensure that all PII is accurate, relevant, timely, and complete.

53. How will the information collected be verified for accuracy and completeness?

54. Are there any privacy risks for individuals whose information is collected or used by the project that relate to data quality and integrity? If so, how will you mitigate these risks? 57. What are the possible consequences or possible harms could come to an individual whose PII you collect in an inaccurate, incomplete, or untimely manner? Do you have a plan in place to mitigate and minimize those consequences or harms in a timely and responsible manner? 58. Does that plan include public relations media damage control? 59. Who else or what other organizations could be harmed in the data you collect and provide is incomplete, inaccurate, or
    untimely? 60. Which individuals or companies depend of the PII you collect and provide? How do they use that PII in their operations? 61. On a scale of 1 to 10, 10 being life or death and 1 being a possible customer may fail to hear about your upcoming Saturday sale, how important is accuracy, completeness, timeliness, and relevancy of the PII you collect. 62. Who will have access to the data in the project? What is the authorization process for access to the project? 63. Have you completed a system security plan for the information system(s) supporting the project? Who has the Authority to Operate (“ATO”) the system? 64. How is that authority decided? 65. Do you have different levels of access? 66. Which employees shall be authorized personnel, including employees and contractors acting on behalf of the organization? 67. Which personnel official duties require access. 68. Do you have a Standard operating procedure for terminating or reducing access for individuals who no longer have a need to know all or certain information. 69. Do you have an operating policy. 70. What security controls and safeguards exist to protect information contained in the system against unauthorized disclosure and access.

55. Do you have policies and procedures for: Policies and procedures governing privacy and information security;  Conducting background checks on all personnel with access to the  system. Initial and follow-on privacy and security awareness training for each  individual with access to the system; Physical perimeter security safeguards;  Security Operations Center to monitor antivirus and intrusion  detection software; Risk and controls assessments and mitigation;  Technical access controls, such as role-based access management and  firewalls. *Disaster mitigation strategies, breach notification processes and plans, and secure channels for submitting transaction information are in place for the system. 72. Are there mechanisms in place to identify security breaches? If so, what are they? 73. Are there any privacy risks for this system that relate to security? If so, how will you mitigate these risks? 74. Do you give individuals, in most cases, the ability to access their PII, and allow them to correct or amend their PII if it is inaccurate. 75. What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project? 76. If no opportunities are available to consent, decline or opt out, please explain why? 77. What procedures will allow individuals to access their information? 78. Can individuals amend information about themselves in the
    system? If so, how? 79. Are there any privacy risks for this system that relate to individual participation? 80. Who will train all personnel about the proper treatment of PII. 81. Describe what privacy training is provided to users, either generally or specifically relevant to the project. 82. Are there any privacy risks for this system that relate to awareness and training? If so, how will you mitigate these risks? 83. Have you hired coaches or lecturers to train employees. 84. Mandatory reading for employees? 85. Consultants to teach employees? 86. Testing for employees 87. Do you have company wide certification? 88. Who developed that certification? How up to date is it? 89. How does the system ensure that the information is used in accordance with the stated practices in this assessment? 90. Do you have internal auditing? 91. How often do you review your policies for weaknesses or outdated systems? 92. Do you run vulnerability attacks on your system? If so how often?

56. Do you hire outside experts to audit your systems and organization for PII compliance?