The BIS document released on Thursday says that while most countries already have some data use laws in place, most individuals are still unaware of what is at stake or of their rights over their data.
Therefore, authorities should adopt new data governance systems to “level the playing field between data subjects and data controllers,” according to the document.
They should require companies to obtain clearer consent to collect data, to better explain how it is being used and to make it easier for the people from whom it has been collected to access data.
“When data is shared between data providers and data users, the data governance system must specify what data is requested to be shared, how long data users will retain it, and who will process it,” the document says.
The role of the BIS as a hub for major central banks highlights the breadth of the clamor for stronger data standards.
Current controls differ greatly. Although the European Union’s General Data Protection Regulation (GDPR), which came into force in 2018, is generally considered to be the most comprehensive, problems have still been pointed out to it.
Other parts of the world are much less advanced. The United States, for example, where most of the big tech companies are based, still doesn’t have blanket consumer privacy laws, relying instead on a patchwork of state and industry rules.
According to the document, data subjects also lose out because their information is often locked in company silos or platforms after using an app, website or service.
In turn, companies can combine that data with other data, such as income and education, to gain insights and predictions, thus creating “derived data” that is often considered more valuable.
Young people and people with fewer resources are also often denied loans due to lack of prior credit history, whereas if they had full access to their data online, that could replace it.
“Young people are slow to accumulate tangible collateral and the poor may never acquire enough collateral,” the document says. “It’s not profitable to reach these low-margin, high-risk consumers with the traditional system if you don’t have access to digital data.”
He added that any new governance system must meet the following five standards:
1.- Limitation of the purpose: ensure that the purpose for which the data is shared is described in clear and specific terms.
2.- Data minimization: share only the strictly necessary data.
3.- Limitation of conservation: ensure that data is not shared for longer than necessary.
4.- Limitation of use: ensure that data is used only for the purposes for which it was shared
5.- Operational resistance: ensure data security.
