Monday, December 30, 2002
More on data protection ... the banks know about it too; so do the newspapers!
On Thursday I was wondering about the data protection problems that local councils have and how they could look at what the banks have been doing with their account aggregators for some support. Friday's Wall Street Journal had a feature in the "Personal Journal" section titled "Weighing the Pros and Cons of Grouping Accounts Online" (I'd link to it but (a) I'm not a subscriber to the online version and (b) you're probably not either, although I do hear that they have some 10s of thousands of online readers, I know that there are only 100,000 readers in Europe). It's a good article. It talks about both client side aggregation and server-side aggregation - and how the UK banks have pursued the former (because of those dratted data protection issues) and the global banks have gone for the latter (including my own bank, Citibank). The banks thought that this was going to be the killer app (the El Dorado the article says) of online banking, but so far it hasn't worked out that way, but it is, apparently, picking up. There are something like 150,000 to 200,000 users in the UK. Citibank's lawyers say that as long as the client initiates the aggregation and the client's data is in safekeeping and not used by the aggregator, there is no breach of the rules. Egg uses the client-side method. The only issue with this latter approach seems to be that if you regularly use different PCs, you'll have to install the plugin on all of them to allow you to see the details - something you might not want to do. But it still strikes me that there is something in this. This approach ought to be applicable in lots of scenarios where data protection might otherwise be a problem. For instance, we've long talked about the idea of a "citizen vault" where commonly used data resides so that you don' t have to keep filling in your name and address on government forms, for instance. There's nothing to stop this data being on your own PC for now and then you can grant or deny access as you wish. Some may worry that "government" will take this data and do things it's not supposed to do. Believe me, people I work with in government spend enough time agonising about doing what they can do and are allowed to - the idea that any of them would knowingly create a process that broke the law or even bent it is just not real. Government strives to be whiter than white in applying its own laws - to the outside world it probably doesn't always look that way but on the inside, that's what's going on every day, all the time. Here's a case where government can still be white but can make life easier for people ... the only step that they have to take is to be clear what it is that they want to happen, a simple change of address process; and then make it so. The flaw in the "citizen vault" process above is that it doesn't help government get it right in the various back end systems with which the citizen hasn't chosen to interact or doesn't know about. That means it doesn't revolutionise what we do in government, but it does kick us a step nearer the end goal. It also doesn't require a whole heap of new backend code to be written. I've been thinking a lot about the "backend" problem and will be writing some more about that soon. I've got a few things I want to write: my 7 deadly sins of suppliers and customers; the legacy problem and how we might address it; some stuff on single signon, including the problem of "digital identity"; a view on syndication and why it's not yet what it needs to be (coupled with a piece on the end of the hyperlink in government) and then (sooner than the others I hope), a year end wrapup.
Posted by Alan at Monday, December 30, 2002