The Information Disclosure Lifecycle
5th May, 2018 | Data Security | Entropic
Organizations are continually challenged to improve their security posture and protect the information they rely on to do business. Many now also rely heavily on curating information that individuals have consented to share as they go about their daily lives.
Blockchain is helping to improve these organizations' cybersecurity posture in areas such as multi-factor authentication (MFA) and the Internet of Things (IoT). Some of these improvements are detailed in this article by Christina Comben, originally posted on CoinCentral.com.
With the recent increase in events surrounding the handling, processing and protection of information, we thought it would be a good idea to create a draft model that would allow us to better describe the lifecycle of information after it has been disclosed to an organization by an individual.
Using this model, we could better describe how significant information-related events, such as data breaches and the implementation of data protection regulations such as GDPR, can affect organizations. We also hope to increase general awareness about how an organization might use an individual's information, and where it might flow, once the organization has been authorized to collect and use it.
Phases of Information Disclosure
Below is a diagram that shows how an organization might use an individual's information. Following this, we'll discuss some key activities associated with each phase of information disclosure and handling.
1) INDIVIDUAL CONSENT
- The individual is presented with the organization's privacy policy, which discloses what information they collect and how it is used and shared
- After optionally reviewing the privacy policy, the individual consents to the sharing of their information
2) COLLECT & SEND
- The collection of the individual's information commences
- This collection might occur:
  - less frequently - for instance when the individual browses to a web site, or when they like or retweet a post on social media
  - more frequently - for instance when the individual's smart thermostat at home detects a temperature change
- Over time, through ongoing collection, the organization may curate a profile of the individual
3) RECEIVE & STORE
- After optional encryption, the information is then transmitted to the organization
- This transmission may be done from their home network, public WiFi, cellular network, etc.
- The information is stored, normally on a series of servers within a protected data center
- The information may be stored using a traditional structured database, or unstructured (e.g., big data)
- This information may also be duplicated to other data centers, and also backed up periodically
4) MAIN REFINEMENT
- To make it less personally identifiable, the collected information may be:
  - Anonymized - removing all original attribution to the individual it was collected from
  - Pseudonymized - removing most attribution to the individual, but retaining linkage between records collected from the same individual
- To make it more useful, the collected information may be:
  - Combined, unioned, or correlated with other internal and third party data sources
  - Further analyzed and processed using methods such as artificial intelligence
- Note: It is possible that introducing new sources of information into this process might allow the original information to be de-anonymized
- To prevent having to reprocess refined information, duplicates of this information may be saved after processing has completed
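The difference between anonymizing and pseudonymizing in this phase, and the de-anonymization risk in the note, shown as an added example that is not part of the original article. The field names, sample records, key, and the use of a k-anonymity check (the smallest number of rows sharing one combination of indirect identifiers) are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; every value here is made up for illustration.
RECORDS = [
    {"email": "ana@example.com",  "zip": "90210", "birth_year": 1984, "temp_c": 21.5},
    {"email": "ana@example.com",  "zip": "90210", "birth_year": 1984, "temp_c": 19.0},
    {"email": "raj@example.com",  "zip": "90211", "birth_year": 1987, "temp_c": 22.0},
    {"email": "li@example.com",   "zip": "90213", "birth_year": 1981, "temp_c": 20.5},
    {"email": "omar@example.com", "zip": "90214", "birth_year": 1989, "temp_c": 23.0},
]
QUASI_IDS = ("zip", "birth_year")   # indirect identifiers another data source may also hold
KEY = b"constructed-demo-key"       # assumption: in practice kept apart from the data set

def pseudonymize(records, key=KEY):
    """Swap the direct identifier for a keyed token; same person -> same token."""
    out = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"subject": token, **{k: v for k, v in r.items() if k != "email"}})
    return out

def anonymize(records):
    """Drop the direct identifier; no linkage between a person's records remains."""
    return [{k: v for k, v in r.items() if k != "email"} for r in records]

def generalize(records):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    return [{**r, "zip": r["zip"][:3] + "**", "birth_year": r["birth_year"] // 10 * 10}
            for r in records]

def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest group of rows sharing one quasi-identifier combination."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

if __name__ == "__main__":
    pseudo = pseudonymize(RECORDS)
    print("linked records share a token:", pseudo[0]["subject"] == pseudo[1]["subject"])
    anon = anonymize(RECORDS)
    # k == 1 means some row is unique on (zip, birth_year), so correlating with
    # another source that holds those fields could point back to one individual.
    print("k before generalizing:", k_anonymity(anon))
    print("k after generalizing: ", k_anonymity(generalize(anon)))
```

A result of k = 1 on the anonymized rows means removing the e-mail address alone did not prevent re-identification; coarsening the indirect identifiers before the data is combined or shared raises k.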
5) ADDITIONAL SHARING
- The information may be internally duplicated or transferred to other employees' or groups' workstations or servers within the organization, for further processing
6) ADDITIONAL REFINEMENT
- A copy of the original information may be used by an employee or a group for further analysis, or to further enhance internal analysis systems
- To prevent having to reprocess refined information, duplicates of this information may be saved after processing has completed
- Additional duplicates of this information may be made on storage media
- Additional duplicates of this information may be made during a backup process
7) THIRD PARTY SHARING
- A copy of the original or processed information may be shared with the individual from whom it was collected, as required by law
- A copy of the original or processed information may be regularly shared with one or more third parties, such as partners, affiliates, law enforcement, and customers as disclosed in the privacy policy
- The information may be further analyzed by the third party, using their own internal and external data sources to enrich it and make it useful
- The third party may share this information internally with other employees and groups within their organization, for further analysis or to further enhance internal analysis systems
- To prevent having to reprocess refined information, duplicates of this information may be saved after processing has completed
- Additional duplicates of this information may be made on storage media
- Additional duplicates of this information may be made during a backup process
- Refined information may be shared by the third party with their partners, affiliates and customers
8) ERASE
- Based on an event, such as an individual opting out of information collection, the information may be erased
- Based on time, the individual's collected information may be automatically erased, or purged
- Automatic erase policies and schedules are often disclosed in the organization's privacy policy
Conclusion
This information disclosure lifecycle model is intended to help build awareness about how information relinquished by an individual is transferred and shared by an organization. We consider this a working model that we'll update over time as needed to help describe key events and how they affect the way that information is handled.
If you have any feedback, questions, or suggestions, please let us know.