Personal data access: Not easily done

Computerworld - One of the cornerstones of data privacy is that companies grant people access to the information they keep about them. As reasonable as that sounds, it will be the last privacy cornerstone actually hefted into place. Why? Because providing a single view of each employee and customer is a huge financial and cultural proposition for Global 100 corporations, guardians of the world's most extensive stores of personal information.

The ideal of data access is trumpeted in almost every privacy law. Europe says companies must tell inquiring people what categories of information they've collected about them, where they got it from, what they're doing with it, and who it's been sent to. Canada says ditto, while Australia is satisfied with providing access to the records that have been collected. In the U.S., the Children's Online Privacy Protection Act says parents must have read/write access to data collected online from their preteens. The bars have been set.

But are they feasible? If the Global 100 suddenly attempted to meet the letter of these laws, it would create an IT crisis of Y2k-like proportions -- but with less hope of success.

One reason for pessimism is the stubborn pervasiveness of paper forms. In part for legal reasons, large companies keep paper records on an employee across payroll, benefits and training departments, in addition to supervisors' performance reviews. Collecting all the paper-based, personal information on a single employee would be the private sector's equivalent of meeting a Freedom of Information Act (FOIA) request. Any government worker will tell you that FOIA requests consume numerous man-hours.

The technical barriers facing comprehensive access to personal data are similarly daunting. Even if a company's data flows are mapped, any particular data field -- such as "name" -- may exist in multiple formats reflecting divergent business requirements. Data will reside in systems based on incompatible technologies that are linked, if at all, at great expense. Providing one view of the individual makes Y2k look like a light warm-up.

Organizational culture is an even larger obstacle to integrated data access. Employees who are closest to a company's customers will feel a natural obligation to guard their data from the company's other regions and lines of business. They can do so by storing data locally and not participating in companywide data systems. Comprehensive access won't occur without their cooperation. These employees have the right instinct -- a bias for privacy -- that highlights a largely overlooked contradiction: Access requirements pit privacy against itself, by encouraging integration of personal data rather than compartmentalization.