The personal data of potentially thousands of Dutch citizens has been stolen from the computer systems of the GGD, the Netherlands’ health authority responsible for the country’s coronavirus test-and-trace programme. Unfortunately, this is not a one-off incident; there has been a rapid rise in the number of cases of data leaks and data-related fraud in recent years. This type of cybercrime is difficult to tackle in today’s increasingly data-driven society. Therefore, it is time for a different approach and a whole new mindset regarding how data is handed: decentrally instead of centrally, and revolving around access rather than provision. Data owners should also be given the tools to control how their data is viewed, used and shared.
Last week, it emerged that countless citizens’ personal data that was stored in the GGD’s computer system had been stolen and was being illegally traded on the internet. The data could be used for identity fraud, which forms the basis of all kinds of criminal activities. For example, stolen identities can be used to purchase high-value items, to extort money, to gain access to secure areas and even to learn details of the contents and unloading schedules of containers in major ports. Although identify fraud is a significant societal problem, it is very difficult for investigators to tackle because they repeatedly find themselves up against international crime rings that operate above and beyond national laws.
We believe that the solution lies in developing a whole new mindset towards data. Therefore, we advocate the development of a soft data infrastructure based on the following principles: data is stored decentrally rather than centrally, data is accessed rather than provided, and the data owner has full control, which is also referred to as data sovereignty.
Instead of requiring users to provide their data to platforms, which is associated with numerous risks – including an increased risk of cybercrime – public-sector and private-sector organisations should work together on setting up a decentralised digital infrastructure based on open standards and a distributed network.
In such a decentralised setting, government authorities, businesses and service providers would have to request a user’s permission to access the data at source. In concrete terms, rather than citizens uploading their data to platforms such as those operated by healthcare providers, insurance companies and energy firms, the organisations would have to ask the data owners for permission to access their data, either directly or from a party that data owners have authorised to share their data.
Within such a decentralised digital infrastructure, it is also essential that public-sector and private-sector parties develop a framework or scheme of mutual agreements on the secure and controlled access to data, and also agree to adopt and continuously maintain that scheme. The agreements relate to not only the technical aspects of data sharing, but also to the legal, operational and functional aspects, which is why a decentralised digital infrastructure of this kind is also referred to as a ‘soft’ infrastructure. But above all, the key success factor is a revolutionary vision of the future of data sharing: a whole new mindset.