Wednesday, 3 March 2010

The Privacy Dividend - business case for privacy & data protection-friendly systems, & the financial value of personal data

Today the UK Information Commissioner's Office is launching The Privacy Dividend: the business case for investing in proactive privacy protection - a paper commissioned in 2009 "which provides organisations with a financial case for data protection best practice".

Interestingly, it aims to provide a way to estimate the monetary value of "personal information", and the financial cost of data security breaches and data losses (emphasis added, footnotes omitted):

"The total value of personal information to the organisation may be hundreds, thousands or millions of pounds, but the data brought together in Figure S1 appears to suggest a typical commodity value per record is likely to be in the £10-£100 range. The value to other parties who do not have a legitimate interest in personal information appears to range from a few pence to £100.

From a person-centric viewpoint rather than an organisation-centric one, the value of an individual's own information could be much higher, typically in the £100 to £1,000 range per person. If we consider financial fraud, where there are data published, a recent UK survey suggests that the average financial loss per victim is £463. While any one individual person might be able to recover some or all of this loss, this will not always be the case.

In addition to this loss, an estimate should include the time and expenses of the person affected, and other resultant non-financial harms… the average cost to the victim (the sum of their financial loss and the time and effort needed to correct the results) amounts to between £476 and £1,054, or say between £450 and £1,050. To this should be added an allowance, say £50, for the other expenses and potential harm effects not otherwise included, giving a total average value in the range £500 to £1,100."

There are even appendices with: a Value of personal information calculation sheet (from the perspectives of the organisation, the individual, other parties and society), a Privacy failure costs calculation sheet, and a Privacy protection benefits calculation sheet.

On the basis that money makes businesses sit up and take notice, putting it in financial terms is a good approach.

From the ICO press release of 3 Mar 2010:

"The report explains how to put a value on personal information and assess the benefits of protecting privacy. It includes practical tools to help organisations prepare a business case for investing in privacy protection…

This report provides organisations with the tools to produce a financial business case for data protection ensuring privacy protection is hardwired into organisational culture and governance.

Practical tools to help organisations prepare a business case for investing in privacy protection include:
• Guidance on the steps involved in a privacy protection scheme to assess the costs and benefits
• Guidance on creating business cases for implementing a new system or changing an existing system
• Calculation sheets to assess the value of personal information and put figures to the business case."

The report was prepared by John Leach of John Leach Information Security Ltd and Colin Watson of Watson Hall Ltd, after feedback on their discussion document.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.