Towards a more objective basis for establishing trust in information exchange

The emphasis on electronic information exchange among public sector agencies and private sector organizations has increased attention on both technical and non-technical barriers to sharing data among different organizational entities. In many ways, efforts to overcome the non-technical barriers have fallen short of their intended objectives, with the result that would-be information exchange participants who can exchange data choose not to do so because of concerns about how appropriate security and privacy requirements will be honored when the participants in the exchange are not subject to the same or comparable constraints. Some initial attempts to rationalize these differences have focused on information security controls, especially those applied at the system level. This approach cannot arrive at a mutually acceptable level of trust among diverse entities, because information system security drivers and requirements are too subjective. A more effective approach would focus on the data being exchanged, and the privacy and other content-based rules and regulations that apply to it, using these objective requirements to determine both procedural and technical safeguards needed to meet the requirements and provide the necessary basis of trust. Further development of this concept and a privacy requirement-driven framework to support it are key focus areas of our current research.