Volume 11, Issue 2

Personal Information Management Systems

Heleen Janssen, Institute for Information Law, University of Amsterdam, Netherlands
Jatinder Singh, Compliant and Accountable Systems Research Group, University of Cambridge, United Kingdom

PUBLISHED ON: 11 Apr 2022 DOI: 10.14763/2022.2.1659

Abstract

Personal Information Management Systems (PIMS) seek to empower users by equipping them with mechanisms for mediating, monitoring and controlling how their data is accessed, used, or shared.
Citation & publishing information
Received: September 26, 2021 Reviewed: December 21, 2021 Published: April 11, 2022
Licence: Creative Commons Attribution 3.0 Germany
Funding: The authors acknowledge the financial support of the Engineering and Physical Sciences Research Council (EP/P024394/1, EP/R033501/1), University of Cambridge.
Competing interests: The author has declared that no competing interests exist that have influenced the text.
Keywords: PIMS, Personal data stores, Data processing, Decentralisation, User empowerment, Self-regulation
Citation: Janssen, H. & Singh, J. (2022). Personal Information Management Systems. Internet Policy Review, 11(2). https://doi.org/10.14763/2022.2.1659

This article belongs to the Glossary of decentralised technosocial systems, a special section of Internet Policy Review.

Definition

Personal Information Management Systems (‘PIMS’) provide technology-backed mechanisms for individuals to mediate, monitor and control how their data is accessed, used or shared.

Their purported goal is to empower individuals with regards to their personal data (Abiteboul et al., 2015; EDPS, 2016; IAPP, 2019; Royal Society, 2019; Janssen et al., 2020a). Given the discourse around how data is currently being extracted and used, the concept is growing in prominence in the research and commercial space (Janssen et al., 2020b), as well as gaining policy attention (European Commission, 2020).

Context

There are growing concerns regarding the opacity concerning how data is being processed and (mis)used, where individuals typically lack meaningful transparency, visibility and control over what, how, why and by whom their data are captured, analysed, transferred, stored, or otherwise processed and used (Zuboff, 2015; Lehtiniemi 2017; Berners Lee, 2018). In response, and in line with the growing public discourse regarding data-related issues, PIMS as a concept generally aims to better inform and empower users with regards to the processing of their data (Royal Society, 2019). PIMS are a form of privacy enhancing technology (PET), representing an instance of an approach for privacy self-managementwhereby users work to manage their own privacy interests (Solove, 2013; Solove, 2020).

Key functionality

PIMS typically involve an ecosystem, which generally entails a platform providing the PIMS infrastructure. The platform provides users with some components for handling their personal data. Within this ecosystem, third parties seek to process user data (Janssen et al., 2020b). PIMS employ technical, legal and organisational measures that enable users to manage and control their data, and to ensure and validate that the behaviours of third-parties accord with user and platform requirements. Though the specifics of which vary by offering, measures often include (to varying degrees) the ability to determine:

(i) the data collected, captured, stored, or that otherwise available for processing;

(ii) that computation, analytics or other processing performed over that data; as well as providing

(iii) oversight measures to validate, review and audit what happens to their data.

PIMS often enable decentralised data processing, where third-parties that wish to process user data will not directly access a user’s data (e.g. where user data are transferred to the third party). Instead, such mechanisms enable the third-party’s desired computation, analytics, or other processing to be brought to the user’s data (typically residing within a physical or virtual user-centric PIMS device), with only the results of that processing returned to the third-party (Janssen et al., 2020a). This (as with other forms of processing) occurs in line with a user’s agreement, and only over certain data, as determined by the user.

PIMS may be supported by other novel technologies, such as Distributed Ledgers (Zichichi et al., 2020; see separate entry regarding DLTs).

Origins and coexisting uses/meanings

The term PIMS is not novel; some older references to the term can be found, for instance, in Barreau, 1995; Jones & Thomas, 1997; Bergman et al., 2008. Nowadays, the term ‘PIMS’ broadly refers to a class of technology that provides users with means for managing their data vis-à-vis those wishing to process it. Note that PIMS is an ‘umbrella term’, and we see a range of related terms used including: personal data stores (World Economic Forum, 2013; De Montjoye et al., 2014; OpenPDS, 2017; Crabtree et al., 2018; Royal Society, 2019; Janssen et al., 2020a); personal data vaults (Schluss, n.d.); personal information management services (ControlShift, 2014), or personal data spaces (European Commission, 2020). The concepts also bear a relationship with some forms of data intermediary (see separate entry regarding “Data intermediary”).

PIMS have been proposed by actors in civil society (MyData movement, 2015); academia, where offerings such as OpenPDS or Databox were developed; the private sector (some examples include CozyCloud; Mydex; CitizenMe, or Digi.me), or by actors in research environments with the PIMS developing into a commercial offering (Dataswift/Hub of All Things, or Solid/Inrupt, the latter being developed by Sir Tim Berners Lee). PIMS are increasingly gaining attention from policymakers, who currently consider mechanisms for regulating and advancing data intermediation services in general, of which PIMS are one example (e.g. European Commission Data Strategy, 2020; European Commission proposal for a Data Governance Act, 2020; German Bundestag bill for Consent Management Services, 2021; Centre for Data Ethics and Innovation (an expert body of UK’s government Department for Digital, Culture, Media and Sports, 2021)).

Debate

PIMS generally adopt an approach that is firmly grounded in the logic of privacy self-management and ‘notice and consent’, whereby users are charged with managing their own privacy interests (Solove, 2013; Solove, 2020; Janssen et al., 2020b). However, such approaches are the subject of critique, with arguments that they are largely ineffective given the systemic issues inherent in digital ecosystems, such as those regarding power and information asymmetries (Barocas & Nissenbaum, 2009; Sloan & Warner, 2013; Bietti, 2020).

Although some forecasted that PIMS could generate considerable economic benefits for businesses and consumers alike (ControlShift, 2014; Brochot et al., 2015; European Commission, 2020), the business cases for PIMS platforms vary and continue to be developed (Bolychevsky & Worthington, 2018).

Conclusion

Personal Information Management Systems (PIMS) aim to inform and empower users by equipping them with mechanisms for mediating, monitoring and controlling how their data is accessed, used, or shared. Their purpose is to provide an alternative to the data processing practices common today. PIMS are growing in prominence with many offerings in the pipeline. While gaining attention from developers, researchers, industry and policymakers, questions over the business cases and the ability for PIMS to overcome the systemic issues in digital ecosystems remain.

References

Abiteboul, S., André, B., & Kaplan, D. (2015). Managing your digital life. Communications of the ACM, 58(5), 32–35. https://doi.org/10.1145/2670528

Barocas, S., & Nissenbaum, H. (2009). On notice: The trouble with notice and consent. Proceedings of the Engaging Data Forum: The First International Forum on the Application and Management of Personal Electronic Information. https://ssrn.com/abstract=2567409

Barreau, D. K. (1995). Context as a factor in personal information management systems. Journal of the American Society for Information Science and Technology, 46(5), 327–339.

Bergman, O., Beyth-Marom, R., & Nachmias, R. (2008). The user-subjective approach to personal information management systems design: Evidence and implementations. Journal of the American Society for Information Science and Technology, 59(2), 235–246. https://doi.org/10.1002/asi.20738

Berners Lee, T. (2018). One small step for the Web... [Open letter]. Inrupt. https://inrupt.com/blog/one-small-step-for-the-web

Bietti, E. (2020). Consent as a free pass: Platform power and the limits of the informational turn. Pace Law Review, 40, 317–398.

Bolychevsky, I., & Worthington, S. (2018). Are Personal Data Stores about to become the NEXT BIG THING? [Medium]. Irina Bolychevsky.

Brochot, G., Brunini, J., Eisma, F., Larsen, R., & Lewis, D. J. (2015). European Commission: Personal Data Store (MPhil Technology Policy) [Final report]. University of Cambridge. https://www.academia.edu/20193979/European_Commission_Report_on_Personal_Data_Stores

Centre for Data Ethics and Innovation. (2021). Unlocking the value of data:Exploring the role of data intermediaries (Report Commissioned by the UK Government’s Department for Digital, Culture, Media and Sport (DCMS)) [Report]. Centre for Data Ethics and Innovation. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1004925/Data_intermediaries_-_accessible_version.pdf

ControlShift. (2014). Personal Information Management Systems – an analysis of an emerging market: Unleashing the power of trust. ControlShift. https://www.ctrl-shift.co.uk/insights/2014/06/16/personal-information-management-services-an-analysis-of-an-emerging-market/

Crabtree, A., Lodge, T., Colley, J., Greenhalgh, C., Glover, K., Haddadi, H., Amar, Y., Mortier, R., Li, Q., Moore, J., Wang, L., Yadav, P., Zhao, J., Brown, A., Urquhart, L., & McAuley, D. (2018). Building accountability into the Internet of Things: The IoT Databox model. Journal of Reliable Intelligent Environments, 4(1), 39–55. https://doi.org/10.1007/s40860-018-0054-5

de Montjoye, Y.-A., Shmueli, E., Wang, S. S., & Pentland, A. S. (2014). openPDS: Protecting the Privacy of Metadata through SafeAnswers. PLoS ONE, 9(7), e98790. https://doi.org/10.1371/journal.pone.0098790

European Commission. (2020). A European Strategy for data COM/2020/66 final. European Commission. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0066

European Data Protection Supervisor. (2016). EDPS Opinion on Personal Information Management Systems: Towards more user empowerment in managing and processing personal data. https://edps.europa.eu/sites/edp/files/publication/16-10-20_pims_opinion_en.pdf

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj

German Bundestag Bill for Consent Management Services: § 26 TTDSG Approved Consent Management Services, End User Preferences, German Bundestag (2021). https://dsgvo-gesetz.de/ttdsg/26-ttdsg/

International Association of Privacy Professionals. (2019). Personal information management systems: A new era for individual privacy? iapp. https://iapp.org/news/a/personal-information-management-systems-a-new-era-for-individual-privacy/

Janssen, H., Cobbe, J., Norval, C., & Singh, J. (2020a). Decentralised data processing: Personal data stores and the GDPR. International Data Privacy Law, 10(4), 356–384. https://doi.org/10.1093/idpl/ipaa016

Janssen, H., Cobbe, J., & Singh, J. (2020b). Personal information management systems: A user-centric privacy utopia? Internet Policy Review, 9(4). https://doi.org/10.14763/2020.4.1536

Jones, S. R., & Thomas, P. J. (1997). Empirical assessment of individuals’ “personal information management systems.” Behaviour & Information Technology, 16(3), 158–160. https://doi.org/10.1080/014492997119888

Lehtiniemi, T. (2017). Personal Data Spaces: An Intervention in Surveillance Capitalism? Surveillance & Society, 15(5), 626–639. https://doi.org/10.24908/ss.v15i5.6424

Royal Society (Great Britain). (2019). Protecting privacy in practice: The current use, development and limits of privacy enhancing technologies in data analysis.

Schluss. (n.d.). Schluss. https://schluss.org

Sloan, R. H., & Warner, R. (2013). Beyond notice and choice: Privacy, norms, and consent. Journal of High Technology Law, 14, 370.

Solove, D. (2013). Privacy self-management and the consent dilemma. Harvard Law Review, 126, 1888–1903.

Solove, D. J. (2020). The myth of the privacy paradox. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3536265

World Economic Forum & The Boston Consulting Grou. (2013). Unlocking the value of personal data: From collection to usage. World Economic Forum. http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionUsage_Report_2013.pdf

Zichichi, M., Ferretti, S., & D’Angelo, G. (2020). On the efficiency of decentralized file storage for personal information management systems. 2020 IEEE Symposium on Computers and Communications (ISCC), 1–6.

Zuboff, S. (2015). Big other: Surveillance Capitalism and the Prospects of an Information Civilization. Journal of Information Technology, 30(1), 75–89. https://doi.org/10.1057/jit.2015.5

Add new comment