Ralf Bendrath has a thoughtful post on Oracle’s recently announced “Identity Governance Framework”, a set of draft standards for sharing and controlling personally identifiable information across different systems and applications. He was particularly struck by the use of the term “governance” in this context, and how it reflects a changing discourse on privacy & identity management:
In the good old days, the social value to be safeguarded was called “privacy”. Then came computers, and the ugly word “data protection” took over. The semantic move was subtile, but worked to some extent: It was about protecting the data (i.e. the computers on which they reside), not the privacy of the persons the data was about. After the rise of the Internet, it started to be called “privacy and identity management”. The idea of protecting data or persons got lost and replaced by “management”. Instead, “identity” was introduced, which also includes an idea of control: The users have to authenticate themselves. Nowadays, it is mostly called just “identity management”, and the idea of privacy has to be re-introduced as a kind of add-on, like in the “privacy-embedded laws of identity”.
So, it sounds like the discourse of identity has won over the discourse on privacy. By introducing the term “governance”, Oracle makes it clearer again that it is not just a corporate process, as “identity management” sounds like, but includes externally set values and goals.
An interesting development. It is still unclear to me how “privacy” could systematically be inserted into this on the semantic level, as it would be one of many theoretically possible goals of the governance of identity. On the other hand, “governance” here just means enforcement of data-usage policies inside the corporation. In political science, “governance” has a far wider meaning, including public laws, private-public partnerships, standards, private contracts, education, publicity and so on. The Identity Governance Framework in this perspective is just enabling the operational implementation of values set in the larger network of institutions that deal with the governance of personal information – privacy governance, that is.
Of course, reality is much more complex, and there are always competing discourses, side-branches and so on. But this big picture with little complexity should do for the moment, if we look at the private sector perspective on it. I also did not attempt a Foucauld-inspired discourse analysis, which would much more focus on the governmentality of the modern buraucracy that rose and developed together with the practices and laws of identity management from the 15th century on.
He writes more, and it is worth reading.