Investment Data Standards Organization

Last updated
Investment Data Standards Organization
AbbreviationIDSO
Formation23 October 2017
Type Non-governmental organization
Purpose Standards & best practices
Headquarters Manhattan, NY

The Investment Data Standards Organization (IDSO) [1] is a U.S.-based organization that publishes Alternative Data standards. IDSO was established to support the growth of the Alternative Data industry through the creation, development, and maintenance of industry-wide standards and best practices. IDSO is a non-profit 501(c)(6) organization made up of companies in the Alternative Data industry such as data originators, intermediaries, and institutional investment funds. [2] [3]

Contents

Overview

The Investment Data Standards Organization is an independent, non-governmental organization that publishes Alternative Data standards and best practices for personally identifiable information (PII), web crawling, and other security and compliance-related topics. [4] [2] Consisting of companies in the Alternative Data industry such as data originators, research providers, aggregators, and investment funds, the Investment Data Standards Organization (IDSO) represents the interests of Alternative Data industry participants and supports the acceptance and adoption of Alternative Data by institutional investors. The use of standards enables robust and reliable Alternative Data products and services that meet U.S. privacy and security requirements. [5] [6] [7] [8] [9]

Membership

IDSO serves managers and compliance teams in the Alternative Data industry who are interested in regulatory guidance. [10] [11] [12] [13] Companies that participate in the Alternative Data ecosystem include: [14]

  1. Raw data originators, who collect or generate data,
  2. Research providers, who produce original research and derived signals,
  3. Aggregators, who enrich and aggregate data, and
  4. Investment funds, who use data to add value to their investment process.

IDSO publications are developed by working groups composed of representatives from these Alternative Data organizations. IDSO members work together in teams to create and edit standards and best practices.

Membership Functions

Investment Data Standards Organization (IDSO) members access IDSO publications, interact with industry participants, and drive change to help shape the future of the Alternative Data industry.

Publications

IDSO's main products are standards, checklists, technical reports, technical specifications, and guides. The standards currently available are related to personally identifiable information (PII), web crawling, and dataset compliance for sensitive information (SI):

  1. Personally identifiable information (PII) : [15] The PII publications develop processes and risk management strategies for identifying, maintaining, and securing personally identifiable information (PII) in data sets used for investment management.
  2. Web crawling : [16] [17] The web crawling publications provide processes and procedures for data harvested or scraped from the web.
  3. Dataset compliance for sensitive information (SI): The dataset compliance publications assign a dataset compliance-level to datasets that contain sensitive information (SI).

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

Protected health information (PHI) under U.S. law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity, and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. PETs allow online users to protect the privacy of their personally identifiable information (PII), which is often provided to and handled by services or applications. PETs use techniques to minimize an information system's possession of personal data without losing functionality. Generally speaking, PETs can be categorized as either hard or soft privacy technologies.

The California Online Privacy Protection Act of 2003 (CalOPPA), effective as of July 1, 2004 and amended in 2013, is the first state law in the United States requiring commercial websites on the World Wide Web and online services to include a privacy policy on their website. According to this California State Law, under the Business and Professions Code, Division 8 Special Business Regulations, Chapter 22 Internet Privacy Requirements, operators of commercial websites that collect Personally Identifiable Information (PII) from California's residents are required to conspicuously post and comply with a privacy policy that meets specific requirements. A website operator who fails to post their privacy policy within 30 days after being notified about noncompliance will be deemed in violation. PII includes information such as name, street address, email address, telephone number, date of birth, Social Security number, or other details about a person that could allow a consumer to be contacted physically or online.

The NAI (Network Advertising Initiative) is an industry trade group founded in 2000 that develops self-regulatory standards for online advertising. Advertising networks created the organization in response to concerns from the Federal Trade Commission and consumer groups that online advertising — particularly targeted or behavioral advertising — harmed user privacy. The NAI seeks to provide self-regulatory guidelines for participating networks and opt-out technologies for consumers in order to maintain the value of online advertising while protecting consumer privacy. Membership in the NAI has fluctuated greatly over time, and both the organization and its self-regulatory system have been criticized for being ineffective in promoting privacy.

<span class="mw-page-title-main">Paul M. Schwartz</span> Author and law professor

Paul Schwartz is an American legal scholar who specializes in information privacy law. He is the Jefferson E. Peyser Professor at the UC Berkeley School of Law and a director of the Berkeley Center for Law and Technology. He was formerly the Anita and Stuart Subotnick Professor of Law at Brooklyn Law School from 1998 to 2004.

Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995. The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.

NIST Special Publication 800-92, "Guide to Computer Security Log Management", establishes guidelines and recommendations for securing and managing sensitive log data. The publication was prepared by Karen Kent and Murugiah Souppaya of the National Institute of Science and Technology and published under the SP 800-Series; a repository of best practices for the InfoSec community. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time.

Privacy engineering is an emerging field of engineering which aims to provide methodologies, tools, and techniques to ensure systems provide acceptable levels of privacy. Its focus lies in organizing and assessing methods to identify and tackle privacy concerns within the engineering of information systems.

Alternative data refers to data used to obtain insight into the investment process. These data sets are often used by hedge fund managers and other institutional investment professionals within an investment company. Alternative data sets are information about a particular company that is published by sources outside of the company, which can provide unique and timely insights into investment opportunities.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

ISO/IEC 27018 is a security standard part of the ISO/IEC 27000 family of standards. It was the first international standard about the privacy in cloud computing services which was promoted by the industry. It was created in 2014 as an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. It helps cloud service providers who process personally identifiable information (PII) to assess risk and implement controls for protecting PII. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

Data sanitization involves the secure and permanent erasure of sensitive data from datasets and media to guarantee that no residual data can be recovered even through extensive forensic analysis. Data sanitization has a wide range of applications but is mainly used for clearing out end-of-life electronic devices or for the sharing and use of large datasets that contain sensitive information. The main strategies for erasing personal data from devices are physical destruction, cryptographic erasure, and data erasure. While the term data sanitization may lead some to believe that it only includes data on electronic media, the term also broadly covers physical media, such as paper copies. These data types are termed soft for electronic files and hard for physical media paper copies. Data sanitization methods are also applied for the cleaning of sensitive data, such as through heuristic-based methods, machine-learning based methods, and k-source anonymity.

References

  1. "Investment Data Standards Organization Homepage". Investment Data Standards Organization.
  2. 1 2 Kolanovic, Marko; Krishnamachari, Rajesh (May 29, 2017). "Big Data and AI Strategies - Machine Learning and Alternative Data Approach to Investing". RavenPack. J.P. Morgan, Global Quantitative & Derivatives Strategy. Archived from the original on 22 July 2018. Retrieved 20 February 2018.
  3. Ekster, Gene. "Driving Investment Performance with Alternative Data" (PDF). Integrity Research. Retrieved 21 February 2018.
  4. Z., W. (22 August 2016). "Why investors want alternative data". The Economist. Retrieved 20 February 2018.
  5. Ekster, Gene (May 2, 2016). "Mitigating Alternative Data Compliance Risks Associated with Web Crawling". Integrity Research. Retrieved 20 February 2018.
  6. "The Privacy Impact Assessment (PIA) Guide" (PDF). U.S. Securities and Exchange Commission. January 2007. Retrieved 20 February 2018.
  7. "Security & Privacy Best Practices". Online Trust Alliance (OTA). January 21, 2015. Retrieved 20 February 2018.
  8. "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" (PDF). Organisation for Economic Co-operation and Development. Retrieved 20 February 2018.
  9. "Guide to Managing Information Security Risk" (PDF). National Institute of Standards and Technology Special Publication. NIST. Retrieved 20 February 2018.
  10. "The Privacy Impact Assessment (PIA) Guide" (PDF). U.S. Securities and Exchange Commission. January 2007. Retrieved 20 February 2018.
  11. "Security & Privacy Best Practices". Online Trust Alliance (OTA). January 21, 2015. Retrieved 20 February 2018.
  12. "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" (PDF). Organisation for Economic Co-operation and Development. Retrieved 20 February 2018.
  13. Ekster, Gene (8 July 2015). "Alternative Data Research Compliance". Integrity Research Associates. Retrieved 21 February 2018.
  14. Mayhew, Michael. "MITIGATING LEGAL RISKS ASSOCIATED WITH ALTERNATIVE DATA" (PDF). Integrity Research Associates. Retrieved 22 February 2018.
  15. McCallister, Erika; Grance, Tim; Scarfone, Karen. "National Institute of Standards and Technology Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (PDF). National Institute of Standards and Technology.
  16. "The Digital Millennium Copyright Act of 1998" (PDF). U.S. Copyright Office. Retrieved 20 February 2018.
  17. "Legal Cases Relating to Web Harvesting" (PDF). Eagle Alpha. Retrieved 20 February 2018.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.