Re: @Repeat (pete 2) The law is not the answer
A few months ago I came up with the idea for a government-run central database to store all information about that country's citizens.
Every citizen would be issued a smart card that would be used to authorize access to their information. In turn, each company, organization, and agency would then be issued their own CA certificate, which they would use to issue each employee their own certificate as well as certificates for equipment used to process personal information. This would allow access to that information to be revoked for a rogue employee, a compromised server, or even an entire company that is misusing data.
Each certificate issued would come with a long list of flags based on what information the requester can see (primarily based on whether the requester / requester's organization has passed regulatory checks such as HIPAA, SOX, etc.) or whether they have a valid business license. This would be restricted at both the CA level and the individual employee level.
Each company or data requester would have a standardized database that would receive the information in the form of a selective replication from the central database over a secured connection (an SSL VPN, perhaps using the device's certificate for access).
When information is requested of a private citizen, a unique ID is generated along with a series of flags describing which pieces of data are being requested; this is then sent to the central database, where it is held to await authorization. At this point the citizen whose data is being requested would use some form of authorization terminal, log in with their card, and see any requests being made for their data, at which point they could uncheck anything they don't want the requester to know or that is irrelevant. The citizen would then send back the authorization. Once this authorization step has taken place, the request is granted in the form of a simple database replication from the central database to the requester's, with only the authorized data.
The requester's database would be constructed in such a way that it will filter information itself based on the authorization level of the employee.
An example of all this would be if a citizen broke a bone and went to the hospital: at reception the clerk would create a request for all the citizen's medical information, at which point they would be able to filter out irrelevant stuff (say the citizen had a psych eval a few years back), and the citizen would then authorize access to that data. The central database would then replicate all the authorized requested bits of information, such as medical history, name, gender, DOB, next of kin, medical benefits, etc., along with a token describing how long the data will be available before the request expires and new authorization is needed.
Since this data is further filtered by the local database, each employee would see a different subset of data: the receptionist would see just your name, the doctor would see all your medical history but not your address or other information, the nurse would be able to see your name, medications you are *currently* taking, and allergy information, etc.
Another example would be an online store that would ask you for your shipping address and confirmation that you are allowed to possess certain materials such as prescription drugs or toxic materials (but only if they are authorized to sell such things).
A third example would be an online service (such as email, a forum, or a social network) that would only need to validate that you are a human being, without the need to give them your name or even an email address; plus you could log in without the need for a password (you'd be able to use your smart card). This would allow illegal activity (such as soliciting sex from a minor or other malicious behavior) to be reported and the account traced through the original request, so that the police can handle it without the website ever knowing who that person truly was.
On the other hand, if someone came up to you claiming to be from the government or a specific company, you could then make a request to the central database to validate that they are, in fact, a member of that organization and see a list of what they are able to request (in order to prevent fraudsters from claiming to be from your bank to steal your money, or a government agent overstepping their bounds).
There would also be a table in the database listing every single request for data, which would allow each citizen to review who made each request; even law enforcement requests would be listed here.
The organization running the database would be built from the ground up with the idea of privacy in mind, where no one can make an anonymous request despite having a court order or National Security Letter. In the process of proper law enforcement, certain requests could be authorized by a judge and possibly anonymized for a set amount of time (say 90-120 days, but no more than a year), at which point the request would become public and the prosecution must either enter the information as evidence or delete it; either way, it would be revealed to the citizen that this information was requested.
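The request flow the post describes (certificate flags bounding what an organization may ask for, the citizen narrowing the request, selective replication with an expiry token, a second role-based filter in the requester's own database, a full audit table, and a way to verify who a requester is) can be modelled end to end. The toy below is an added illustration, not code from the post or from any real system; the organization names, field names, employee roles and certificate flag sets are constructed for the hospital scenario.

```python
"""Toy model of the consent-gated data request flow from the post.

Constructed example: organisation names, field names, roles and the
certificate 'flags' are made up for illustration.
"""
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional

# Local role filtering: the subset of replicated fields each employee role may see.
ROLE_VIEW: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({"name"}),
    "doctor": frozenset({"name", "dob", "medical_history", "allergies", "medications"}),
    "nurse": frozenset({"name", "medications", "allergies"}),
}

# Constructed citizen record held by the central database.
CITIZEN_RECORD = {
    "name": "J. Doe", "dob": "1980-01-01", "address": "1 Example St",
    "next_of_kin": "R. Doe", "medical_history": ["fracture 2015"],
    "psych_eval": "2019 evaluation", "allergies": ["penicillin"],
    "medications": ["ibuprofen"],
}


@dataclass(frozen=True)
class Cert:
    """Employee or device certificate issued under an organisation's own CA.
    `flags` is the set of data classes the holder is allowed to request at all."""
    subject: str
    org: str
    flags: FrozenSet[str]
    revoked: bool = False


@dataclass
class DataRequest:
    request_id: int
    requester: Cert
    requested: FrozenSet[str]
    authorized: Optional[FrozenSet[str]] = None   # filled in by the citizen
    expires_at: Optional[datetime] = None          # the expiry token


class CentralDatabase:
    def __init__(self, record: dict):
        self.record = record
        self.audit: List[DataRequest] = []   # every request, approved or not, is kept
        self._ids = itertools.count(1)

    def create_request(self, cert: Cert, fields: Iterable[str]) -> DataRequest:
        """Requester side: check the certificate and its flags, then hold the request."""
        if cert.revoked:
            raise PermissionError(f"certificate for {cert.subject} is revoked")
        wanted = frozenset(fields)
        over_reach = wanted - cert.flags
        if over_reach:
            raise PermissionError(f"{cert.org} may not request {sorted(over_reach)}")
        req = DataRequest(next(self._ids), cert, wanted)
        self.audit.append(req)
        return req

    def authorize(self, req: DataRequest, approved: Iterable[str],
                  now: datetime, ttl: timedelta) -> None:
        """Citizen side: the citizen may narrow the request, never widen it."""
        req.authorized = req.requested & frozenset(approved)
        req.expires_at = now + ttl

    def replicate(self, req: DataRequest, now: datetime) -> dict:
        """Selective replication: only authorised fields, only while the token is valid."""
        if req.authorized is None:
            raise PermissionError("request not yet authorised by the citizen")
        if now >= req.expires_at:
            raise PermissionError("authorisation expired; a new request is needed")
        return {k: self.record[k] for k in req.authorized}

    def verify_requester(self, req_id: int, claimed_org: str) -> bool:
        """Lets a citizen confirm a request really came from the organisation claimed."""
        return any(r.request_id == req_id and r.requester.org == claimed_org
                   for r in self.audit)


class LocalDatabase:
    """The requester's standardized copy; filters again per employee role."""
    def __init__(self, replicated: dict):
        self.data = replicated

    def view(self, role: str) -> dict:
        allowed = ROLE_VIEW.get(role, frozenset())
        return {k: v for k, v in self.data.items() if k in allowed}


def run_hospital_example(now: Optional[datetime] = None) -> Dict[str, dict]:
    """The broken-bone scenario: returns what each hospital role ends up seeing."""
    now = now or datetime(2024, 1, 1, 9, 0)
    central = CentralDatabase(CITIZEN_RECORD)
    # Hypothetical hospital that passed its regulatory checks: flags cover every field.
    clerk = Cert("clerk-01", "Example Hospital", frozenset(CITIZEN_RECORD.keys()))
    req = central.create_request(clerk, CITIZEN_RECORD.keys())
    # The citizen unchecks the psych eval and address before sending authorisation back.
    central.authorize(req, set(req.requested) - {"psych_eval", "address"},
                      now, ttl=timedelta(days=30))
    local = LocalDatabase(central.replicate(req, now))
    return {role: local.view(role) for role in ROLE_VIEW}
```

Two design points the model makes explicit: the citizen's authorization is intersected with the request, so approval can only shrink what was asked for, and the audit list is appended before authorization, so a request that is never approved is still visible to the citizen later.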