Privacy by Design: A Critical Facet of Personal Data Protection



Introduction


The annual assembly of International Data Protection and Privacy Commissioners was held in Jerusalem, Israel, in October 2010. A resolution on Privacy by Design was proposed by the Privacy Commissioners of Canada, Germany, New Zealand, the Czech Republic and Estonia. The proposal was to adopt the Privacy by Design (PbD) concepts developed by Dr Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, in the 1990s. The following resolutions were unanimously accepted by the assembly:



  • Encouraged the adoption of the principles of Privacy by Design as part of an organisation's default mode of operation; and

  • Invited Data Protection Authorities and Privacy Commissioners to promote Privacy by Design by fostering the incorporation of its 7 foundational principles in the privacy policy and legislation of their respective jurisdictions, and by encouraging research into Privacy by Design.


Dr Cavoukian has said that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must become an organisation's default mode of operation. The Privacy by Design framework is characterised by proactive rather than reactive measures: it anticipates and prevents privacy incidents before they happen. Privacy risks must not be allowed to materialise, because once privacy-related information has been compromised the harm can be irreparable. It is therefore better to embed privacy in the design than to respond after the incident.



The 7 foundational principles of Privacy by Design




1. Proactive not reactive; preventive, not remedial


The first principle expects top management commitment ab initio. It is the philosophical heart of the remaining principles. Privacy in any system, process, procedure or technology should be built in from the start, not added in response to an incident; it is a design-phase requirement. This requires the whole organisation to be oriented towards privacy and to treat privacy as routine. Every person concerned is made clearly aware of his or her responsibilities in respect of privacy.


2. Privacy as the default setting


The second principle is especially required for modern technology-based automated systems. The default setting must be established by design to be set to the level that provides the maximum possible privacy, whether in a website, database, AI system or just anything. If the subject does not modify the setting, their privacy is guaranteed and must remain intact, as it is integrated into the system and constitutes the default setting.


PbD seeks to give the user the highest level of privacy the state of the art allows and, in particular, to ensure that personal data are automatically protected in any system, application, product or service. Accordingly, the default settings of a system should provide:

  • Data minimisation.

  • A legitimate reason for collecting each component of the personal data.

  • Inbuilt access control to personal data.

  • Identification and authorisation of the users who add, modify or delete personal data, established in a legally provable way.

  • Strict control of access to personal data while it is being processed, whether by the organisation's own employees or by a personal data processor.

  • Technical as well as procedural barriers to the unauthorised linkage of independent sources of data.

  • Finally, when personal data is destroyed, nothing is left in the system unless a law, regulation or direction of an appropriate authority imposes a retention obligation.

Privacy by Design falls under the transparency requirements of the Personal Data Protection Bill 2019 (see Table 1 below for the relevant extract of PDPB 2019; for the full text see Resources).


Privacy by Default is made a formal part of Privacy by Design in the GDPR (see Table 2 below for the relevant extract of the GDPR; for the full text see Resources).





3. Privacy embedded into the design


The third principle requires embedding privacy in the very architecture of the technology and the business process, as an integral part of both. The privacy design should be tested and retested at appropriate intervals and whenever changes are made.

  • Built-in, not Bolt-on.

  • It should be an essential requirement within the life cycle of systems and services and business processes.

  • Undertake technical and business risk analysis and data protection impact assessments from a privacy perspective.

  • Document all decisions that are adopted within the organisation from a “privacy design thinking” perspective.




4. Full functionality - positive-sum, not zero-sum


The goal of this principle is to create a win-win situation in which all the different legitimate interests coexist. It is generally presumed that privacy comes at the cost of some business functionality, product usability or even security. This principle expects a balanced approach to these presumed conflicts, so that privacy is designed in without any requirement being sacrificed to another. It may be achieved by:

  • Establishing open channels of communication for collaboration and consultation with all stakeholders.

  • Identifying points of convergence as well as divergence.

  • Maximising the impact of the points of convergence and minimising the impact of the points of divergence by building them into the design.




5. End-to-end security - full lifecycle protection

This principle requires security across the complete life cycle of the personal data: from the time it is entered into the system until it is destroyed, whether because it is no longer needed, at the request of the user, or as directed by the appropriate regulator, authority or court. Encryption and anonymisation or pseudonymisation are standard practice, but much more is required. Some of the further measures are:

  • Classification of data into normal data, business-critical data, personal data and sensitive personal data. Do not try to boil the sea; apply security measures appropriate to the class of data.

  • An encryption, pseudonymisation or anonymisation and authentication policy and process for each stage, including data at rest or archived.

  • Guaranteed destruction with complete accountability.

  • Documentation of the data processing at each stage and a log preservation policy.
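The default settings listed under principle 2 (data minimisation, inbuilt access control, barriers to linkage, clean destruction) and the life-cycle measures under principle 5 (pseudonymisation, guaranteed destruction, log preservation) are design properties a system can enforce rather than merely document. The following Python example is added here to show one way of doing that; it is not code from the article or from any of the legislation it cites. The field registry, the default settings, the `PrivacyByDefaultStore` class and the demo data are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed field registry (an assumption of this example): each personal-data
# field the application may collect is listed with the purpose that justifies it;
# a field absent here has no declared legitimate reason and is refused.
FIELD_PURPOSES = {
    "email": "account recovery",
    "postal_code": "shipping of purchased goods",
}

# Privacy-protective defaults applied to every new data principal; they stay in
# force unless the principal deliberately changes them.
DEFAULT_SETTINGS = {
    "profile_visibility": "private",
    "marketing_opt_in": False,
    "share_with_partners": False,
}

class PrivacyViolation(Exception):
    """Raised when an operation would breach a privacy-by-default rule."""

class PrivacyByDefaultStore:
    def __init__(self, pseudonym_key: bytes):
        # Keyed pseudonymisation (HMAC-SHA256): a different key gives a different
        # pseudonym for the same id, so separate systems cannot join on it alone.
        self._key = pseudonym_key
        self._records: dict = {}
        self._settings: dict = {}
        self._acl: dict = {}
        self.audit_log: list = []

    def pseudonym(self, user_id: str) -> str:
        return hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()

    def _log(self, action: str, pid: str, actor: str) -> None:
        # Audit entries carry the pseudonym only, never the raw personal data.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "action": action, "subject": pid, "actor": actor})

    def collect(self, user_id: str, data: dict, actor: str) -> str:
        undeclared = sorted(set(data) - set(FIELD_PURPOSES))
        if undeclared:  # data minimisation: refuse before anything is stored
            raise PrivacyViolation(f"no declared purpose for fields: {undeclared}")
        pid = self.pseudonym(user_id)
        self._records[pid] = dict(data)
        self._settings[pid] = dict(DEFAULT_SETTINGS)
        self._acl[pid] = set()  # default deny: no role may read until granted
        self._log("collect", pid, actor)
        return pid

    def grant(self, pid: str, role: str, actor: str) -> None:
        self._acl[pid].add(role)
        self._log(f"grant:{role}", pid, actor)

    def read(self, pid: str, role: str, actor: str) -> dict:
        if role not in self._acl.get(pid, set()):
            self._log(f"denied:{role}", pid, actor)
            raise PrivacyViolation(f"role {role!r} is not authorised for this record")
        self._log(f"read:{role}", pid, actor)
        return dict(self._records[pid])

    def settings(self, pid: str) -> dict:
        return dict(self._settings[pid])

    def erase(self, pid: str, actor: str) -> bool:
        # Guaranteed destruction: clear every table, log against the pseudonym,
        # and report whether anything about the principal is left behind.
        tables = (self._records, self._settings, self._acl)
        for table in tables:
            table.pop(pid, None)
        self._log("erase", pid, actor)
        return not any(pid in table for table in tables)

def _violates(operation) -> bool:
    try:
        operation()
        return False
    except PrivacyViolation:
        return True

def demo() -> dict:
    """Walk one constructed record through collection, default-deny access and erasure."""
    store = PrivacyByDefaultStore(pseudonym_key=b"constructed-demo-key")
    pid = store.collect("alice@example.com",
                        {"email": "alice@example.com", "postal_code": "560001"},
                        actor="signup-service")
    other_system = PrivacyByDefaultStore(pseudonym_key=b"another-system-key")
    results = {
        "defaults": store.settings(pid),
        "minimisation_enforced": _violates(lambda: store.collect(
            "bob@example.com", {"email": "bob@example.com", "dob": "1990-01-01"}, "signup")),
        "default_deny": _violates(lambda: store.read(pid, "marketing", "campaign-job")),
        "linkable_by_id": other_system.pseudonym("alice@example.com") == pid,
    }
    store.grant(pid, "fulfilment", actor="dpo")
    results["read_after_grant"] = store.read(pid, "fulfilment", "warehouse-app")
    results["erased"] = store.erase(pid, actor="user-request")
    results["log_leaks_raw_data"] = any("alice" in str(entry) for entry in store.audit_log)
    return results
```

Running `demo()` shows the properties the two principles ask for: a field with no registered purpose is rejected before it is stored, a read with no granted role is denied and logged, two systems holding different pseudonymisation keys derive different pseudonyms for the same person, erasure reports whether any trace remains, and the preserved audit log contains pseudonyms rather than the personal data itself.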



6. Visibility and transparency - keep it open



The sixth principle requires not just having Privacy by Design but also being able to demonstrate and verify that processing is carried out in accordance with the information given. This is essential for demonstrating diligence and accountability before the Supervisory Authority, and as a measure of trust before data principals (data subjects). Data principals should be informed what they have consented to, what their rights are, how they can exercise those rights and, in case of any disagreement, whom they can approach. Chapter VI of the Personal Data Protection Bill 2019 deals with transparency. Some of the approaches to transparency and visibility are:

  • Publication of an easily accessible and comprehensible Notice.

  • Keeping the Data Principal informed about any change in process, procedure, ownership of the organisation or policy.

  • A consent form which is filled in deliberately by the Data Principal.

  • Informing the authorities and Data Principals of any breach and of its likely impact on the Data Principal.

  • Displaying a certified Privacy by Design Policy on the website.

  • A Privacy Audit Report.

  • The Trust Score issued by the Authority.

  • Contact details of the Data Protection Officer or Grievance Officer.

  • Automatic or quick acknowledgement of any complaint, request or query from the Authority or a Data Principal.




7. Respect for user privacy: keep it user-centric

While pursuing its legitimate business interests, an organisation should respect the personal data of all the Data Principals who have entrusted their private information to it. They are at the centre of everything related to personal data, sensitive or otherwise. A person's inaction or lack of interaction regarding her personal data must not be construed as a lack of interest in it. All measures must be transparently observed when designing processes, applications, products and services so that the privacy of Data Principals is guaranteed. Some of the measures that keep Data Principals at the centre are:

  • Cogent and valid consent

  • Implementing privacy settings that are “robust” by default

  • Knowledge of rights, powers and obligations of Data Principals

  • Implementing efficient and effective mechanisms that allow data subjects to exercise their rights.

  • Designing Privacy in technology and business in accordance with these 7 principles




Conclusion


Privacy by Design is one of the basic features of all the legislation on Personal Data Protection or Privacy passed across the globe. Dr Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, proposed the seven principles of Privacy by Design, which were adopted by all the Supervisors and Personal Data Protection Authorities. The Personal Data Protection Bill 2019 proposes that all organisations, irrespective of their size and scope, should have a Privacy by Design Policy. Additionally, all Significant Data Fiduciaries must submit their policies to the Personal Data Protection Authority of India. After due diligence, the Authority will certify the Privacy by Design Policy, and the Data Fiduciary should publish the certified policy on its website. Privacy by Design is therefore a critical feature of any personal data protection mechanism.




Table 1

Privacy by Design in the Personal Data Protection Bill 2019

The Personal Data Protection Bill 2019 also requires that privacy by design be built in, and moreover that the organisation's policy on the subject be shared with and certified by the Data Protection Authority of India. Chapter VI of the proposed law, which deals with Transparency and Accountability Measures, starts with section 22, "Privacy by Design Policy". The section states:


22. (1) Every data fiduciary shall prepare privacy by design policy, containing—

(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;

(b) the obligations of data fiduciaries;

(c) the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;

(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;

(e) the protection of privacy throughout processing from the point of collection to deletion of personal data;

(f) the processing of personal data in a transparent manner; and

(g) the interest of the data principal is accounted for at every stage of the processing of personal data.


(2) Subject to the regulations made by the Authority, the data fiduciary may submit its privacy by design policy prepared under sub-section (1) to the Authority for certification within such period and in such manner as may be specified by regulations.


(3) The Authority, or an officer authorised by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements of sub-section (1).

(4) The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority.




Table 2

Privacy by design and default in the GDPR

Article 25 of the General Data Protection Regulation of the European Union defines the requirement of privacy by design and by default. Article 25 states:


‘Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.’

Article 25(2) specifies the requirements for data protection by default:

‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.’

Article 25(3) states that adherence to an approved certification mechanism under Article 42 may be used as one way of demonstrating compliance with these requirements.



Resources: This article is based on "Privacy by Design: The 7 Foundational Principles – Implementation and Mapping of Fair Information Practices" by Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, in the 1990s.

Declaration: This Article may be republished without further consent but mandatorily and prominently referring to the source and author



