Privacy by design
Foreword
The capacity of organisations to acquire and use our personal details has increased dramatically since our data protection laws were first passed. There is an ever increasing amount of personal information collected and held about us as we go about our daily lives. Although we have seen a dramatic change in the capability of organisations to exploit modern technology that uses our information to deliver services, this has not been accompanied by a similar drive to develop new effective technical and procedural privacy safeguards. We have seen how vulnerable our most personal of details can be and these should not be put at risk. The Information Commissioner’s Office (ICO) commissioned this expert report to try to identify why more has not been done to design in privacy protections from first principles and what needs to be done to rectify the situation. This report provides a thorough analysis of the situation and we will be considering what action we can take based upon its helpful recommendations with the aim of achieving a comprehensive approach to securing privacy protection.
Richard Thomas - Information Commissioner
26 November 2008
The privacy by design programme will encourage public authorities and private organisations to ensure that as information systems that hold personal information and accompanying procedures are developed, privacy concerns are identified and addressed from first principles. In short, this means designing in privacy and data protection compliance rather than ignoring it or bolting it on as an inadequate afterthought.
Over recent months the Enterprise Privacy Group has consulted with a cross-section of privacy, identity and security experts, hosted an expert workshop and drawn upon past and ongoing research into privacy-related topics to build up a view of the actions that could reinvigorate respect for privacy needs in the systems lifecycle. This has resulted in a wealth of materials and original work, and these will be published to support this document.
This report is the first stage in bridging the current gap in the development and adoption of privacy-friendly solutions as part of modern information systems. It aims to address the current problems related to the handling of personal information and put into place a model for privacy by design that will ensure privacy achieves the same structured and professional recognition as information security has today.
Our publication is only the first step in a journey towards privacy by design. The project will develop from this point, exploring the key issues in greater detail, refining recommendations and putting them into practice. We wish to extend our appreciation to everyone who has contributed to this report.
Toby Stevens, Director, Enterprise Privacy Group
26 November 2008