Executive summary

Over the past year a stream of high-profile data loss incidents have shaken consumer confidence in the ability of public authorities and private organisations to manage personal information in a trustworthy manner. There is a clear and urgent need for a new approach that will help to reduce the risks arising from processing personal information and hence rebuild consumer trust. This is the purpose of Privacy by Design.

The privacy by design approach that is described in this report will encourage organisations to give due consideration to privacy needs prior to the development of any new system or process, and to maintain that control throughout the systems lifecycle, from the earliest stages of developing a business case, through to the decommissioning of the system. This lifetime approach will ensure that privacy controls are stronger, simpler to implement, harder to by-pass, and totally embedded in the system’s core functionality.

A ‘privacy by design ecosystem’ is required – an environment in which organisations understand what is expected of them and how to deliver it, supported by innovative delivery of privacy enhancing technologies (PETs) from vendors, and an ICO that can both support and enforce fresh standards for the handling of personal information.

However, if privacy by design is to be successful then a number of important barriers to its adoption must be removed. At present there is an ongoing lack of awareness of privacy needs at an executive management level, driven by uncertainty about the potential commercial benefits of privacy-friendly practices; a lack of planning for privacy functionality within the systems lifecycle; fundamental conflicts between privacy needs and the pressure to share personal information within and outside organisations; few delivery standards with which organisations can comply; a need for off-the-shelf PETs to simplify delivery of privacy functionality; and a role for an empowered and properly-resourced ICO to ensure that organisations step up to the mark in their handling of personal information.

To remove these barriers, and stimulate the development of privacy by design, the Enterprise Privacy Group has developed a number of recommendations for government, regulators, industry, academia and privacy practitioners to pursue, with the support and encouragement of the ICO. These recommendations include the following:

• Working with industry bodies to build an executive mandate for privacy by design, supported by sample business cases for the costs, benefits and risks associated with the processing of personal information, and promotion of executive awareness of key privacy and identity concepts so that privacy is reflected in the business cases for new systems.
• Encouraging widespread use of privacy impact assessments throughout the systems lifecycle, and ensuring that these assessments are both maintained and published where appropriate to demonstrate transparency of privacy controls.
• Supporting the development of cross-sector standards for data sharing both within and between organisations, so that privacy needs are harmonised with the pressures on public authorities and private organisations to share personal information.
• Nurturing the development of practical privacy standards that will help organisations to turn the legal outcomes mandated under data protection laws into consistent, provable privacy implementations.
• Promoting current and future research into PETs that deliver commercial products to manage consent and revocation, privacy-friendly identification and authentication, and prove the effectiveness of privacy controls.
• Establishing more rigorous compliance and enforcement mechanisms by assigning responsibility for privacy management within organisations to nominated individuals, urging organisations to demonstrate greater clarity in their personal information processing, and empowering and providing the ICO with the ability to investigate and enforce compliance where required.

The government, key industry representatives and academics, and the ICO are urged to consider, prioritise and set in motion plans to deliver these recommendations and hence make privacy by design a reality.