Privacy by design: Summary of barriers, desired outcomes and recommendations

For each theme, the summary lists the barriers to privacy by design, the desired privacy outcomes, and the recommendations for delivering privacy by design.

Theme: Engaging executive management

Barriers to privacy by design:
- Executive managers don't always recognise or correctly prioritise their organisation's responsibility, or their own accountability, for protecting individuals' privacy.
- Executives and their staff often lack a shared language for discussing or specifying privacy requirements clearly and unambiguously. As a result, poor privacy specifications deliver poor privacy controls.
- The commercial risks and benefits of managing personal information are often unclear, making privacy investment hard to justify. In consequence, privacy needs are often omitted from the business cases for new systems.

Desired privacy outcomes:
- Executive managers understand their privacy duties and communicate their privacy management wishes across the organisation.
- Business cases for new systems incorporate privacy specifications that are understood by all members of staff.

Recommendations for delivering privacy by design:
- The executive managers of public authorities and private organisations need greater awareness of their privacy responsibilities, supported by:
  - sample cost, risk and benefit cases that demonstrate the value of privacy compliance; and
  - a simple shared language for key privacy concepts such as data minimisation, identification, authentication and anonymisation, to assist communication within and outside organisations.
- The ICO (Information Commissioner's Office) and other regulatory bodies have a role in making this happen.

Theme: Planning for privacy by design

Barriers to privacy by design:
- Traditional risk management methodologies often fail to consider the value of personal information, and hence do not take privacy needs into account.
- Risk assessment approaches often fail to manage privacy needs throughout the systems lifecycle, so many bespoke and off-the-shelf systems are still built without proper or innovative privacy controls.
- Privacy needs are often not rigorously considered at any stage of the systems lifecycle, so systems can be modified or re-used without consideration of the privacy implications.
- Systems do not always support automated subject access requests, so information retrieval procedures can be onerous for organisations.

Desired privacy outcomes:
- Systems incorporate appropriate privacy enhancing technologies (PETs), selected on the basis of a rigorous privacy impact assessment (PIA).
- Privacy needs are managed throughout the systems lifecycle.

Recommendations for delivering privacy by design:
- Organisations should be encouraged to implement high-level privacy management policies that call for:
  - privacy impact assessments throughout the systems lifecycle, from business case to decommissioning;
  - managing privacy-related risks to within pre-defined levels;
  - potentially submitting the privacy impact assessments for the most sensitive systems to the ICO for verification; and
  - greater transparency through publishing privacy impact assessments (possibly mandatory for public sector organisations).
- Organisations should be urged to demonstrate that all new systems support automated subject access requests, and encouraged to implement online subject access request services where appropriate.

Theme: Sharing personal information

Barriers to privacy by design:
- The pressure to share personal information within and outside organisations can lead to privacy-related problems:
  - data from 'privacy-friendly' systems is shared with other systems that are less able to respect privacy needs;
  - copies of personal information in transit are not always appropriately secured;
  - organisations often aggregate data rather than sharing it;
  - identifiers are used as indices, making it hard to anonymise the data thereafter; and
  - privacy metadata can be lost as information is shared between systems.
- If system PIAs are conducted in isolation, the results may fail to take into account the broader systemic implications of data sharing.

Desired privacy outcomes:
- Organisations can share data internally and externally, and individuals have confidence that their privacy wishes will be respected when they do so.
- Individuals know who has their personal information and are able easily to access and amend it.

Theme: Developing practical privacy standards

Barriers to privacy by design:
- Organisations are often uncertain how to implement systems that comply with data protection law, and are left to manage privacy on a 'best efforts' basis, with each system approaching the issue case by case.
- There are no internationally recognised standards to guide organisations in implementing privacy controls.

Desired privacy outcomes:
- Organisations are able to operate in compliance with consistent, affordable, provable privacy standards, much as they already do with information security standards.

Recommendations for delivering privacy by design:
- Government, regulators, industry and academia should be encouraged to develop practical standards for privacy implementation, supported by guidelines on the functionality and specific technologies that should be considered for incorporation into new systems. The initiative has to come from the organisations themselves, so that they contribute and collaborate to ensure the resulting standards meet their needs. The work should not be done in isolation but should engage with similar emerging initiatives elsewhere. The ICO has a role to play in guiding and supporting the initiative.

Theme: Promoting privacy enhancing technologies

Barriers to privacy by design:
- PETs have yet to find widespread adoption in 'real world' environments because organisations and vendors are fearful of committing to specific PETs in case these quickly prove obsolete as technologies develop. Web 2.0, cloud computing and service-oriented architecture developments will most likely add further complexity to this problem.

Desired privacy outcomes:
- Vendors are encouraged to incorporate PETs and privacy functions into their off-the-shelf systems and to promote these as selling points.
- Organisations adopt PETs into their systems where appropriate.
- PETs are recognised as valuable tools to support the management of personal information.

Recommendations for delivering privacy by design:
- Government, regulators, industry and academia need to work together to support existing and future PETs research, and in particular to encourage research into:
  - mechanisms to simplify obtaining and managing consent, revocation and data minimisation;
  - 'privacy-friendly' identification and authentication systems; and
  - methodologies to test and prove the effectiveness of privacy controls in systems and across organisations.
- Successful initiatives should be developed into practical standards, and buyers encouraged to demand better privacy functionality from vendors.

Theme: Managing compliance and regulation

Barriers to privacy by design:
- The ICO lacks the resources and powers needed to detect, investigate and, where necessary, enforce compliance through punitive sanctions. In consequence, individuals perceive organisations as unaccountable when privacy problems arise.
- Many organisations treat the Data Protection Act (DPA) as 'just another compliance issue', which is not necessarily enough to ensure effective privacy management controls.
- Despite the ICO's guidance, organisations are sometimes uncertain about what constitutes personal information or what powers individuals have over that data.
- Privacy professionals operate in an unregulated environment with few recognised qualifications or accreditation bodies. This makes it hard for organisations to gauge the competence of an individual practitioner, or to trust that person's work.

Desired privacy outcomes:
- Individuals know that organisations will be held to account for proper management of personal information.
- Organisations have a clear understanding of what information is considered personal and what powers individuals have over it.
- Privacy professionals are trained and accredited to known standards.

Recommendations for delivering privacy by design:
- Regulators and government should explore obliging organisations to nominate an executive-level representative who will be held accountable for proper management of personal information.
- The government needs to recognise the realistic increased funding requirements of an empowered ICO that can both promote and enforce privacy practices.
- The ICO should examine whether any further guidance is needed on what constitutes personal information, and continue to deliver practical advice to organisations about what powers individuals have over their data.
- There is a pressing need to develop a professional body for privacy practitioners (possibly under the aegis of an existing chartered body), whose aim will be to train, accredit and promote the work of privacy professionals. Clearly the ICO will have an important role in supporting this.