Part three: Delivering privacy by design

Introduction

This section considers the actions that will be needed to deliver privacy by design. Principles of obtaining executive support; incorporating privacy controls into every stage of the systems lifecycle; addressing privacy needs within the data sharing agenda; developing privacy standards; promoting PETs; and overseeing the process through an empowered and properly-resourced regulator will all be necessary to put these recommendations into practice.

The privacy by design ecosystem

At the heart of the success of privacy by design will be the creation of a ‘privacy by design ecosystem’ – an environment that engages all stakeholders at all levels across all sectors to ensure that privacy becomes embedded not only in all aspects of the systems lifecycle, but for organisations becomes part of ‘the way we do things around here’. A successful privacy by design ecosystem will encourage organisations to invest in PETs and privacy-friendly systems.

At present such an ecosystem does not exist, and hence privacy needs are often driven out of the systems lifecycle – unclear benefits and a low risk of enforcement mean that organisations tolerate poor compliance regimes, and they do not prioritise privacy in their systems, leading to low demand for privacy solutions, and hence vendors are not under pressure to deliver PETs in their products.

However, in a more constructive environment, government and major corporates would mandate the requirement for privacy controls in their systems, and work with vendors to agree suitable design standards; once in place, they would then call upon their suppliers to conform with these standards, and this would propagate through the procurement chain. Once vendors have ‘off the shelf’ products that incorporate these standards, they will be available to all public authorities and private organisations.

Within each organisation, the mandate will need to spread down from executive management throughout the organisation, being delivered as policies, standards and implementation guidelines, and then reported back through audit processes.

This outcome cannot succeed without the support of the major system integrators and software vendors who have the ability to provide products and services that support privacy by design. This will require mutual agreement not only with the UK divisions of those companies, but the international (predominantly US) parent companies to ensure that they take into account these ideas in their global product development.

Learning lessons: How security by design succeeded

The current status of privacy echoes that of information security some 20 years ago, when the subject was poorly understood and often overlooked in the development of information systems. Today, however, information security is recognised as an important topic in both the commercial world and government, and information security requirements are built in to most major information systems as a matter of course. What lessons can be learned from how this transformation came about?

The following table describes the key factors that contributed to security by design, and suggests how these might apply to privacy by design.

Key factors in security by design		Lessons for privacy by design
Understanding the threat	Growth of the internet and e-commerce significantly raised the risks. Major incidents and the activities of hackers raised awareness. Reliable statistics on incidents became available. The business case for information security investment became convincing.	Privacy risks have increased substantially – identity-related fraud is one of the fastest growing crimes globally – but this has not been communicated effectively. Further work is required on gathering reliable statistics, clearly expressing the threats, highlighting the benefits of addressing privacy at the start of a project and developing sample business cases.
Management standards	Recognition that management issues are as important as technical issues. Significant activity in developing information security management standards – BS 7799 (UK), ISO/IEC 17799 (International).	Recognise that privacy is a management issue as much as a technical issue. Effective privacy standards should be actively pursued, preferably at international level.
Executive awareness	Significant work undertaken by national and international bodies in the area of corporate governance – 18 major reports, guidance and legislation between 1986 and 2002 such as Sarbanes Oxley Act (USA). This work stressed the need to evaluate risks and apply controls and served to legitimise information security as a topic of concern for senior management.	Privacy is recognised as an important element of corporate governance but there is little evidence that this has been used effectively to gain executive attention. Further work is required to show the clear link between privacy and corporate governance and to communicate it widely and in particular to senior executives.
Language and frameworks	Based on clear definitions there was a growing consensus on the definition and scope of information security. At national and international level, information security professionals can communicate effectively. Other disciplines such as internal audit agree with definitions which makes cooperation more successful.	There is no widely accepted definition of privacy – a particular problem with so many different parties involved in achieving privacy. There is also no widely accepted description of the relationship between privacy, identity and information security. There is an urgent need for clear definitions and for agreement among the parties involved.
Organisation and responsibilities	Chief Information Security Officer (CISO), appointed in most major organisations, acts as a focus point and provides knowledge and expertise.	The appointment of a Chief Privacy Officer (CPO) at an appropriately high level of seniority should be encouraged and recommended as good practice.