Part four: Recommendations for delivering
privacy by design

Introduction

This section provides specific recommendations for delivering privacy by design. These are not intended to be comprehensive, complete or prioritised, but rather to provide a framework for the further development of plans to implement privacy by design. The ICO will be in a position to develop these points, exploring the key issues in greater detail, refining recommendations and putting them into practice.

Engaging executive management

The first critical step in delivering privacy by design will be to engage with, and obtain support from, senior executives in public authorities and private organisations.

The mandate for privacy by design

The first step in obtaining executive commitment will be to build a mandate for privacy by design: a popular call from across government and industry bodies, including the ICO and other sector-specific regulators, to adopt privacy by design. The call should be for organisations to recognise that privacy issues are an important component of the corporate governance agenda, to incorporate privacy controls into all new systems, and to fit them into existing systems as they are maintained and modified. Where business cases for new systems are presented without a supporting PIA, they should be rejected. This is a logical and beneficial step, since a PIA may reveal a need for additional controls or even a fundamentally different approach, with consequential costs for the project. In the public sector, this approach could be mandated for all systems.

Demonstrating benefits of privacy by design

Businesses in particular need to understand the importance of privacy by design, and its potential impact on the bottom line. This could be achieved by providing example benefits cases that clearly express the possible commercial benefits of a privacy-friendly customer offering, whilst demonstrating the risks associated with poor privacy practices.

Creating a language for privacy by design

The ICO has worked hard to promote awareness of data protection, with a considerable degree of success. Efforts now need to focus on the language of privacy, with a goal of equipping executives and technology professionals with a shared vocabulary that allows them to discuss privacy requirements in a clear and unambiguous manner.

This approach should focus on desired outcomes – such as proportionality of collection, data minimisation or transparency of processing – rather than the functions used to implement privacy controls. The language must be meaningful to executives and avoid technology where possible.

The clarification of a common language should also be promoted within legal circles with the objective of simplifying online privacy policies and fair processing notices. Only when lay individuals can quickly and easily understand fair processing notices will they be able to actually make informed decisions about processing of their personal information.

Planning for privacy by design

Delivering privacy by design in the organisation will require a structured framework of processes and technologies that can deliver the relevant policies and standards mandated by the organisation’s executive management.

Privacy impact assessments (PIAs)

PIAs are intended to identify privacy-related risks from the earliest stages of a project onwards, so that privacy issues can be addressed within the system design and safeguards incorporated rather than being added later on.

Throughout this process the organisation must understand its own ‘risk appetite’ – ie what degree of failure is considered an acceptable risk? For example, a system that only leaks or loses a single financial transaction in every 10 million might be considered acceptable from the organisation’s perspective, but not to the individual concerned. A balance needs to be struck whereby privacy-related failures are reduced to a reasonable level.

All projects have to balance cost, quality and time, and invariably are limited on each. Project managers have to understand how the organisation wishes to prioritise privacy needs over other competing requirements, guided by a high-level policy statement that defines the baseline tolerances.

Therefore the first operational step for privacy by design should be to ensure that the organisation has an overall PIA or equivalent privacy policy to define baseline risk tolerances and appetites, and that this forms the template for incorporating PIAs into all new systems and system changes. In the case of the public sector, this should include assessments that span authorities and departments, and might even include a pan-sectoral assessment.

When delivering system-specific PIAs, it is important that practitioners go much further than simply a data protection law compliance check (although this should of course be part of the process). The assessments need to consider all aspects of privacy, from the perspective of the individual rather than the organisation. This clearly may appear to be onerous, but with the ICO’s recommended approach it should be possible to conduct a simple, high-level assessment to ascertain whether there is a need for greater investigation (for example, to identify whether a system holds sensitive personally-identifiable information), and then to initiate more detailed investigations if necessary.

In the case of critical systems – such as those processing very sensitive personal information, extremely large volumes of personal information, or with a high number of security risks (such as many distributed users) – the organisation should consider providing a copy of the PIA to the ICO for verification. In such cases it would be reasonable to expect the ICO to grant a degree of tolerance to those organisations that suffer privacy-related incidents but have taken all reasonable steps to transparently deliver a privacy by design process.

Transparency of PIAs

If an organisation has delivered a PIA, then a valuable step to demonstrate commitment and transparency would be to place that document in the public domain – a logical step, since it relates to the individuals’ information. For the public sector, this approach could be mandated for all PIAs, thus demonstrating both the commitment to PIAs and the existence of the documents on a per-system basis.

Introducing system transparency through subject access requests

If systems incorporate subject access request (SAR) functionality at the design stage, then as well as providing essential functions for the business, they will encourage system architects to adopt a more individual-centric approach to their data definitions. It is, therefore, in the interests of both organisations and individuals to ensure that systems are designed to automatically service SARs.

In order to deliver an environment where this is possible, five key issues need to be addressed:

• Mandate: Public-sector organisations should mandate that all new systems that process personal information must support SAR functionality (although it should not be mandatory to offer online subject access). Similar mandates from the regulators of private-sector organisations – particularly in the financial services sector – would force the incorporation of functionality into the commercial environment.
• Clarification: There can be considerable legal uncertainty about what constitutes personal information, and organisations will need greater clarification if they are to be able to design SAR functionality into their systems.
• Authentication: There is a mutual challenge for organisations and individuals in submitting SARs, since the individual has to prove his/her entitlement to access the data. In the majority of cases this requires a written request for the data to be sent to the address held on file, but this model does not work if the individual has not disclosed his/her address to the organisation (eg certain online services) or if the request in fact relates to data where there is no existing relationship (eg where an organisation has received data from a third party but has had no previous contact with the individual). Organisations need to reconsider their use of strong authentication techniques in order to facilitate the SAR process and to assure all parties that data will only be released to a legitimate requesting party.
• Promoting online subject access: A coordinated strategy for offering online SARs is an important long-term goal. On a sector-by-sector basis, public authorities and private organisations need to develop targets for moving towards simple online delivery of data when it is requested.
• Intolerance of non-compliant systems: Where an organisation has difficulty fulfilling a SAR because it feels it to be excessive or disproportionate, if part of the reason is that its systems do not support the request then that should not be a permissible excuse.

Organisations should be urged to ensure that their new systems incorporate this functionality as a means to introduce and prove transparency of operation.

Sharing personal information

It is clear that data sharing is a commercial and government necessity, and any privacy by design approach must not only support the data sharing agenda, but also reduce the risk of failure and enhance the sharing outcome.

There is a clear need to develop a standard for data sharing that would allow organisations to incorporate secure and privacy-positive data interchange in their systems.

Managing privacy metadata

Metadata languages have been researched for many years, but there are few examples of successful implementations for privacy purposes. Work is underway in the research community, including in the PrimeLife and EnCoRE²³ projects, to investigate the detailed requirements for policy languages to support metadata functionality and to encourage use and dissemination of standards through bodies such as W3C’s Policy Languages INterest Group (PLING).

When personal information is shared from a system that is designed in a ‘privacy-friendly’ manner to another that is not, the privacy benefits may be lost. If metadata is stripped in the process (for example, if the receiving system is unable to process the metadata fields) then that personal information is left vulnerable to abuse.

Government, regulators, industry and academia should lend their support to the ongoing research work and seek out opportunities for innovative applications of the concepts that are developed. Whilst it is a long-term approach, the success of metadata is essential for the future of privacy by design.

Information security standards for data sharing

A number of sector-specific regulators have issued guidance on the security controls that should be applied to personal information in transit, be it online or in physical media. For example, public authorities are mandated to encrypt personal information (which in most cases must also be protectively marked), and the Financial Services Authority is calling for similar controls in the finance sector.

These approaches should be extended across all organisations handling personal information. They will require clear and specific instructions about the circumstances under which they must encrypt data; the tools that they may use; and the processes that must be applied to managing the tools and associated encryption keys.

Data minimisation

The most certain way to protect personal information during the data sharing process is not to share it – or even to hold it in the first place. This is the principle of ‘data minimisation’: that is, ensuring that systems collect, process and retain absolutely no more personal information than is necessary to meet the system objectives. Related issues, such as proportionality or necessity of processing, are equally important, and must also be taken into account in order to deliver a minimisation approach.

Data minimisation is largely a design philosophy rather than a technology solution, although specific technologies – such as privacy-friendly authentication mechanisms – can simplify the process. Organisations need to be educated and reminded of data minimisation principles to encourage further use of this approach in future developments.

Developing practical privacy standards

The lack of internationally recognised standards to guide organisations in implementing privacy controls, and differences between various local data protection laws at the international level, are an obstacle to achieving consistency in privacy management approaches across organisations.

There are a number of initiatives under way to develop practical privacy standards. The need is great, as reflected by the adoption of a draft resolution ‘on the urgent need for protecting privacy in a borderless world’ at the 30th International Conference of Data Protection and Privacy Commissioners, on 17 October 2008.

Government, regulators, industry and academia need to come together to support this work and start preparing relevant standards in the UK, in partnership with emerging international activities. Ideally this work should come from end user organisations rather than regulators, since the outputs are then more likely to meet the wishes of the organisations concerned. Nevertheless, the ICO has an important role to play in catalysing and guiding such an approach.

Promoting privacy enhancing technologies

Despite many years of research, PETs have yet to find widespread adoption in ‘real world’ environments. Awareness and understanding of PETs is generally low, and even where PETs exist they often are not available in commercial products.

The key to delivering these outcomes will be turning important research in key PETs areas into deliverable products that vendors and enterprises can integrate into their systems.

Building a market for privacy products

If the market for commercial products and systems that incorporate privacy functions is to grow, then major vendors need to see privacy as a key customer requirement – not just one of a number of functions, but a ‘deal breaker’ in any procurement. Until that happens, it is unlikely that they will be inspired to ensure that off-the-shelf products incorporate strong privacy controls. Government and private sector organisations should be encouraged to demand privacy functions as a core component of any software and system they procure.

Revocation and deletion of data

A long-standing but still unresolved privacy management problem is that of giving individuals the ability to revoke already-given consent for the processing of personal information. Incorporating this need into systems is not always as simple as it seems: in environments where massive data sharing takes place, such as credit reference agencies or data brokers, if an individual’s record is deleted then it may rapidly be repopulated when data is imported from other sources. In such circumstances it may be necessary, and indeed legitimate, to hold a basic record of the individual so that it can be marked as a ‘desist’ and prevent further repopulation of the record.

The UK government is funding research into this area through projects such as EnCoRe, PVnets and VOME, and should support the development of commercial products based on the findings.

Privacy-aware authentication

There appears to be a received wisdom within many organisations that when a system design requires an identification mechanism for individuals, then it is legitimate to ask ‘how much privacy shall be sacrificed to deliver identity?’ This attitude is at the heart of many flawed systems that inadvertently accumulate far more personal information than is actually required to deliver the desired objectives. Generally, an identification system has to be built around a database of personal information, whilst for an authentication system that is not necessarily required.

There is a need for much greater awareness of the identification and authentication mechanisms now commercially available to offer privacy-friendly services. Work by the likes of Credentica²⁴, Liberty Alliance²⁵ and research projects such as PRIME²⁶ have developed practical commercial approaches to privacy-friendly identity mechanisms. Some of the most important work in this space has been done by Kim Cameron of Microsoft, who has developed the ‘Laws of Identity’²⁷, which provide principles for privacy-friendly identification systems. These – and similar ideas – should be promoted to technology professionals involved in the design and delivery of any system that processes personal information.

Proving privacy by design

Any approach that implements privacy by design will need to prove the effectiveness of that approach in order to satisfy consumers and regulators that the system or process really is privacy-friendly. For information security, this proof can be achieved using a combination of approaches that may include:

• assessing risks at a systemic level to confirm that the consequences of a breach are acceptable to the organisation;
• rigorous examination of the system design and implementation by accredited security professionals;
• testing of the implementation in simulated attacks (‘white hat’);
• opening up source code to public scrutiny; and
• obtaining independent certification of the level of security offered.

Privacy experts should prioritise further research into methodologies that can be used to test and prove privacy by design, and work with vendors to see how these can be delivered as practical products.

Putting PETs into practice

The government, through its various innovation schemes in BERR and other agencies, is funding research into privacy issues. Such schemes should incorporate delivery of practical privacy products into their scope, and work with key vendors to ensure that the outputs are turned into commercial products.

Once practical PETs are available, there will be a need for an independent but trusted body – such as a regulator or trade association – which is able to test and accredit PETs-enabled products to confirm the level of protection offered and certify them accordingly. This is not dissimilar to the CAPS-approved function currently provided by CESG²⁸.

Managing compliance and regulation

Perhaps the most important component of a privacy by design ecosystem is ensuring that every stakeholder complies with the agreed privacy requirements, and that an appropriate enforcement regime is available for those organisations that fail to do so. Only when this happens will individuals regain confidence in the responsibility and accountability of the organisations to whom they have to entrust their personal information.

Ensuring accountability for personal information processing

It is clear that if any organisation is to be expected to take privacy needs seriously, then there needs to be both responsibility for privacy management (eg Chief Privacy Officer or equivalent), and possibly a concept of a ‘nominated defendant’ at executive level – a named individual who will be expected to represent the organisation in a criminal or civil court in the event of a data loss incident that results in legal proceedings.

An additional possibility would be to force organisations to declare an asset and liability value of personal information within their financial returns, thus forcing them to keep track of information assets and consider whether they are really required or not.

The topic of data breach notification – compelling organisations to inform regulators and individuals of data loss incidents – is very much in the spotlight at present, and may well provide a mechanism to improve transparency and accountability, but is not within the scope of this document.

Empowering the regulator

If privacy by design is to succeed, then there is a role for an empowered and properly resourced ICO to encourage and enforce requirements. The ICO will require broader and clearly defined powers and bailiwicks with a mandate to govern:

• behaviours: including assigning accountability for proper data management;
• regulations: covering the UK and cross-border data transfers; and
• outcomes: including assigning and enforcing penalties and redress, and sponsoring class action lawsuits.

These powers and duties will need to be clearly communicated to data controllers and individuals alike. To achieve this, the ICO will also need the ability to recruit more technical experts who can communicate with developers, and support the current legal and management team. This has been the focus of the recent Ministry of Justice review, and the outcomes should be given whole-hearted support by the government.

Clarifying legal complications

The private sector is seeking greater clarity on how to comply with the DPA and relevant European directives, since these prescribe the desired legal outcomes, but there are no recognised standards on how to achieve those. More efficient management of personal information (including emerging approaches that allow customers to manage their own information) would lead to a reduction in processing costs, more accurate and complete data, better consent processes, and ultimately a competitive advantage gained through responsible management of personal information.

There is a need to reiterate guidance across all affected stakeholder groups in order to build an improved climate of trust.

Promoting the privacy profession

Organisations need to be able to recruit and retain individuals with accredited skills in privacy management. There is, as yet, no body in the UK that is widely recognised as providing such accreditation. ISEB²⁹ provides data protection qualifications, and the IAPP³⁰ is focused on the USA’s requirements. There is, therefore, a clear need for a new professional body for privacy professionals in the UK.

Privacy professionals need to join together to develop a professional body that supports their profession through training and accreditation. It may prove to be more practical to do this – at least initially – under the aegis of another existing chartered body, with support from the ICO to ensure that all parties coalesce around a single organisation rather than multiple competing bodies.

This approach will create a new profession in which organisations can place their confidence, and which can deliver new privacy-related processes to support privacy by design. For example, qualified ‘privacy architects’ could sign off new systems to confirm the suitability of privacy controls, or accredit products to an assured standard. ‘Privacy auditors’ could even certify an organisation’s overall privacy practices as conforming to known standards, thus assuring individuals that their information will be handled in accordance with those standards.

---

23 http://www.encore-project.info/

24 http://www.credentica.com/

25 http://www.projectliberty.org/

26 Privacy and Identity Management for Europe (https://www.prime-project.eu/)

27 http://www.identityblog.com

28 http://www.cesg.gov.uk/products_services/iacs/caps/index.shtml

29 http://tinyurl.com/64nn4y

30 http://www.privacyassociation.org/