Design options
The process entails considering each item in the Issues Register arising from the preceding design issues and privacy problems activity, and searching for ways in which those problems can be overcome.
There are two broad categories of solution.
An 'avoidance measure' is a means of dissipating a risk. It refers to the exclusion of technologies, processes, data or decision criteria, in order to avoid particular privacy issues arising. Examples include:
- minimisation of personal data collection;
- non-collection of contentious data-items;
- active measures to preclude the use of particular data-items in the making of particular decisions;
- active measures to preclude the disclosure of particular data-items;
- non-adoption of biometrics in order to avoid issues about invasiveness of people's physical selves.
A 'mitigation measure' is a feature that compensates for other, privacy intrusive aspects of a design. A mitigation measure may compensate partially or wholly for a negative impact. Examples include:
- minimisation of personal data retention by not recording it;
- minimisation of personal data retention by destroying it as soon as the transaction for which it is needed is completed;
- destruction schedules for personal information;
- limits on the use of information for a very specific purpose, with strong legal, organisational and technical safeguards preventing its application to any other purpose;
- design, implementation and resourcing of a responsive complaints-handling system, backed by serious sanctions and enforcement powers.
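The avoidance and mitigation measures listed above (collecting only the data-items a purpose needs, confining use to that purpose with a technical safeguard, and destroying data on a schedule once the transaction is complete) are illustrated below in a small Python store. This is an added example, not part of the Handbook or any ICO guidance; the purposes, field names, retention periods and the `PurposeLimitedStore` class are constructed for illustration.

```python
"""Added example: purpose limitation and scheduled destruction as technical safeguards.

The policy table, purposes, field names and retention periods are constructed for
this illustration and are not drawn from the Handbook.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy: each purpose may hold only the named data-items, and keeps
# them for a fixed period after the transaction completes (0 = destroy at once).
PURPOSE_POLICY = {
    "order_fulfilment": {"fields": {"name", "address"}, "retain_for": timedelta(0)},
    "warranty_claims": {"fields": {"name", "order_id"}, "retain_for": timedelta(days=365)},
}


@dataclass
class Record:
    data: dict
    purpose: str
    completed_at: Optional[datetime] = None


class PurposeLimitedStore:
    """Stores personal data bound to one purpose and enforces its destruction schedule."""

    def __init__(self, policy):
        self.policy = policy
        self.records = {}
        # Audit trail so that refused accesses are detectable and reportable.
        self.audit = []

    def store(self, record_id, data, purpose):
        """Collect only the data-items the stated purpose permits; return what was dropped."""
        rule = self.policy[purpose]  # KeyError for an unregistered purpose
        kept = {k: v for k, v in data.items() if k in rule["fields"]}
        dropped = sorted(set(data) - rule["fields"])
        self.records[record_id] = Record(kept, purpose)
        self.audit.append(("store", record_id, purpose, dropped))
        return dropped

    def read(self, record_id, purpose):
        """Release data only to the purpose it was collected for."""
        rec = self.records[record_id]
        if purpose != rec.purpose:
            self.audit.append(("refused", record_id, purpose))
            raise PermissionError(f"{record_id} is bound to '{rec.purpose}', not '{purpose}'")
        self.audit.append(("read", record_id, purpose))
        return dict(rec.data)

    def complete(self, record_id, when):
        """Mark the transaction finished; the retention clock starts here."""
        self.records[record_id].completed_at = when

    def purge_expired(self, now):
        """Destroy every completed record whose retention period has elapsed."""
        purged = []
        for rid, rec in list(self.records.items()):
            if rec.completed_at is None:
                continue
            if now >= rec.completed_at + self.policy[rec.purpose]["retain_for"]:
                del self.records[rid]
                purged.append(rid)
        self.audit.append(("purge", now.isoformat(), purged))
        return purged


def run_demo():
    """Exercise the store with constructed records and return the observable results."""
    store = PurposeLimitedStore(PURPOSE_POLICY)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    dropped = store.store("o1", {"name": "A", "address": "B", "phone": "C"}, "order_fulfilment")
    store.store("w1", {"name": "A", "order_id": "42"}, "warranty_claims")
    try:
        store.read("o1", "warranty_claims")
        cross_purpose_refused = False
    except PermissionError:
        cross_purpose_refused = True
    store.complete("o1", t0)
    store.complete("w1", t0)
    first_purge = store.purge_expired(t0)
    second_purge = store.purge_expired(t0 + timedelta(days=365))
    return {
        "dropped_on_collection": dropped,
        "cross_purpose_refused": cross_purpose_refused,
        "first_purge": first_purge,
        "second_purge": second_purge,
        "refusals_logged": sum(1 for e in store.audit if e[0] == "refused"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The three safeguards are independent: `store` enforces collection minimisation, `read` enforces purpose limitation, and `purge_expired` enforces the destruction schedule, with the audit list giving the detection and reporting hook that a protection regime needs.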
Problems must be analysed, to devise acceptable avoidance and mitigation measures. The following suggestions are made about the process of problem analysis:
- The differing perspectives of the multiple stakeholder groups should be reflected.
- The focus of each impact and implication should be identified. For instance, what kinds of people or organisations will experience the various impacts, and under what circumstances?
- The justification for the feature that gives rise to the problem should be examined. For example, is the privacy infringement proportional to, or appropriately balanced with, any benefits gained from the infringement? And is it clear that the claimed benefits will actually arise?
- The circumstances in which the feature needs to be applied should be questioned. Is it appropriate for the data to be collected, used or disclosed in every instance, or can the data-handling in question be limited to particular situations in which it is demonstrably relevant?
- Consideration may need to be given to future economic and social developments.
- Relevant legal considerations need to be taken into account, including liabilities that may arise. Examples include the responsibility to deliver services and to do so on an equitable basis, the law of confidence and the duty of care arising under negligence law.
- One major issue is the effectiveness of privacy protections. An effective privacy protection regime requires all of the following to be in place:
  - clear specifications of privacy protections;
  - clear prohibitions against breaches of protections;
  - clear sanctions or penalties for breaches of protections;
  - mechanisms in place to detect and report breaches;
  - resources for investigating breaches and applying sanctions.
One particular issue that may need careful consideration is the location at which data is stored. From the perspective of privacy protection, there are considerable privacy benefits in de-centralisation rather than centralisation. The benefits include:
- reducing the risk of function creep;
- enabling the application of access controls;
- encouraging a focus on relevancy;
- reducing the misinterpretation of data due to a loss of context; and
- increasing the likelihood of prompt data destruction when it is no longer required.
Where a project involves centralising information, it is important that there is clear justification. Further, those who want to use information in a more speculative manner (such as 'statistical analysis', 'management reporting' and 'data mining') need to be challenged for greater detail, and to show that the claimed benefits will be achievable. Once a case for centralisation has been established, it is necessary to identify, assess and balance the disadvantages.
Many technologies are privacy-invasive. Some technologies, however, have been developed for the specific purpose of protecting privacy or enhancing it. A commonly-used term to describe such tools is Privacy-Enhancing Technologies (PETs). It is strongly advisable that PETs be considered as design options.
Discussions within the PIA Consultative Group may result in a consensus on some measures that avoid privacy impacts, and some measures that reduce privacy intrusion which cannot be avoided. In some circumstances, consensus may not be feasible and the organisation responsible for the project must decide on an appropriate balance between the competing interests. Where the issue is major, consultation with the Information Commissioner's Office may be appropriate.
The conclusions regarding design features should be documented in the 'Issues Register', and provided to the project team as a whole. This is described in the later activities of the consultation and analysis phase.