Identifying privacy solutions
Once you have identified and assessed the privacy risks your project presents, you need to consider what action you intend to take in relation to each risk. At this stage you have three options:
- accept the risks, impacts or liabilities;
- identify a way to avoid the risks (a privacy impact avoidance measure); or
- identify a way to mitigate the risks (a privacy impact mitigation measure).
Accepting the risks
In some instances, because of the nature of the risks, impacts or liabilities, the chances of the risks being realised or the minimal impact they may have, it might be entirely appropriate to simply recognise and accept the privacy risks or certain aspects of the privacy risks. However, this must not be done simply as an alternative to taking action to address risk and must be considered carefully as an option. If considering this option, ensure that a record of the identified risk is made, along with the reasons for accepting the risk.
Privacy impact avoidance measures
An avoidance measure is a means of dissipating a risk. It refers to the exclusion of technologies, processes, data or decision criteria, in order to avoid particular privacy issues arising. Examples include:
- minimising the collection of personal information to what is strictly necessary;
- non-collection of contentious data-items;
- active measures to stop or block the use of particular information in decision making (a good example of this is ethnic monitoring forms being filled out anonymously when companies are recruiting);
- active measures to preclude the disclosure of particular data-items, for example screening or hiding of certain services which are being provided to the individual which might disclose other personal information;
- non-adoption of biometrics in order to avoid issues about invasiveness of people’s physical selves.
Privacy impact mitigation measures
A mitigation measure is a feature that compensates for other, privacy intrusive aspects of a design. A mitigation measure may compensate partially or wholly for a negative impact. Examples include:
- minimisation of personal data retention by not recording it;
- destruction of personal information as soon as the transaction for which it is needed is completed;
- destruction schedules for personal information which are audited and enforced;
- limits on the use of information which has been collected for a very specific purpose, with strong legal, organisational and technical safeguards preventing its application to any other purpose;
- design, implementation and resourcing of a responsive complaints-handling system, backed by serious sanctions and enforcement powers. Problems must be analysed, to devise acceptable avoidance and mitigation measures. The following suggestions are made about the process of problem analysis:
- The differing perspectives of the multiple stakeholder groups should be reflected.
- The focus of each impact and implication should be identified. For instance, what kinds of people or organisations will experience the various impacts, and under what circumstances?
- The justification for the feature that gives rise to the problem should be examined. For example, is the privacy infringement proportional to, or appropriately balanced with, any benefits gained from the infringement? And is it clear that the claimed benefits will actually arise?
- The circumstances in which the feature needs to be applied should be questioned. Is it appropriate for the data to be collected, used or disclosed in every instance, or can the data handling in question be limited to particular situations in which it is demonstrably relevant?
Privacy by design
Further information about the technologies, processes and methodologies which can be used to address privacy risks is available in the ICO “Privacy by Design” report.