Privacy By Default

Sometimes we need to think long-term.  Unfortunately, in government, long-term normally means “next fiscal year” or maybe even “next quarter”.  But that’s not long-term enough.  Let’s take a look at an example where thinking long term, even by the government’s definition of long term, will have an impact on what we do right now.

On April 27, 2016, the European Union (EU) established the General Data Protection Regulation (GDPR), which gives individuals within the EU more control over the data that companies hold about them.  While the GDPR is an EU law, it does affect non-EU companies: if you process the data of EU residents, there are certain things you need to keep in mind.  SecTor, the Canadian IT Security Conference, has some information on its website about the GDPR.  In an article entitled “NORTH AMERICANS: GET READY FOR GDPR” they state:

Data portability is one example. PIPEDA lets Canadians find out what information companies hold about them, but GDPR goes a step further. It lets individuals ask for that information in a machine-readable form so that they can take it somewhere else.

GDPR also imposes new requirements around consent. Canadian law relies on implied consent – the idea that individuals can consent once to a company collecting information and then using it in diverse ways, in a single agreement. GDPR forces companies to get different consent for different uses of that data.

The GDPR also requires “data protection by design and by default”.  It is embedded within the regulation as Article 25, which states:

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Theoretically, if someone comes to you for a service and you provide that service, their data is supposed to be purged once it is no longer needed for further processing. As one of its underlying principles, the GDPR states that personal data shall be:

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
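Article 25 lists four things the “by default” obligation applies to: the amount of data collected, the extent of its processing, the period of its storage, and its accessibility.  The following is an added example, not code from the post or from any project it mentions, showing what those four constraints look like when they are built into a data store rather than bolted on afterwards.  The purpose catalogue, the field lists and the retention periods are constructed for illustration; the record store is a hypothetical in-memory one.  Each purpose declares the minimum fields it needs and how long it may keep them; a form that asks for more is trimmed on collection, data gathered for one purpose cannot be read for another, expired records are purged, and the subject can pull a machine-readable copy of whatever is still held (the portability point from the SecTor quote above).

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical purpose catalogue (constructed for this example): each purpose
# names the minimum fields it needs and the longest it may keep them.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "shipping_address"}, "retention": timedelta(days=90)},
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365)},
}


@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    collected_at: datetime


class PrivacyByDefaultStore:
    """Holds personal data only as far as a consented purpose requires."""

    def __init__(self):
        self._records = []

    def collect(self, subject_id, purpose, submitted, consents, now):
        """Store only the fields `purpose` needs; return the field names that were discarded."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if purpose not in consents:
            raise PermissionError(f"no consent recorded for purpose {purpose}")
        allowed = PURPOSES[purpose]["fields"]
        kept = {k: v for k, v in submitted.items() if k in allowed}  # amount collected
        self._records.append(Record(subject_id, purpose, kept, now))
        return sorted(set(submitted) - set(kept))

    def read(self, subject_id, purpose, now):
        """Serve data for the purpose it was collected for, and never after it has expired."""
        return [dict(r.data) for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose
                and not self._expired(r, now)]  # extent of processing / accessibility

    def purge_expired(self, now):
        """Delete records past their retention period; return how many were removed."""
        before = len(self._records)
        self._records = [r for r in self._records if not self._expired(r, now)]
        return before - len(self._records)  # period of storage

    def export(self, subject_id, now):
        """Machine-readable copy of everything still held about a subject (portability)."""
        held = [{"purpose": r.purpose, "collected_at": r.collected_at.isoformat(), "data": r.data}
                for r in self._records
                if r.subject_id == subject_id and not self._expired(r, now)]
        return json.dumps(held, sort_keys=True)

    @staticmethod
    def _expired(record, now):
        return now >= record.collected_at + PURPOSES[record.purpose]["retention"]


def demo():
    """Constructed walk-through; returns the observable results so they can be checked."""
    t0 = datetime(2018, 5, 25)
    store = PrivacyByDefaultStore()
    # A checkout form (constructed) that asks for more than fulfilment needs.
    dropped = store.collect(
        "alice", "order_fulfilment",
        {"name": "Alice", "shipping_address": "1 Main St",
         "date_of_birth": "1980-01-01", "email": "alice@example.com"},
        consents={"order_fulfilment"}, now=t0)
    # The same subject never consented to the newsletter, so that collection is refused.
    try:
        store.collect("alice", "newsletter", {"email": "alice@example.com"}, consents=set(), now=t0)
        consent_refused = False
    except PermissionError:
        consent_refused = True
    marketing_view = store.read("alice", "newsletter", t0)       # collected for fulfilment only
    fulfilment_view = store.read("alice", "order_fulfilment", t0)
    later = t0 + timedelta(days=91)                                # past the 90-day retention
    purged = store.purge_expired(later)
    export_after = store.export("alice", later)
    return {"dropped": dropped, "consent_refused": consent_refused,
            "marketing_view": marketing_view, "fulfilment_view": fulfilment_view,
            "purged": purged, "export_after": export_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The value returned by `collect` is the list of fields the form asked for but the purpose did not need; logging it is a cheap way to find forms that over-collect.  Note that the retention clock is enforced on read as well as on purge, so a missed purge run does not silently extend how long data stays accessible.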

The rules are much tighter than under the existing PIPEDA (Personal Information Protection and Electronic Documents Act) legislation, and the penalties are much tougher.  The Privacy by Design Wikipedia page has a number of ideas on the foundational principles behind privacy.  I personally like the 7 Laws of Identity as proposed by Kim Cameron and transformed into 7 Foundational Principles by Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario.

  1. Proactive not reactive; Preventative not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality – positive-sum, not zero-sum
  5. End-to-end security – full lifecycle protection
  6. Visibility and transparency – keep it open
  7. Respect for user privacy – keep it user-centric

Too often, when we think about things and design systems, privacy is an add-on, something we look at afterward and ask, “is there privacy?”  By placing it foremost in our minds, by making it one of the key requirements of the system, indeed requirement #1, we create a system that is more secure and that safeguards data. But most of all, by keeping it user-centric, by focusing on the user first and the business second (yes, that may sound strange), we create systems that truly embody the idea of Privacy by Design and ensure that we follow the spirit, if not the letter, of the law when it comes to PIPEDA and GDPR.