Privacy By Design — A complete Story
Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.
In 1960, quoted in Marlon Brando, Ch. 11 (1974, rev. 1989), by David Shipman.
These days we often hear the term “Privacy by Design” out of the blue, so the question that comes to mind is:
What is Privacy by Design ?
Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices.
Umm, that’s very boring. Can you explain its importance with some examples?
First one:
On October 27, 2012, Facebook CEO Mark Zuckerberg wrote an email to his then-director of product development about Facebook’s years-long practice of allowing third-party apps to access data on their users’ unwitting friends. Zuckerberg considered whether giving away all that information was risky, and in his email he suggested it was not: “I’m generally skeptical that there is as much data leak strategic risk as you think,” he wrote at the time. “I just can’t think of any instances where that data has leaked from developer to developer and caused a real issue for us.”
All went fine for Facebook until March 17, 2018, when a pink-haired whistleblower named Christopher Wylie told The New York Times and The Guardian/Observer about a firm called Cambridge Analytica.
Cambridge Analytica had purchased Facebook data on tens of millions of Americans without their knowledge to build a “psychological warfare tool” unleashed on US voters to help elect Donald Trump as president. Just before the news broke, Facebook banned Wylie, Cambridge Analytica, its parent company SCL, and Aleksandr Kogan, the researcher who collected the data, from the platform. But those moves came years too late and couldn’t stem the outrage of users, lawmakers, privacy advocates, and media pundits. Immediately, Facebook’s stock price fell, and boycotts began. Zuckerberg was called to testify before Congress, and a year of contentious international debates about consumers' privacy rights online commenced. On Friday, Kogan filed a defamation lawsuit against Facebook.
Second one:
NHS UK is going to put the full medical history of its 55m patients, which includes sensitive information like mental and sexual health history, criminal records, abuse, and diagnostics, into a centralized database. NHS Digital has confirmed the plan to dump the medical records of every patient in England who is registered with a GP into a centralized data lake.
According to NHS Digital, the data can include:
- your sex, ethnicity, and sexual orientation
- diagnoses
- symptoms
- observations
- test results
- medications
- allergies
- immunizations
- referrals
- recalls
- appointments
- information about your physical, mental, and sexual health
This data is going to be used for research and development purposes using advanced AI techniques.
Imagine the effort needed to protect data that contains the PII of every resident and, by design, is going to be shared across different organizations.
Of course, if the privacy concerns can be addressed, it will be a state-of-the-art system and will reap many benefits.
Let’s briefly talk about history and principles
The roots of Privacy by Design go back to the traditional Canadian healthcare system, which was already quite mature in data classification, data tenure, data expiry, and data destruction.
Privacy by Design was initially developed by Ann Cavoukian and formalized in 1995 in a joint report on privacy-enhancing technologies by the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research. The Privacy by Design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.
Privacy by design calls for privacy to be taken into account throughout the whole engineering process.
Principles of Privacy by design
Hmm, so what’s the role of individuals in Privacy by Design?
To Opt-In or Opt-out
In one of my previous roles, I was the lead developer for an AI-based system that captured all the relevant data points from the user, like his location, browser details, operating system, etc., when he browsed my customers' website. The data enabled us to do “Customer Journey Analytics” in real time and let us come up with a dynamic personalised experience on the website for the customer.
I am pretty sure you will have come across those pop-ups with privacy policy notices from adverts, especially on e-commerce and social networking websites. The privacy policy defines how you will be tracked across different websites. Whether to opt in or opt out is up to the individual user.
How about regulatory guidelines across different geographies?
EU
GDPR
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
Singapore
Guide to data protection by design for ICT systems, PDPC
Singapore’s Data Protection by Design (“DPbD”) for information and communications technology (“ICT”) systems is an approach where data protection measures are considered and built into ICT systems that involve the processing of personal data as they are being developed.
Norway
Software development with Data Protection by Design and by Default
The Norwegian Data Protection Authority has developed these guidelines to help organizations understand and comply with the requirement of data protection by design and by default in Article 25 of the General Data Protection Regulation.
What are some of the prominent approaches for secure data sharing?
Key objectives for data sharing:
1. Only the genuine receiver gets the data.
2. If a rogue receiver gets the data, it is unusable to them.
Below is one of the approaches to achieve this based on PKI.
Approach 1:
1. The user registers a data request in a centralized web portal. As part of registration, he provides a public key to the source system (the data lake). A governance process at this stage approves or rejects the request.
2. The data lake runs a process called the “Data Enclave Process”, which picks up the approved data download/share request. It takes the requested data from the data lake and encrypts it with the public key of the requester.
3. The encrypted data is shared with the requester (the customer).
4. The customer decrypts the data with his private key.
Conclusion
As we see more and more AI and data-driven workloads, Privacy by Design is going to keep evolving and eventually become a prerequisite for any new development.
Last note…
Think about the hardships governments and agencies faced in obtaining data on Covid and Ebola patients. Although our scientists developed vaccines in record time, having an existing Privacy by Design framework would have helped immensely.
These data points were crucial for the development of countermeasures and vaccines for these diseases.
So this brings us to the end of the story. Please let me know your feedback so I can improve.
References:
https://ipc.v51.com/wp-content/uploads/Resources/PbDReport.pdf
https://link.springer.com/content/pdf/10.1007/s12394-010-0061-z.pdf
https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf