Privacy by design (PbD) is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures. It can be contrasted to an alternative process where privacy implications are not considered until just before launch.
PbD was initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority and the Netherlands Organization for Applied Scientific Research in 1995.
The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., to take human values into account in a well-defined manner throughout the whole process and may have been derived from this.
Privacy by Design Principles
The underlying concepts of PbD are expressed in the seven ‘foundational principles’ of privacy by design, as developed by the Information and Privacy Commissioner of Ontario.
- ‘Proactive not reactive; preventative not remedial’: You should take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the fact. This doesn’t just apply in the context of systems design — it involves developing a culture of ‘privacy awareness’ across your organization.
- ‘Privacy as the default setting’: You should design any system, service, product, and/or business practice to protect personal data automatically. With privacy built into the system, the individual does not have to take any steps to protect their data — their privacy remains intact without them having to do anything.
- ‘Privacy embedded into design’: Embed data protection into the design of any systems, services, products and business practices. You should ensure data protection forms part of the core functions of any system or service — essentially, it becomes integral to these systems and services.
- ‘Full functionality — positive sum, not zero sum’: Also referred to as ‘win-win’, this principle is essentially about avoiding trade-offs, such the belief that in any system or service it is only possible to have privacy or security, not privacy and security. Instead, you should look to incorporate all legitimate objectives whilst ensuring you comply with your obligations.
- ‘End-to-end security — full lifecycle protection’: Put in place strong security measures from the beginning, and extend this security throughout the ‘data lifecycle’ — ie process the data securely and then destroy it securely when you no longer need it.
- ‘Visibility and transparency — keep it open’: Ensure that whatever business practice or technology you use operates according to its premises and objectives, and is independently verifiable. It is also about ensuring visibility and transparency to individuals, such as making sure they know what data you process and for what purpose(s) you process it.
- ‘Respect for user privacy — keep it user-centric’: Keep the interest of individuals paramount in the design and implementation of any system or service, eg by offering strong privacy defaults, providing individuals with controls, and ensuring appropriate notice is given.
How should an organization implement PbD?
The first step to operationalizing PbD is to define the informational privacy policies of the organization. These policies provide the foundation on which operations and development teams can determine privacy requirements and design privacy safeguards.
Designing an individual or group of individuals to be responsible for overseeing and enforcing privacy policies is strongly recommended. It is essential for the privacy team to be included in meaningful ways in design choices and reviews.
Conducting periodic reviews of privacy controls in products, services, and programs is essential. To the extent third party content is incorporated into an organization’s products or services (such as by integrating a third-party mobile SDK into an app) the organization needs to review the third party content for privacy implications.
Guidelines from regulators:
Information and Privacy Commissioner of Ontario (IPC): The IPC originated the concept of PbD and has a number of relevant publications, including:
- the original seven foundational principles of privacy by design ; and
- a primer on privacy by design, published in 2013; and
- Operationalizing privacy by design: a guide to implementing strong privacy practices (Dec. 2012) a paper by Ann Cavoukian.
- A Guide to Privacy by Design , AEPD (Spanish DPA), 2019
- Software development with Data Protection by Design and by Default CNIL (French DPA), 2019
- Data Protection by Design and by Default, ICO (UK DPA) website post
- Guidelines 4/2019on Article 25 Data Protection by Design and by Design, EDPB, Nov. 2019
- The Norwegian data protection authority (Datatilsynet) has produced guidance on how software developers can implement data protection by design and by default.
- Guide to data protection by design for ICT systems, PDPC
- FTC Report: Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers (May 2012) (pages 22–34)
ENISA: The European Union Agency for Network and Information Security (ENISA) has also published research and guidance on privacy by design, including:
- a research report on privacy and data protection by design;
- a research report on privacy by design and big data; and
- a subsection on privacy-enhancing technologies (external link)
Implementing Differential Privacy: Seven Lessons From the 2020 United States Census by Michael B. Hawes / Published on Apr 30, 2020
Golden Data Articles: