Privacy, data protection must be built into system design, says ICO

Having raised national awareness of the problem of data breaches, the Information Commissioner's Office is raising the stakes with its new report, "Privacy by Design."

There was a time when edicts from the Information Commissioner's Office (ICO) carried little weight, and were generally ignored by organisations.

Not anymore. The ICO has taken on a much more central role under the leadership of Richard Thomas, and will soon acquire new powers to back up enforcement with financial penalties where necessary. Once a slightly marginal, low-key body that muttered motherhood statements about privacy, the ICO has adopted a much more aggressive approach in exposing and criticising companies and organisations that choose to play fast and loose with personal information.

The Privacy by Design report
Having raised national consciousness of the problem of data breaches (277 in the last year), the ICO is now raising the stakes with the publication of a new report, called "Privacy by Design," which sets out a comprehensive manifesto for better privacy protection.

The ambitious document envisages a broad range of initiatives to raise privacy awareness at all levels; a programme to promote more privacy-enabling technologies (PETs); more focus on privacy impact assessments; and even the development of a new privacy profession. It also makes a strong business case for building privacy into the systems design process, and it outlines a new role for the ICO in approving new systems before they go into production.

The aim of the report is to "encourage organisations to give due consideration to privacy needs prior to the development of any new system or process, and to maintain that control throughout the systems lifecycle, from the earliest stages of developing a business case, through to the decommissioning of the system. This lifetime approach will ensure that privacy controls are stronger, simpler to implement, harder to by-pass, and totally embedded in the system's core functionality."

Privacy concerns and risks: Data protection and security breaches
The report acknowledges that there are significant barriers in the way of making this happen. Senior management officials do not understand the need for personal data to be protected, it says, and this ignorance is compounded by the lack of a common language between IT people and the management they need to convince. Privacy concerns, and the potential damage of a security breach, are also rarely factored into the business case for new systems.

So why does this matter?

The ICO argues that without control individuals cannot have real privacy. The office says individuals should have control over the use of their personal information, and should be able to give, revoke or withhold consent for organisations to use the information.

The recommendations at a glance

The ICO will:

Work with industry bodies to build an executive mandate for privacy by design, supported by sample business cases for the costs, benefits and risks associated with the processing of personal information, and promotion of executive awareness so that privacy is reflected in the business cases for new systems. 

Encourage widespread use of privacy impact assessments throughout the systems lifecycle. Assessments may be published where appropriate to demonstrate transparency of privacy controls.

Support the development of cross-sector standards for data sharing so that privacy needs are harmonised with the pressures on public authorities and private organisations to share personal information.

Nurture the development of practical privacy standards to help organisations produce provable privacy implementations. 

Promote research into PETs that deliver commercial products to manage consent and revocation, privacy-friendly identification and authentication, and prove the effectiveness of privacy controls.

Establish more rigorous compliance and enforcement mechanisms by assigning responsibility for privacy management within organisations to nominated individuals, urging organisations to demonstrate greater clarity in their personal information processing, and empowering and providing the ICO with the ability to investigate and enforce compliance where required.

As systems become more complex and interlinked, with Web 2.0 applications for example, users may have no idea which computer, organisation or even country holds their personal data. "In this environment, privacy and identity management in particular will be the foundation of success," the report says. "Without it, the full benefits -- for both individuals and organisations -- will not be realised. Privacy by design is the way to meet this challenge."

The report says that few PETs exist at the moment because few organisations demand them. It suggests that if demand can be created by government and big corporations, then vendors will respond with products to make it all happen.

"Within each organisation, the mandate [for privacy controls] will need to spread down from executive management throughout the organisation, being delivered as policies, standards and implementation guidelines, and then reported back through audit processes," it says.

A call for privacy impact assessments (PIA)
In outlining the way forward, the report argues that privacy impact assessments (PIAs) need to become a normal component of any new systems proposal. A PIA is intended to identify privacy-related risks from the earliest stages of a project onwards.

"Where business cases for new systems are presented without a supporting PIA, they should be rejected," the report continues. "This is a logical and beneficial step, since a PIA may reveal a need for additional controls or even a fundamentally different approach, with consequential costs for the project. In the public sector, this approach could be mandated for all systems."

The private sector will need to be persuaded of the need. "Businesses in particular need to understand the importance of privacy by design, and its potential impact on the bottom line. This could be achieved by providing example benefits cases that clearly express the possible commercial benefits of a privacy-friendly customer offering, whilst demonstrating the risks associated with poor privacy practices."

Where companies are processing very sensitive personal information or large volumes of personal information, the report suggests they should consider sending a copy of the PIA to the ICO for verification. "In such cases it would be reasonable to expect the ICO to grant a degree of tolerance to those organisations that suffer privacy-related incidents but have taken all reasonable steps to transparently deliver a privacy by design process," it says.

It also suggests putting PIAs in the public domain to demonstrate "commitment and transparency."

The future of privacy by design
A long-term goal set out in the report is to automate the process by which requests for personal information are controlled and managed.

It recognises that authentication presents a challenge for subject access requests (SARs), especially for online services. "Organisations need to reconsider their use of strong authentication techniques in order to facilitate the SAR process and to assure all parties that data will only be released to a legitimate requesting party," it says.

But despite the difficulties, the ICO says a coordinated strategy for offering online SARs is an important long-term goal. "On a sector-by-sector basis, public authorities and private organisations need to develop targets for moving towards simple online delivery of data when it is requested," it says.

Predictably, the ICO also calls for more powers and resources for itself to help bring this new state of affairs into being. "If privacy by design is to succeed, then there is a role for an empowered and properly resourced ICO to encourage and enforce requirements," it says.

"Privacy by Design" also suggests the formation of a new professional body for privacy professionals in the U.K., and the creation of a new role, the 'privacy architect.'

At a conference held shortly after the publication of the new report last week, Assistant Commissioner Jonathan Bamford said that "privacy cannot be left to chance" and that it could not be "bolted on to systems as an afterthought."

His boss Richard Thomas has just six months left in the job. Given the progress he has made since his appointment in 2002, there is a good chance he will find backing for making Privacy by Design a reality.
