Privacy by Design
Maureen H Falconer
Sr Guidance & Promotions Manager
Building a Successful Information Sharing Partnership: Privacy by Design 13 August 2009
Information Commissioner’s Office
• Regulatory Authority – DPA; PECR; FoI; EIR
• Role of the Regional Offices – Cardiff, Belfast, Edinburgh
– Enquiries
– Stakeholder engagement
– Input Scottish dimension to ICO
Privacy by Design?
Privacy by Design: Context
• Recognised gap in development and adoption of privacy-friendly systems;
• Lack of public trust and confidence;
• Report launch – Nov ’08;
• Ensure ‘privacy’ is always on the agenda;
• Privacy and data protection compliance designed into systems at the outset.
Privacy by Design: Defining Privacy
Webster’s Dictionary:
Privacy is:
The quality or state of being hidden from, or undisturbed by, the observation or
activities of other persons and freedom from undesirable intrusions.
Privacy by Design: Why do a PIA?
• To identify privacy risks to individuals;
• To identify privacy and DP compliance liabilities for your organisation;
• To protect your reputation;
• To instil public trust and confidence in your organisation;
• To avoid expensive, inadequate “bolt-on” solutions;
• To inform your communications strategy;
• Enlightened self-interest!
Privacy by Design: When to do a PIA?
At the start, when:
– the project is being designed;
– you know what you want to do;
– you know how you want to do it; and
– you know who else is involved...
…but certainly before:
– decisions are set in stone;
– you have procured systems;
– you have signed contracts; and
– while you can still change your mind!
Privacy by Design: How to do a PIA?
• Initial assessment
• Full-scale PIA
• Small-scale PIA
• Privacy law compliance check
• Data protection compliance check
• Review and redo!
Privacy by Design: Initial Assessment
• Prepare a project outline
• Identify stakeholders
• Look at other PIAs
• Look at studies on the technology and processes
• Decide the appropriate level of assessment
Privacy by Design: Full-scale PIA
5 Phases:
– Preliminary work
– Preparation
– Consultation/analysis
– Conclusions
– Review
Privacy by Design: Small-scale PIA
5 Phases: (less formal)
– Preliminary work (more specific)
– Preparation (just as important!)
– Consultation/analysis (less exhaustive)
– Conclusions (part of a process)
– Review
Privacy by Design: Compliance
Privacy Law:
– Vires
– HRA; PECR; Law of Confidence
– Statutory prohibitions
Data Protection:
– DP Principles
– Schedule Conditions
– Exemptions
Privacy by Design: Key Points
• The PIA is a process to consider privacy risk;
• It may not be appropriate in all cases;
• It can be incorporated into the organisation’s current risk strategy or it can be stand-alone;
• New and more manageable guidance!!
www.ico.gov.uk
93-95 Hanover Street
Edinburgh
EH2 1DJ
[email protected]@ico.gsi.gov.uk
0131 301 5071