Privacy by Design

Maureen H Falconer

Sr Guidance & Promotions Manager

Building a Successful Information Sharing Partnership: Privacy by Design 13 August 2009

Information Commissioner’s Office

• Regulatory Authority– DPA, PECR; FoI; EIR

• Role of the Regional Offices– Cardiff, Belfast, Edinburgh

– Enquiries– Stakeholder engagement– Input Scottish dimension to ICO

Privacy by Design?

Privacy by Design: Context

• Recognised gap in development and adoption of privacy-friendly systems;

• Lack of public trust and confidence;

• Report launch – Nov’ ’08;

• Ensure ‘privacy’ is always on the agenda;

• Privacy and data protection compliance designed into systems at the outset.

Privacy by Design: Defining Privacy

Webster’s Dictionary:

Privacy is:

The quality or state of being hidden from, or undisturbed by, the observation or

activities of other persons and freedom from undesirable intrusions.

Privacy by Design: Why do a PIA?• To identify privacy risks to individuals;• To identify privacy and DP compliance liabilities

for your organisation;• To protect your reputation. • To instil public trust and confidence in your

organisation;• To avoid expensive, inadequate “bolt- on”

solutions;• To inform your communications strategy;• Enlightened self-interest!

Privacy by Design: When to do a PIA?At the start, when:

– the project is being designed;– you know what you want to do;– you know how you want to do it; and– you know who else is involved...

…but certainly before:– decisions are set in stone;– you have procured systems;– you have signed contracts; and– while you can still change your mind!

Privacy by Design: How to do a PIA?• Initial assessment

• Full-scale PIA

• Small-scale PIA

• Privacy law compliance check

• Data protection compliance check

• Review and redo!

Privacy by Design: Initial Assessment• Prepare a project outline

• Identify stakeholders

• Look at other PIAs

• Look at studies on the technology and processes

• Decide the appropriate level of assessment

Privacy by Design: Full-scale PIA

5 Phases:– Preliminary work– Preparation– Consultation/analysis– Conclusions– Review

Privacy by Design: Small-scale PIA

5 Phases: (less formal)– Preliminary work (more specific)– Preparation (just as important!)– Consultation/analysis (less exhaustive)– Conclusions (part of a process)– Review

Privacy by Design: Compliance

Privacy Law:– Vires– HRA; PECR; Law of Confidence– Statutory prohibitions

Data Protection:– DP Principles– Schedule Conditions– Exemptions

Privacy by Design: Key Points

• The PIA is a process to consider privacy risk;

• It may not be appropriate in all cases;

• It can be incorporated into the organisation’s current risk strategy or it can be stand-alone;

• New and more manageable guidance!!

www.ico.gov.uk

93-95 Hanover Street93-95 Hanover StreetEdinburghEdinburghEH2 1DJEH2 1DJ

scotland@ico.gsi.gov.ukscotland@ico.gsi.gov.uk0131 301 50710131 301 5071