Privacy By Design - Key Aspects

Following is my summary and review relating to Privacy By Design, a term coined by Cavoukian [2]. These notes are part of my work at the University of Oxford and towards GCHQ accreditation. All notes and comments are my own.


General Data Protection Regulation Article 25 [1] collectively describes privacy by design as "Data protection by design and by default". Privacy by design was a term conceived by Ann Cavoukian, Information & Privacy Commissioner of Ontario, Canada [2]. While the term was coined by Cavoukian, the concept of data protection and privacy within IT systems is not entirely new, as outlined by Schaar [6] and also mentioned in the well documented Trustworthy Computing memo by Gates [8]. Schaar [6] refers to EU Directive 95/46 [7], which discusses the processing of personal data; within this directive, processing of personal data is defined to include collection, recording, storage, retrieval etc. Schaar [6] further explains that privacy by design goes beyond providing and maintaining security: it gets into the fabric of systems and organisations in order to minimize the amount of personal data processed. Gates [8], in early 2002, discussed and listed the key aspects of trustworthy computing: availability, security, trustworthiness and of course privacy. Under privacy, Gates [8] further expands: "Users should be in control of their own data", "...should be easy for users to specify appropriate use of their information...".

A founding objective of privacy by design is nicely summarized by Spiekermann [5], who provides a description capturing the spirit and goals of privacy by design: "privacy is about the scarcity of personal data creation and the maximization of individuals control over their personal data." [5]. This highlights the minimization and maximization principles associated with privacy by design: an organization should minimize the collection of personal data for processing, while allowing the end user maximum control over their personal data.

Cavoukian recognizes regulatory frameworks, but also recognizes that regulatory frameworks alone cannot achieve an individual's desired privacy expectations; Landau [3] further highlights that privacy is more than applying regulatory frameworks: "privacy isn't only about compliance". To achieve privacy, in addition to regulatory frameworks, privacy concepts must be incorporated during the design of systems and generally throughout an organisation. Cavoukian identifies this as a trilogy incorporating IT systems, accountable business practices, and physical design & networked infrastructure. Cavoukian has described this trilogy as Privacy Enhanced Tools Plus (PETS Plus), extending the focus of privacy throughout the organisation. Privacy enhanced tools "focused us on the positive potential of technology" [4][41], while PETS Plus extends to the design of systems and throughout the entire organisation.

As such, the privacy by design concept outlines seven key principles, which can be summarized as:

  • Proactive not Reactive: This principle places the focus on privacy before an event occurs, i.e. it implements a preventative approach. Can the privacy concern be addressed prior to an event?

  • Privacy as the Default Setting: By default, privacy settings / parameters are set in such a way that they favor the individual's personal data, i.e. the default settings take a reserved approach with respect to minimization of data exposure. A user would have to explicitly change settings in order to expand the exposure of their own data.

  • Privacy Embedded into Design: From the outset of a system's design, privacy is a fundamental component, i.e. privacy is an ingrained and embedded concept from initial project inception.

  • Full Functionality: This principle focuses on ensuring all components of a system can work together, including privacy; no individual component of a system is in isolation or in a silo.

  • End to End Security: Throughout the data's lifecycle in an application it is securely managed; this includes obtaining, retention and deletion. Examples include: while obtaining data, secure methods are used, e.g. SSL/TLS; when data are retained, encryption at rest is deployed; and when deleting, secure methods for data deletion are executed, e.g. secure file system deletion, data redaction etc. These are just examples and not an exhaustive list.

  • Visibility and Transparency: An organisation should openly publish its objectives with respect to privacy. Privacy practices implemented by organisations should be open and subject to independent review and verification processes. Findings and results should be openly disclosed, helping to achieve user trust and openly promoting transparency with respect to individuals' privacy.

  • Respect for User Privacy: Placing the user at the center of the system and keeping users central in the process will achieve a more user friendly and user centric system.
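As an added illustration (my own sketch, not code from any of the cited sources), the following Python shows how the minimization principle and "privacy as the default setting" look in a concrete design: fields outside a declared purpose's allowlist are dropped and recorded for transparency reporting, settings start at their most reserved values, and only an explicit, known user choice widens exposure. The purpose-to-field mapping, setting names and sample record are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Allowlist of the fields each declared processing purpose actually needs.
# The mapping is an assumption constructed for this example.
PURPOSE_FIELDS = {
    "account_creation": {"email", "display_name"},
    "order_shipping": {"email", "display_name", "postal_address"},
}

# Privacy as the default setting: the most reserved values apply unless the
# individual explicitly widens them (assumed setting names, for illustration).
DEFAULT_SETTINGS = {
    "profile_public": False,
    "share_with_partners": False,
    "retention_days": 30,
}
MAX_RETENTION_DAYS = 365  # an explicit opt-in still cannot exceed the policy ceiling


@dataclass
class Minimized:
    kept: dict      # fields passed on to processing
    dropped: tuple  # field names discarded; kept for transparency reporting


def minimize(record: dict, purpose: str) -> Minimized:
    """Keep only the fields the declared purpose needs; everything else is dropped."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no declared purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = tuple(sorted(k for k in record if k not in allowed))
    return Minimized(kept, dropped)


def effective_settings(user_choices: dict) -> dict:
    """Start from the reserved defaults; only an explicit, known choice changes them."""
    settings = dict(DEFAULT_SETTINGS)
    for key, value in user_choices.items():
        if key not in settings:
            raise ValueError(f"unknown setting: {key}")
        if key == "retention_days" and value > MAX_RETENTION_DAYS:
            value = MAX_RETENTION_DAYS  # cap rather than honour an over-wide choice
        settings[key] = value
    return settings


if __name__ == "__main__":
    # Constructed sample submission: a sign-up form that over-collects.
    submitted = {"email": "a@example.org", "display_name": "A", "phone": "000"}
    result = minimize(submitted, "account_creation")
    print(result.kept, result.dropped)  # phone is dropped and recorded
    print(effective_settings({"profile_public": True}))  # other defaults remain reserved
```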

A number of similarities can be identified between privacy by design and security by design. Microsoft introduced security by design as SD3 + C (Secure by Design, by Default and by Deployment, plus Communication) [9]; Figures 1 and 2 present a before and after visual. In the before figure, security is mentioned once and is added at the end of the process, while the after figure introduces security as an inherent concept throughout the development / process lifecycle. The before figure is akin to thinking of privacy at the end of the product or process lifecycle, i.e. the product or process is complete and ready to ship, and only now does the organisation discuss the user's privacy. The after figure is more akin to the spirit of privacy by design, i.e. PbD is ingrained throughout development of the product / process. This concept is further supported by Chow [42]: privacy engineering is embedded throughout the entire product life-cycle rather than tacked onto the end.

Figure 1 Microsoft Software Development Lifecycle - Before

Figure 2 Microsoft Software Development Lifecycle - After


[1] General Data Protection Regulation http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST54192016_INIT&from=EN

[2] Ann Cavoukian Ph.D., Privacy by design The 7 Foundational Principles https://www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf

[3] Susan Landau, Educating Engineers: Teaching Privacy in a World of Open Doors http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6824531

[4] Cavoukian, Privacy by Design, Workshop, Foreword. http://link.springer.com/article/10.1007%2Fs12394-010-0062-y

[5] Sarah Spiekermann, The Challenges of Privacy by design http://ec-wu.at/spiekermann/publications/The%20Challenges%20of%20Privacy%20by%20Design.pdf

[6] Peter Schaar, Privacy by design. Identity in the Information http://www.bfdi.bund.de/SharedDocs/Publikationen/EN/0610EUPrivacyByDesign.pdf

[7] EU Directive 95/46, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN

[8] Bill Gates Memo Trustworthy Computing https://news.microsoft.com/2012/01/11/memo-from-bill-gates/#sm.0001p1e5t2157ucy8r5zj4x60e9mw
http://www.wired.com/2002/01/bill-gates-trustworthy-computing/

[9] Microsoft SD3 + C, Secure By design, By Default and By Deployment + Communication https://msdn.microsoft.com/en-us/library/windows/desktop/cc307406.aspx

....

[41] Davies, Why Privacy by Design is the next crucial step for privacy protection. http://i-comp.org/wp-content/uploads/2013/07/privacy-by-design.pdf

[42] Richard Chow, Privacy by Design for the security Practitioner https://www.blackhat.com/docs/asia-14/materials/Chow/WP-Asia-14-Chow-Privacy-By-Design-For-The-Security-Practitioner.pdf