Privacy by Design

In this multi-part series, IIS Partner Nicole Stephensen explores Privacy by Design (PbD) – what it is, what it isn’t, why it’s important, how to implement it, and how to avoid turning it into insubstantial buzz.

Part 1 - It’s called ‘PbD’… not ‘PbD lite’

Privacy recap

Here we are – moving at lightning speed through the so-called ‘Fourth Industrial Revolution’ – where we have ‘gone digital’, interact and transact online, engage with internet enabled technologies and rely on government, industry, service providers, platforms and apps to securely manage and store our personal (and other) information. Privacy is widely relevant. It relates as much to our approach, as individuals, to the sharing of our personal information as it does to the treatment of that same information by the organisations we place our confidence in.

There is a highly normative value to privacy, and this digital age makes it difficult to define. When we provide training on privacy to our clients, the topic requires unpacking at the outset – considering everything from one’s ‘personal bubble’, to the crevices of physical and mental health, to the multitude of ways we communicate, to the information about ourselves we consider sacrosanct. What privacy means to the people in the room (and what they expect from organisations in terms of privacy protection) is slightly different for everyone, depending on their age and experiences, circumstances, access to (and comfort with) technology and other factors. This presents a challenging starting point for organisations.

Legislators have given us some guardrails here by setting out that privacy, as a duty owed to the community, is about (in the simplest of summaries) the collection, management and protection of personal information in accordance with the law – for example, the Australian Privacy Principles and other rules set out in the Privacy Act 1988, or whatever state, territory or other jurisdiction’s privacy law applies in the circumstance. Implicit in these guardrails, although a point often missed, is remaining aware of and responsive to community expectations.

Using guardrails effectively can be difficult if privacy isn’t part of organisational mindset. Enter Privacy by Design (PbD). PbD is a best practice approach to personal information management coined by former Ontario Privacy Commissioner Dr Ann Cavoukian in the 1990’s. It ‘[advances] the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation. The original seven (7) PbD principles are shown at Figure 1:

PbD seeks to ensure that privacy is an organisation’s first thought, not an afterthought; that it is incorporated from the outset in proposed projects, initiatives or technologies as opposed to being retrofitted (if that’s even possible) at a later time. It extends to what Dr Cavoukian referred to as a ‘”[t]rilogy” of encompassing applications’, impacting privacy design (or engineering) from a project perspective and privacy culture from an organisational perspective.

Importantly, PbD requires commitment to all of the principles, as opposed to cherry-picking those that appear to serve the organisation (remembering that PbD isn’t about the organisation; it is, foremost, about the people entrusting the organisation with their personal information). For Australian organisations, a PbD ethos and attention to PbD principles in project design and decision-making offers a compliance edge in respect of meeting their APP 1.2 obligations.

Our colleague R Jason Cronk wrote the IAPP textbook Strategic Privacy by Design in an effort to address challenges governments, organisations, project teams and developers face when seeking to take a PbD approach – that is, PbD offers principles that are lacking in specificity (they tell us what when we’d really like to know how). While perhaps unintentional as a take-away, the most striking aspect of Cronk’s book is the patient attention to all of the PbD principles while presenting his approach to designing for privacy, as opposed to simply highlighting those most useful or expedient.

PbD is not easy, and there is no one way to do it best, but taking all the principles together is the intent of the exercise. In Dr Cavoukian’s introduction to PbD, she states that ‘[t]he objectives of Privacy by Design… may be met by practicing the following 7 Foundational Principles [emphasis added]’. Playing on the oft-used cooking analogy (that PbD ‘bakes privacy in’), it’s unlikely that a complex layer cake will materialise without using all the key ingredients.

The trouble with ‘PbD lite’

A selective approach to PbD – ‘PbD lite’ – is becoming increasingly mainstream. We have recently seen acknowledgement, on the basis of ‘shopfront’ reviews of organisations and their services, that meeting the benchmark set by one PbD principle is award-worthy. It is vital to recognise and champion hard work happening in the privacy space, and it is useful to analyse where organisations are achieving greatest successes in respect of PbD; however, meeting the requirements of one principle does not necessarily signal the big-picture, holistic, inclusive, privacy mindset-meets-action concept of PbD.

Rather, it can create an impression for the community and competitors that an organisation has got privacy ‘in the bag’ and can be trusted over others. The Australian Broadcasting Corporation (ABC), for example, recently received an award for ‘visibility and transparency’… however, a well-executed privacy policy (assuming that’s the award-winning part) cannot, in isolation, suggest that PbD is what the ABC does well (and certainly not in the wake of the ABC iView privacy debacle).

We have also seen PbD used to promote surveillance solutions for schools, where targeted website links and brochure-style comms focus on how privacy has been ‘designed in’ to the solution. While principles of end-to-end security and transparency may be touted by these vendors (e.g., ‘secure monitoring and communication with schools’ and ‘our PbD link tells you more’), this is not PbD at work nor is it PbD as a market differentiator. It’s a seamy consequence of ‘PbD lite’ – using privacy to sell platforms or services that, by their nature and design, violate privacy through covert monitoring of student activities in online environments.

A recent Human Rights Watch investigation highlighted that many EdTech platforms and services (those with and without an obvious or upfront surveillance component) have no compunctions about sharing personal information of children with their AdTech partners – making privacy, whether or not there is any hint of it ‘by design’, illusory indeed.

From ‘lite’ to right

Where ‘PbD lite’ may represent undercooked privacy practice at best and a drippy glaze for questionable privacy practice at worst – PbD of the intended variety offers something more solid. It speaks to the organisational ethos that comes with being privacy-minded and to the work (especially the constant attention and uplift) that comes with ensuring information practice is consistent with community expectations.

PbD requires diligence, patience and an enduring belief that privacy matters. Even if there are shortcomings or there is ‘work to do’ (and there almost always will be), organisations that subscribe to PbD have all the ingredients for success on hand to help elevate privacy from their to-do (compliance) list to being ‘just what we do here’.

>> Part 2, Bootstrapping PbD when the C-suite doesn’t care, will explore strategies for bringing PbD into your organisation (aka: winning hearts and minds).