Privacy by Design – protecting personal information from the wire-frame up
The dynamic and ever-growing body of privacy regulation, together with the expanding range of attack vectors that target personal information, makes it increasingly important for organisations to protect data through the design of their technology. The terms ‘Privacy by Design’ and ‘Privacy by Default’ refer to the systems engineering approach of building data-handling controls into technology so that personal information is protected from the outset.
Privacy by Design is a framework based on proactively embedding privacy practices into the entire product development process. By building privacy into design specifications from the outset, businesses are able to anticipate risks and prevent privacy-related issues, rather than retrofitting a system to address them as they arise. The concept calls for privacy to be taken into account throughout the entire engineering process.
What is Privacy by Design?
The ‘Privacy by Design’ framework is based on the following seven foundational principles:
Why should businesses implement Privacy by Design?
Businesses in the financial services sector should be implementing Privacy by Design to safeguard personal information, preserve brand reputation and comply with their various privacy obligations. Within the industry, strong data protection and privacy practices are essential to meet regulatory requirements and maintain consumer confidence, and organisations are facing increased scrutiny both internally from their boards and externally from government regulators. In some cases, major organisations have been ordered to adopt Privacy by Design strategies following breaches of their privacy obligations, to ensure that customer personal information is properly managed.
Putting pure compliance concerns aside, implementing Privacy by Design is also likely to produce better user outcomes: a user experience that is built from the ground up can be seamless, whereas privacy controls that are retrofitted tend to be clunky and obvious. Customers and clients, including sophisticated corporates, are also more likely to buy in to a new solution if they can see that privacy is at the core of its design rather than an afterthought.
How can businesses implement Privacy by Design?
Privacy can be protected most effectively where Privacy by Design practices are implemented at an early stage. This involves embedding a new culture and shifting mindsets so that privacy sits at the heart of every new system or process being designed.
As a first step, businesses should complete a privacy impact assessment (PIA): a systematic assessment of the impact a project will have on the privacy of individuals, with recommendations for managing, minimising or eliminating those impacts.
Rather than waiting until a solution is nearly ready to launch (and approaching legal/compliance as a final check), each PIA should be conducted at an early stage so that it can shape the design, and it should be revisited as the project evolves. Businesses should then designate a team responsible for overseeing and enforcing the outcomes of the PIA.
The Office of the Australian Information Commissioner (OAIC) also recommends that your PIA should:
- map how information is collected as part of a project and, once collected, how it will flow. This should include who can access it, how and where it will be stored, and what it will be used for;
- consider the privacy risks and mitigation strategies. A PIA is more than just a compliance check;
- incorporate feedback on privacy risks from relevant stakeholders; and
- evolve with a project so that it reflects any changes in scope or direction.
However, Privacy by Design is not only about new privacy-enhancing technologies. Organisations in the financial services sector can also take a transformative approach and apply privacy principles to existing technologies and processes.
A recent high-profile example (albeit not from financial services) is the Australian Government’s launch of the COVIDSafe contact tracing application. Privacy was a key consideration in the design and architecture of the application, and this was reflected in the Privacy by Design methodology adopted. That approach involved strengthening the underlying privacy and integrity of the contact tracing system, minimising both the data collected and the circumstances in which personal information could be used, and otherwise reassuring users that the collection and handling of their personal information would be kept to a minimum.
In addition to the above, the New South Wales Information and Privacy Commission suggests the following strategies to assist in embedding a Privacy by Design framework beyond conducting the PIA:
Relevant legislation and upcoming changes
While the European Union General Data Protection Regulation (the GDPR, Article 25) requires organisations to implement Privacy by Design where it is reasonable and practical to do so, at present there is no specific requirement in Australia for businesses to implement Privacy by Design (despite it being considered good practice, a means of ensuring compliance with Australian Privacy Principle 1 and otherwise being recommended by the OAIC). However, because the GDPR applies extra-territorially, any Australian business whose activities are caught by the GDPR should be implementing Privacy by Design to ensure compliance with it.
In recognition of the complex regulatory environment produced by the growth of the digital economy, and of the findings of the ACCC Inquiry into Digital Platforms, the Australian Government is currently undertaking a comprehensive review of the Privacy Act 1988 (Cth). Following this review, it is likely that Australian businesses will be exposed to increased scrutiny regarding the way they safeguard the privacy rights of individuals (and it is also expected that the penalties for failure to comply will be more severe). Implementing Privacy by Design is one of the ways businesses can proactively manage these regulatory changes and maintain consumer loyalty in an increasingly disrupted digital environment.
For more information
For more information on the privacy related issues that modern businesses face in the digital age and the best ways to overcome them, please read our article on Cybersecurity in the post Covid workplace – stress testing your defences. Alternatively, if you are a business operating in Australia and require assistance in understanding your obligations to protect consumer privacy, please contact our Digital and Intellectual Property team at McCullough Robertson.
Thank you to McCullough Robertson Lawyer Emily Stone for her contribution to this article.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.