Privacy by Design – protecting personal information from the wire-frame up
The dynamic and ever-growing nature of privacy regulations, and of the attack vectors related to privacy, emphasises the importance for NSW government organisations of ensuring that they, and their suppliers, do a better job of protecting data through technology design. Also known as ‘Privacy by Design’ and ‘Privacy by Default’, the terms refer to the systems engineering approach of integrating data-handling procedures into technology to protect personal information.
Privacy by Design is a framework based on proactively embedding privacy practices into the entire product development process. By building privacy into design specifications from the onset, public sector agencies and their suppliers are able to anticipate risks and prevent privacy-related issues, rather than retrofitting a system to address privacy issues as they arise. The concept calls for privacy to be taken into account throughout the entire engineering process.
What is Privacy by Design?
The Privacy by Design framework is based on the following seven foundational principles:
Why should government bodies insist on Privacy by Design?
Government bodies should be implementing Privacy by Design (and should be ensuring their suppliers implement Privacy by Design) to safeguard personal information, preserve brand reputation and comply with various privacy obligations. Strong data protection and privacy practices are essential to meet regulatory requirements and maintain consumer confidence. Participants, including government agencies, in all sectors are being exposed to increased scrutiny by key stakeholders including regulators and the public. As a result, various government organisations including Service NSW have incorporated Privacy by Design strategies to ensure best management of the public’s personal information, critical to reducing overall risk relating to the use of personal information and, importantly, building public trust.
Putting pure compliance concerns aside, implementing Privacy by Design is also likely to have better user outcomes – with the ‘user experience’ being built from the ground up so it is seamless, rather than having to be retrofitted in a manner which is more clunky and obvious. Good privacy practice enables the public to have confidence that their personal information is being used and protected appropriately. In instances where swift implementation of a solution is required (such as we have seen in the case of the rollout of various COVID apps), you are also more likely to get swift buy-in to your new solution if the key stakeholders can see that privacy is at the core of your design, rather than an afterthought.
How can government agencies implement privacy by design?
The protection of privacy can be effectively maintained where Privacy by Design practices are implemented at an early stage. This involves embedding a new culture and shifting a mindset that prioritises privacy at the heart of all new systems or processes being designed.
As a first step, NSW government agencies should complete a privacy impact assessment (PIA) which involves a systematic assessment to determine the impact of a project on the privacy of individuals, and outlines recommendations for managing, minimising or eliminating those impacts.
Rather than waiting until a solution is nearly ready to launch (and approaching legal/compliance as a final check), it is important for each PIA to be conducted at an early stage, to comprehensively consider privacy risks and mitigation strategies, to evolve with a project and anticipate risks that may arise, to incorporate feedback from stakeholders and to map how personal information is handled. In the case of major projects, it will be important to ensure that your relevant suppliers, including IT providers, are engaged in completing the PIA so that the risk mitigation strategies are known (and practical) to assist with their implementation as the project continues. Organisations should then designate a team who will be responsible for overseeing and enforcing the outcomes of the PIA.
The OAIC also recommends that your PIA should:
- map how information is collected as part of a project, and once it is collected, how the information will flow. This should include who can access it, how and where it will be stored, what it will be used for;
- consider the privacy risks and mitigation strategies. A PIA is more than just a compliance check;
- incorporate feedback on privacy risks from relevant stakeholders; and
- evolve with a project so that it reflects any changes in scope or direction.
However, Privacy by Design is not only about privacy-enhancing new technologies. Government organisations (either themselves or through their service providers) can also take a transformative approach and apply privacy principles to existing technologies and processes.
A recent high-profile example relates to the Australian Government’s launch of the COVIDSafe contact tracing application. Privacy was a key consideration in the design and architecture of the application and this was reflected in the methodology of the Privacy by Design approach. The approach involved strengthening the underlying privacy and integrity of the contact tracing system, minimising the data which was collected and the circumstances in which the personal information would be used, and otherwise adopting an approach to reassure users that the handling and collection of their personal information would be minimised as much as possible.
In addition to the above, the New South Wales Information and Privacy Commission suggests the following strategies to assist in embedding a Privacy by Design framework beyond conducting the PIA:
Relevant legislation and upcoming changes
While the European Union General Data Protection Regulation (the GDPR) requires organisations to implement Privacy by Design where it is reasonable and practical to do so, at present there is no specific requirement in Australia for public sector organisations to implement Privacy by Design (despite it being considered good practice and a means of ensuring compliance with the Information Privacy Principles). However, due to the extra-territorial application of the GDPR, any Australian government organisation whose activities are caught by the GDPR should be implementing Privacy by Design to ensure compliance with the GDPR. NSW government agencies should check whether the GDPR applies to their activities. An example of where the GDPR could apply to an NSW government body is if it provides an app which helps EU students find housing while they are studying in NSW. The GDPR applies in addition to existing NSW privacy laws, including the obligation to manage all personal information in accordance with the Privacy and Personal Information Protection Act 1998 (NSW) and the Information Protection Principles.
For more information on the privacy related issues that NSW government organisations face or if you require assistance in understanding your obligations to protect citizens’ privacy, please contact our Digital and Intellectual Property team at McCullough Robertson.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.