Privacy by Design (PbD) is a concept developed by former Privacy Commissioner of Ontario, Dr. Ann Cavoukian. Privacy by Design (PbD) was developed in the 1990s to address the ever-growing and systemic effects of information and communication technologies and large-scale networked data systems. Privacy by Design (PbD) asserts that privacy assurance must be designed as part of an organization’s default mode of operation. Previously, privacy was assured solely by compliance with legislation and regulatory frameworks in most businesses.
The objectives of Privacy by Design (PbD) are to ensure individuals’ privacy and to help them gain personal control over their information while helping organizations gain a sustainable competitive advantage. The seven foundational principles of Privacy by Design (PbD) are:
- Proactive not reactive; preventative not remedial. PbD anticipates and prevents privacy-invasive events. It does not wait for privacy risks to materialize.
- Privacy as the default setting. PbD seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice.
- Privacy embedded into the design. Privacy is embedded into the design and architecture of IT systems and business practices. Privacy becomes an essential component of the core functionality being delivered.
- Full functionality. Positive-sum, not zero-sum. PbD accommodates all legitimate interests and objectives in a positive-sum, “win-win” manner.
- End-to-end security – Full lifecycle protection. PbD extends throughout the entire lifecycles of the data involved from start to finish.
- Visibility and transparency – Keep it open. Whatever the business practice or technology involved, it must operate according to the stated promises and objectives and is subject to independent verification.
- Respect for user privacy – Keep it user-centric. PbD requires architects and operators to keep the interest of the individual top of mind by offering measures like strong privacy defaults, appropriate notice, and empowering user-friendly options.
While the PbD principles provide a useful framework for building privacy into products and services, system developers need more. Specifically, developers need clear and unambiguous requirements, an understanding of available privacy and security controls, and an approach to privacy and security protection based on real risks to personal health information.