Privacy by design

Privacy by design is a practical framework that aims to “embed” privacy into the design and architecture of information systems, business processes and networked infrastructure. It aims to ensure that privacy is considered before, at the start of, and throughout the development and implementation of initiatives, projects and products and services that involve the collection and handling of personal information.

What are the benefits of implementing a privacy by design approach?

Privacy by design is a “best practice” approach to privacy governance and an essential tool for moving towards “data resilience”.

Implementing a robust privacy by design approach is a practical way to ensure compliance with key Australian Privacy Principles (APPs), however, it will also effectively help mitigate cybersecurity risks including to minimise the impact of a cybersecurity incident and allow your client or business to (potentially) continue to operate effectively during a cybersecurity event.

The Australian Government Agencies Privacy Code (the Code) was registered on 27 October 2017 and commenced on 1 July 2018. The Code sets out specific requirements and key practical steps that Australian Government agencies must take as part of complying with Australian Privacy Principle 1.2.

The Code requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.

Seven key principles of privacy by design

There are seven internationally recognised foundational principles of privacy by design. These should be considered in all business projects and decisions that involve personal information:

• Proactive not reactive; preventative not remedial;
• Privacy as the default setting;
• Privacy embedded into design;
• Full functionality — positive-sum, not zero-sum;
• End-to-end security — full lifecycle protection;
• Visibility and transparency; and
• Respect for user privacy — keep it user-centric.

Below are some basic steps you can take to ensure that your organisation or client is taking a privacy by design approach:

• Be proactive by understanding how your business or client collects, stores and handles personal information. Regularly conduct whole of business data surveys. See GDPR Applicability Assessment Questionnaire.
• Ensure relevant stakeholders have a robust understanding of privacy by embedding a culture of privacy into the organisation. Have in place a Privacy Management Framework, conduct regular staff training and have in place policies and procedures regarding the implementation of new projects. See the template on Staff guidelines and privacy training.
• Be proactive not reactive by conducting a privacy impact assessment for new projects which involve personal information. See Conducting a privacy impact assessment and the Privacy Impact Template.
• Consult broadly with all relevant technical, commercial, operational, legal and compliance stakeholders during the embryonic stages of a project to ensure that privacy is the default setting and embedded into design. For example, developers of an application might include explicit opt-in, safeguards to protect data, restrictions on sharing and restricted data collection. Privacy by default and embedding privacy into design directly lowers the cyber security risk profile.
• Security measures should be end-to-end. For example, appropriate encryption and authentication should protect the data till the very end when it finally gets deleted. See Securing personal information across the information life cycle for more information.
• A plain English privacy policy and bespoke and specific collection statements tailored to specific projects can assist in ensuring visibility and transparency and keeping it “user-centric”. Make it simple for individuals to give and revoke their consent and correct and manage their personal information as opposed to making them go through complex multistage processes.

What are reasonable steps to protecting personal information held?

APP 11.1 states that an APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. What constitutes “reasonable” steps will depend on the circumstances of collection and factors such as the amount and sensitivity of the personal information held and the possible adverse consequences for an individual in the case of a breach.

However, the Office of the Australian Information Commissioner has published the Guide to securing personal information which includes detailed information regarding what could constitute “reasonable steps”. While the Guide to securing personal information is not legally binding, it is very prescriptive. Accordingly, if an APP entity has in place the measures described in the Guide to securing personal information, it would help in ensuring compliance with APP 11.1 if it were ever under investigation.

Appropriate security measures for protecting personal information need to be considered in regard to all of your entity’s acts and practices. Taking a whole of business collaborative approach and adopting a “privacy by design” approach is essential with clear procedures for oversight, accountability and lines of authority for decisions regarding personal information security established.

To read the full guidance notes ‘Understanding personal data’ and ‘Securing personal information across the information life cycle’, subscribe to Practical Guidance Cybersecurity, Data Protection & Privacy module.