Privacy by Design embodies the notion of making privacy the default: embedding privacy tools and technologies directly into a product, device or service itself so that the protection is there from the get-go.
But, to Dr. Ann Cavoukian, Ontario’s Privacy Commissioner, Privacy by Design (PbD) is more than an esoteric concept – it is a firm and actionable methodology.
“Embedding privacy into technology in a proactive way, before the fact, moves you beyond compliance,” Cavoukian states.
“Complying is after the fact; PbD is preventing privacy abuses beforehand. Privacy as a default is going to be the strongest protection you can have,” she said in a phone interview.
Our discussion took place on the day before one of the Commissioner’s big highlight events – the second annual Privacy by Design Challenge.
Today’s (January 28) event in Toronto coincides with International Data Privacy Day (did you know there was one?).
The PbD gathering will focus on the implementation of privacy into new technologies, business practices, and networked infrastructures. In particular, image encryption technology that makes privacy the default for video surveillance will be showcased this time around.
But while enthusiastically anticipating the event, the Commissioner also shared her thoughts on current consumer technology, and how such common gadgets as a USB memory stick can be used to both protect, and inadvertently damage, personal data privacy.
She recalled the recent story about a Durham Region (Ontario) health care facility, from which some 84,000 patient files were compromised when a staffer took home a memory stick – and lost it in transit!
The files were not encrypted, and the data was certainly valuable – to more folks than the patients themselves, unfortunately!
Apparently, a new staff member simply was not aware of the procedure for data protection and encryption that, in fact, the Commissioner had mandated more than two years earlier.
“We previously had issued a warning to Sick Kids Hospital, that all data must be locked down if it is to be transported by mobile device,” Cavoukian explained. “That order extends to all health care providers in the province.”
(As an aside, one of my many USB sticks has privacy by design – there is a six-digit code I have to enter before the thing boots up! Then, if I desire, I have another layer of protection by encrypting the data itself.)
As required by the regs, the Durham health care provider has to notify its patients – all 84,000 of them – about the data breach. Not surprisingly, people freaked out – and many called or wrote to the Commissioner to find out what could be done.
Well, the data’s gone – but the aggrieved parties have some tremendous tools for claiming and obtaining compensation, she said.
“In the case of identity theft, you can seek damages, both in terms of the actual harm suffered as a victim of theft, but also you can seek damages for mental anguish or psychological harm.”
Armed with evidence of identity theft (like a letter from the breaching party), and an Order like the Commissioner’s (which basically determines guilt by its very issuance, subject to appeal), one can proceed by showing the actual harm that was done.
However, as Cavoukian cautioned, “In case of ID theft, most cases don’t even surface before a year has elapsed. Don’t think ‘all is well’ because nothing has happened.”
Yikes! Nothing is not good in this case.
But doing nothing is in fact one of the Commissioner’s working metaphors for data safety.
“It is the ‘No Action’ mode. If I do nothing, will I have the data privacy and personal information security that I want? If the answer is ‘Yes’, you have privacy by design,” she explains.
In the Durham example, would PbD have prevented the data loss? Perhaps.
If the real workplace default was ‘no data copy without encryption’, well, that might have worked. If, by design, all memory sticks were locked by a password, well, that might have helped, too.
When doing nothing – that is, when using the default settings – can ensure privacy, well, that will be a major accomplishment.
But, as the Commissioner enjoined, good design must be accompanied by good training.
Employees, certainly, must be trained to respect data and regard its security as a top priority at all times – employees on the frontline and employees at the top of the corporate pyramid alike.
Consumers, too, need training or heightened awareness of data privacy and security issues. We have to use the tools that are provided, but even if such tools are in place, we must think before we post…or copy…or hit send.
The Commissioner is sympathetic to the potential dilemma, though: “Consumers should not have to think about data privacy at every step they take. They can’t be expected to, what with technology turning on a dime.
“That’s why it should be the default.
“We know that, whatever the default is, it rules! More than 80 per cent of settings are based on default. And we want privacy to prevail.”
But consumers can always ask the critical question, the Commissioner added, of any service provider, be it public or private sector: ‘How are you safeguarding my information? You have just collected valuable data …how are you protecting it?’
“If there’s no answer, well, you know there is a problem. Go up the line. Ask the managers. Just by posing the question, you can alert people to think about the rules, and to act upon them,” Cavoukian advises.
And you can let them know you are watching them, and their privacy practices. (Oh, surveillance – we’ll talk about that issue in another blog post.)
submitted by Lee Rickwood
# # #
For now, what’s your tech?
Your privacy routine? Using technical tools, like encryption and solid passwords? Using attitudinal tools, like pointed questions and informed choices? Or, is it typing in ‘password’ in all cases?