Insights for Action

Privacy by Design

Seven principles of privacy by design

Data Controller image Photo Credit: Photo by ThisIsEngineering from Pexels

Legislation which carries large fines usually provides a good reason for checking out the law. In this case, the driver is the General Data Protection Regulation (GDPR), an EU directive which addresses the fundamental rights and freedoms of natural persons. Natural persons are “real” people, unlike llegal persons which includes entities like companies. It asserts that natural persons have the right to have their personal data personal data protected. It does not regulate data used for national security; nor does it cover data used for purely personal or household activity, such as sending birthdays cards.

Whilst the definition of the data subject, a natural person (within the EU) limits the focus GDPR, the data are likewise limited. The directive only concerns data collected on “An identified or identifiable natural person”. Such a data subject can be regarded as “identified” within a certain group of people if he or she can be distinguished from all the other group members. To be specific, Article 4(1) of the GDPR states that a natural person is identifiable when it is possible to identify him or her, directly or indirectly. Some identifiers are obvious; name, identification number, some less obvious such as location. However, indirect identification may be possible through physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore,
Article 9 specifies the following as sensitive personal data:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic data
  6. Biometric data used to uniquely identify natural person
  7. Health data
  8. Data concerning individuals’ sex life
  9. Sexual orientation

(It’s interesting that Sex is not listed, unless that is implied by Genetic data).

The GDPR is not law of itself. It applies to anyone working with data pertaining to EU citizens through action of member state’s law. The aim of the directive is to harmonise national law of member states. It superceded legislation on the protection of individuals with regard to the processing of their personal data as well as the free movement of such data (1995) on the one hand, and police and judicial co-operation on the other (2008). Proposals for GDPR were made in 2012 and aimed to protect individuals in terms of legislation around the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the enforcement of criminal penalties based on the free movement of these data. The directive entered force on 5th May 2016, with the requirement that member states implement this directive in their own law by 25th May 2018. It was signed into law by the UK and has not yet been removed from UK statute since departure from the EU. Whether the UK will remain abreast of changes to the GDPR over time remains to be seen. The Police and Criminal Justice Data Protection Directive was handled the same way at the same time.

Article 5 sets out six principles underlying the GDPR:

  1. Personal data must be processed in a lawful, fair and transparent way. Article 8 mandates that parents or legal guardians have to consent for data processing on children.
  2. Data are to be collected only for specified, explicit and legitimate purposes. However, further processing for the purposes of the public interest, scientific or historical research or statistical purposes is not considered as incompatible with the initial purposes and is therefore allowed.
  3. Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Data must be accurate, and where necessary, up to date.
  5. Data must not be kept in a form where it is possible to identify data subjects for any longer than necessary for the purposes of the processing.
  6. Appropriate security measures should be in place which includes protection against unauthorised or unlawful processing, destruction or damage. This can include encryption, authentication and authorisation mechanisms.

Article 5 asserts that the data controller is responsible for compliance and demonstrating compliance. This begs the question as two what a “data controller is”. In order to operationalise the GDPR, a number of roles are defined:

  1. Data controller Article 4(7) GDPR, a natural or legal authority who determines the purpose and method of processing personal data
  2. Data processor Article 4(8) GDPR, a natural or legal authority who processes data on behalf of controllers
  3. Data subject Article 4(1) GDPR, discussed above, a natural person
  4. Data Protection Officer (DPO) Articles 37-39 GDPR, a person designated by a controller and/or processor to ensure controllers, processors and their employees are following the GDPR and other relevant legislation
  5. Supervisory authorities Article 4(21) GDPR and Article 51 GDPR
  6. European Data Protection Board Article 68 GDPR

So this is where it gets interesting. As a statistician we could be acting as controllers or (far more often) processors of data. But we could also be developing statistical software that is intended to be used by others. So one of the strong implications of the GDPR is that this process needs to be done in a way that respects the GDPR. Most specifically, this leads to the priciples of “Privacy by Design” An early statement on Privacy by Design was made by Ann Cavoukian (Canadian Information andn Privacy Commisioner) in 2011. The key ideas are:

  1. Privacy by Design is a proactive approach aimed at preventing privacy risks rather than fixing them after problems arise.
  2. Privacy is a default setting.
  3. Privacy has to be embedded into design.
  4. It ensures full functionality and provides both privacy and security.
  5. Security is an integral systems for the whole lifecycle.
  6. “Privacy by Design” provides visibility and transparency.
  7. User interests and needs must be considered, and systems should be user-centric.

And it can be noted that Article 25 of the GDPR makes more specific regulations around privacy by design.

Share on: