The last week or so has seen lots of privacy hiccups highlighted on this blog. What I haven’t done is talk about how to do this the right way, or at least the right way in my opinion. One of my favorite writers on practical privacy issues, Kashmir Hill of Forbes, called the flip-side of privacy by design, “embarrassment by design.” I love this. That is what we have been seeing lately.
Let’s face it though. Lawyers learn by someone else’s mistakes. Someone did something wrong, therefore we don’t do that. The problem with privacy breaches is that once the privacy horse is out of the barn, it is roaming the pasture telling everyone about you. Yes, my horse is the famous Mr. Ed.
Privacy by Design is all about thinking about private personal data handling before you even fire up that system or release that piece of software code. Baking it into the design process. You can learn a lot about Privacy by Design (PbD if you like acronyms) from my neighbors to the north, Canada.
The Great White North
The Privacy Commissioner of Ontario released this document in 2011 that outlines 7 foundational principles. It is great as a backdrop as I go into more detail what PbD means to me. The 7 principles are:
- Proactive not Reactive, Preventative not Remedial. Don’t learn from your mistakes.
- Privacy as the Default Setting. Yes, most of us leave the default settings as is. Scary, isn’t it?
- Privacy Embedded into Design. More on this later.
- Full Functionality – Positive Sum, not Zero Sum. Everyone’s interests are a little different, seek to design a system that takes that into account.
- End-to-End Security – Full Lifecycle Protection. Cradle to grave protection should be your goal.
- Visibility and Transparency – Keep it Open. I so want to say, ‘no duh.’ Wait, I just did.
- Respect for User Privacy – Keep it User-Centric. It’s all about the users, stupid.
Theory is Great, What About Practice
The principles are great, but what do they mean when I stand up my project team, or even before I do that? If there is any indication that your project will be collecting user data, you need to add privacy as a component of the work. I don’t mean someone who does double duty with privacy aspects as a collateral duty. I mean a true Privacy Lead.
Examine the reasons why you are collecting user data. If there isn’t a good reason, stop, don’t pass go. If your reason is we want to collect that data because we can derive value from it, what is the value to the user? If your project sponsors can’t articulate the user value to your privacy lead, stop, don’t pass go.
Identify where the data is going to be stored. Who will have access to that data store? Where will it be located? Are you putting it in the cloud? As you work this step, also look at who has access to those data stores. This includes other systems. It would be my suggestion that you have separate systems for the storage of protected data. It should be a simple enough thing in other systems to put a pointer back to that original data store. Don’t replicate data, maintain control.
Identify the actual uses of that data. Think about other ways to use that data, too. This is a bit of a brainstorming exercise, so have fun with it. If the data is location information, maybe a use would be offering up free crab-cakes when the user has just gotten back from Maryland. In all seriousness, you need to think long and hard about this. It also includes combination of this data with other non-protected data. Unless you are all about making new law, please don’t say that once combined it is no longer protected, or that your users no longer really own the data. It’s about the users, remember. If you do that, be prepared for embarrassment by design.
How will the data be managed, and when will it be purged or deprecated? You can accomplish the non-use of data with programmatic controls over the data store. Once you no longer need the data, sever all connections. Purge the data out of your systems and backup tapes as quickly as you can once you no longer need the data (practically and legally). If you keep the data around, I bet you cold hard cash that someone will want to combine it with other data stores.
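The separate-store-plus-pointer pattern and the programmatic purge described above, as an added Python example (this is not code from the original post); the ProtectedStore and OrderSystem names, the 30-day retention window and the sample address are constructed for illustration:

```python
import datetime as dt
import secrets


class ProtectedStore:
    """Single system of record for protected user data (constructed example).
    Other systems keep only an opaque reference to a record, never a copy."""

    def __init__(self):
        self._records = {}  # ref -> {"data", "purpose", "expires"}

    def store(self, data, purpose, retain_for, now):
        # Every record carries its stated purpose and a hard retention deadline.
        ref = secrets.token_urlsafe(16)
        self._records[ref] = {"data": data, "purpose": purpose,
                              "expires": now + retain_for}
        return ref

    def resolve(self, ref):
        # Dereference a pointer; returns None once the data has been purged.
        rec = self._records.get(ref)
        return rec["data"] if rec else None

    def purge_expired(self, now):
        # Programmatic control: drop every record whose retention window passed.
        expired = [r for r, rec in self._records.items() if rec["expires"] <= now]
        for r in expired:
            del self._records[r]
        return len(expired)


class OrderSystem:
    """Downstream system that stores the reference, not the address itself."""

    def __init__(self, pii_store):
        self.pii = pii_store
        self.orders = []

    def place_order(self, item, address_ref):
        self.orders.append({"item": item, "address_ref": address_ref})

    def shipping_address(self, order_idx):
        # The only way to see the address is through the protected store.
        return self.pii.resolve(self.orders[order_idx]["address_ref"])


def demo():
    t0 = dt.datetime(2013, 1, 1)  # constructed timeline
    pii = ProtectedStore()
    orders = OrderSystem(pii)
    ref = pii.store("123 Main St, Baltimore MD", "shipping", dt.timedelta(days=30), t0)
    orders.place_order("crab cakes", ref)
    before = orders.shipping_address(0)             # address still resolvable
    purged = pii.purge_expired(t0 + dt.timedelta(days=31))
    after = orders.shipping_address(0)              # pointer now dangles: None
    return before, purged, after
```

Once the protected store purges a record, every downstream pointer to it goes dead at the same moment, which is what "sever all connections" looks like in code.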
Listen to your Privacy Lead. This person should have a report chain that is different from the project lead and project sponsor. They should not be beholden to your ship deadline, though they need to be sensitive to it. Find the pragmatists in your organization to serve these roles. They may be privacy professionals if your organization is big enough. What they need to do is ask the hard questions.
Listen to the users. I highly recommend field-testing your system/process with an average user. Let them react to the collection and use of their data. See what they say. If Renew had done this, I wouldn’t have had anything to write about a few days ago.
Privacy by Design is all about Doing the Right Thing
Doing the right thing should be your yardstick when it comes to user data. Looking at everything through this lens will help you. Quite frankly, privacy is simple. It’s the actual doing of it that is hard.