Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, is recognized as one of the leading privacy experts in the world. She has been working with a concept called Privacy by Design for over 20 years. The idea is that Privacy should be designed into systems from the beginning, not added as an afterthought. Systems designers should be made aware of privacy issues and be proactive about embedding them into the system.
Dr. Cavoukian states: “We know from the academic literature that whatever the default condition is, that condition rules 80 percent of the time. I want that to be privacy. By default, I mean it is automatically available to the user without them having to ask for it. It’s embedded; it’s built into the system.”
Once a year, there is an annual international privacy commissioners and data protection regulators conference, usually in Europe. Last year, the conference was hosted in Israel where the privacy commissioners unanimously passed an international resolution making Privacy by Design an international standard. The standard is now being adopted worldwide, in not only Canada and the EU. The Federal Trade Commission has made it one of its three recommended practices. Senators Kerry and McCain recently introduced a commercial bill of privacy rights which uses language taken directly from the Privacy by Design standard for the first time.
Privacy has become a recent “hot topic” due to what seems to be endless security breaches in the health care and banking industries. To address this current state of affairs, Dr. Cavoukian has developed a new concept called Privacy by Redesign, to bring privacy into systems that are already developed. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, and create a consent management system.
The idea behind Privacy by Redesign is to add additional privacy safeguards to existing systems, which contain Personally Identifiable Information (PII). Triggers would be added to the systems, which when invoked, automatically request additional consent management or identity management protocols. This should limit the use of the data to its intended purpose.
Dr. Cavoukian’s complete interview is available at HealthcareInfoSecurity.com.