Privacy by Design or Redesign—a new International Standard

Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, is recognized as one of the leading privacy experts in the world. She has been working with a concept called Privacy by Design for over 20 years. The idea is that privacy should be designed into systems from the beginning, not added as an afterthought. System designers should be made aware of privacy issues and be proactive about embedding privacy protections into the system.

Dr. Cavoukian states: “We know from the academic literature that whatever the default condition is, that condition rules 80 percent of the time. I want that to be privacy. By default, I mean it is automatically available to the user without them having to ask for it. It’s embedded; it’s built into the system.”

An international conference of privacy commissioners and data protection regulators is held once a year, usually in Europe. Last year, the conference was hosted in Israel, where the privacy commissioners unanimously passed an international resolution making Privacy by Design an international standard. The standard is now being adopted worldwide, not only in Canada and the EU. The Federal Trade Commission has made it one of its three recommended practices. Senators Kerry and McCain recently introduced a commercial bill of privacy rights which uses language taken directly from the Privacy by Design standard for the first time.

Privacy has recently become a “hot topic” due to what seem to be endless security breaches in the health care and banking industries. To address this state of affairs, Dr. Cavoukian has developed a new concept called Privacy by Redesign, which brings privacy into systems that are already developed. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, […]

Keeping Electronic Health Records Safe

Surveys have shown that the majority of Americans are “very concerned” about identity theft or fraud (80 percent), the use of their medical information for marketing purposes (77 percent), and that their data might become available to employers or insurance companies (56 and 55 percent, respectively). At the same time, 89 percent of respondents say that they want their physicians to be able to communicate with one another, while the majority support the development of Health Information Technology as a whole and believe that it will improve care and reduce costs [1].

According to a current listing on, four of the ten major data security breaches on the list involved medical records getting into the wrong hands.  The VA experienced one of the top ten data security breaches of all time (over 26 million records).  Patient records contain information that can be used to steal a person’s identity or help criminals pinpoint vulnerable targets. Medical information can be used to discriminate unfairly because it is often beyond what the payors and others are allowed to know. Employers and insurance companies can discriminate based on past health issues if given access to these records.

Initiatives for a standardized Electronic Health Record (EHR) are gaining acceptance. As these standards are developed, the government and industry should look to the Payment Card Industry Data Security Standard (PCI DSS) for eCommerce security. Under PCI DSS, compliant systems require sensitive information to be separated from non-sensitive data within the system and to be encrypted both in transit and at rest. This prevents hackers from reading the information even if they manage to break into the system or steal a computer. While PCI DSS compliance has helped prevent security breaches in […]