Search

Privacy & Security

PrivacyByDesign

Maintaining user privacy and the security of systems that process—i.e., collect, store, use, and disseminate—personal data is a fundamental concern for ID systems as discussed in Section II. Assess Risks. In addition to adhering to international data protection and privacy principles in the development of the legal framework, privacy-enhancing technologies (PETs) and security measures should be built into every aspect of the ID system—that is, privacy assurance must become an organizational norm.

Achieving this goal can be done through adopting a “privacy-and-security-by-design” approach—first conceptualized by Anne Cavoukian as “Privacy-by-Design” or PbD (Cavoukian 2011)—that adheres to the principles enumerated in Box 18.

Box 18. Foundational Principles of Privacy by Design (PbD)

  1. Proactive not reactive; preventative not remedial: The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred—it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

  2. Privacy as the default: We can all be certain of one thing—the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy—it is built into the system, by default.

  3. Privacy embedded into design: Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.

  4. Full functionality; positive-sum, not zero-sum: Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.

  5. End-to-end security; lifecycle protection: Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved—strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.

  6. Visibility and transparency: Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to both users and providers alike. Remember, trust but verify!

  7. Respect for user privacy: Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!

Source: Cavoukian (2011).

As shown in Figure 12, the privacy-and-security-by-design approach embodies a number of global standards and principles on privacy and data protection that have been developed over the past few decades, including those discussed in Section III. Legal Framework.

Figure 12. Privacy frameworks for personal data

privacy framework for personal data

Source: Privacy by Design: Current Practices in Estonia, India, and Austria. For details on privacy frameworks, see OECD (2013), Cavoukian (2011), the ISO/IEC 29100, and EU (2016).

Implementing a privacy-and-security-by-design approach requires complementary controls throughout the ID system lifecycle. This includes:

  1. Legal controls for privacy and data protection, as well as information and cyber security;

  2. Management controls for monitoring, oversight, and risk management;

  3. Operational controls that promote security awareness, training, and detection; and

  4. Technology controls that limit and protect the processing of personal data and ensure the physical and virtual security of systems that process this data (adapted from ISO/IEC 29100).

Each of these controls are complementary; on their own, each will be insufficient maximize the privacy and protection of personal information.

This section focuses on privacy- and security-enhancing technologies, design strategies, and operational controls—legal and management controls are discussed more thoroughly in Section III. Legal Frameworks. Privacy-enhancing technologies (sometimes called PETs) are a category of ICT measures, products, or services that protect privacy by eliminating or reducing PII or by preventing unnecessary or unauthorized processing of PII without losing the functionality of the system (ISO/IEC 29100).

As articulated in a recent report from the European Union Agency for Network and Information Security (ENISA) and summarized in Table 21, technology and operational controls can help protect personal data in multiple ways, including by minimizing data collection and processing, hiding personal data and their interrelationships, separating or distributing data processing, aggregating data to a level where it is not identifiable, informing people regarding data processing, giving control over data processing, enforcing privacy policies, and demonstrating compliance with privacy legislation (Danezis et al. 2015).

Table 21. Examples of privacy and data protection enhancing technologies and operational controls

Strategy Example solutions (not exhaustive)
Data-oriented Minimize the collection and processing of personal data to limit the impact to privacy of the system
Hide personal data and their interrelationships from plain view to achieve unlinkability and unobservability, minimizing potential abuse

  • Encrypt data when stored or in transit

  • End-to-end encryption

  • Key management/key obfuscation

  • Anonymization and use of pseudonyms or tokenization for data processing

  • “Zero semantics” or randomly generated ID numbers

  • Attribute-based credentials (ABCs)
Separate, compartmentalize, or distribute the processing of personal data whenever possible to achieve purpose limitation and avoid the ability to make complete profiles of individuals

  • Tokenization or pseudonimization by sector

  • Logical and physical data separation (e.g., of biographic vs. biometrics)

  • Federated or decentralized verification
Aggregate personal data to the highest-level possible when processing to restrict the amount of personal data that remains

  • Anonymize data using k-anonymity, differential privacy and other techniques (e.g., aggregate data over time, reduce the granularity of location data, etc.)
Process-oriented Inform individuals whenever their data is processed, for what purpose, and by which means
Give individuals tools to control the processing of their data and to implement data protection rights and improve the quality and accuracy of data
Enforce a privacy policy that complies with legal requirements
Demonstrate compliance with the privacy policy and applicable legal requirements
Source: Framework adapted from Danezis et al. (2015) available at to fit the ID system context. This table is meant to be illustrative of common privacy-enhancing technologies and operational controls, but it is not exhaustive. For emerging solutions, users are also encouraged to consult the online, crowd-sourced catalog of privacy patterns currently being developed by UC Berkeley’s School of Information.

The specific privacy- and security-enhancing operational and technical controls adopted by an ID system will depend on context and other design choices. Some important categories of these technologies and strategies are discussed in more detail below, including: