1. PRIVACY-BY-DESIGN
Built-in Privacy Protection Inevitable
And Making Open Data Feasible
Dr. John Borking
Of counsel CMS Derks Star Busmann. & elaw Researcher University Leiden
25-2-2013 ePSI Warsaw 1
2. That’s me ≠ I am personal data
• Dr. J. J. Borking (* 1945), Director/Owner Borking Consultancy, Wassenaar, Netherlands
• Of counsel Privacy-by-Design, law firm CMS Derks Star Busmann, Utrecht
• EU/CEN/NR Researcher & Researcher e-Law, University of Leiden
• Arbitrator/Mediator SGOA (ADR-ICT)
• Former Privacy Commissioner & Board Member Dutch Data Protection Authority & Former Board Member Gaming & Lotteries Authority
• Senior Counsel Europe Xerox Corp
3. WHAT IS PRIVACY BY DESIGN?
• Article 23 of the Draft Regulation requires “data protection by design” and “data protection by default”. (DPbD is applauded as a core innovation of the reform: Albrecht Report 2012/011 (COD))
• Privacy or Data protection or Compliance-by-Design?
• “Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
• “The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.”
4. WHAT IS PRIVACY BY DESIGN?
The objective is:
“Privacy assurance must ideally become an organization’s default mode of operation (…) by deploying PETs (…) extending to a trilogy of encompassing applications: 1. IT systems; 2. Accountable business practices; 3. Physical design and networked infrastructure.”
http://www.ipc.on.ca/images/Resources/7 foundational principles.pdf
5. WHAT IS PRIVACY BY DESIGN?
• WP 168 The Future of Privacy, p. 13: “The application of such principle would emphasize the need to implement privacy enhancing technologies (PETs), privacy by default settings and the necessary tools to enable users to better protect their personal data (e.g. access controls, encryption).”
• Achieving transparency and opacity
6. PRIVACY BY DESIGN -WHAT IS IT?
[Diagram: the three layers of Privacy by Design]
• Information technology: privacy supporting architecture; privacy enhancing technologies
• Organization: privacy supporting business processes & PIAs; management support for privacy
• Physical environment: privacy supporting organization of physical spaces
• Design guided by privacy principles and values
• Experience of privacy is essential for privacy, trust and adoption
Source: M. Van Lieshout, Stimulerende en remmende factoren van Privacy by Design in Nederland (2012) [Stimulating and inhibiting factors for Privacy by Design in the Netherlands]
7. ONE EXAMPLE OF PbD:
The Identity Protector as Design Pattern
[Diagram: the user’s known identity in the identity domain passes through the Identity Protector (IDP), which issues separate pseudo identities PID 1, PID 2, … PID n in the pseudo identity domain]
Borking J., Der Identity-Protector, in Datenschutz und Datensicherheit (DuD) 1996, 11
8. ONE PRACTICAL EXAMPLE OF PbD: Hospital Information System
Hospital Information System: basic tables with pseudo identities & ID domains
[Diagram: table schema; no links between tables due to the IDP]
• patient: seq_patient, patient_number, nac
• care relation: seq_carerelation, seq_patient, pid_caretaker, date_from, date_till
• caretaker: seq_caretaker, crt_number, crt_name
• admission: seq_admission, pid_carerelation, date_from, date_till
• anamnesis: seq_anamnesis, seq_admission, pid_caretaker, details
• medication: seq_medication, seq_admission, pid_caretaker, details
• etc: seq_etc, seq_admission, pid_caretaker, details
• notes: seq_notes, seq_admission, pid_caretaker, text
Van Blarkum 1997 & Borking 2010
9. HOSPITAL INFORMATION SYSTEM
ID Domain 3 till n for research and open data purposes
[Diagram: the same tables split over ID domains]
• ID domain 1: patient (seq_patient, patient_number, nac)
• ID domain 2: care taker (seq_caretaker, crt_number, crt_name)
• care relation (seq_patient, pid_caretaker, date_from, date_till) links ID domain 1 and ID domain 2 only through the caretaker’s pseudo identity
• Pseudo domain 3 till n: admission (seq_admission, pid_caretaker, date_from, date_till); anamnesis (seq_anamnesis, seq_admission, pid_caretaker, details); medication (seq_medication, seq_admission, pid_caretaker, details); etc (seq_etc, seq_admission, pid_caretaker, details); notes (seq_notes, seq_admission, pid_caretaker, text)
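As an added illustration of the Identity Protector pattern and the hospital tables on slides 7 to 9 (example code written for this page, not from the cited papers): a keyed-hash IDP that issues a separate pseudo identity per ID domain, and a research extract (ID domain 3 till n) in which admission and notes carry only pid_carerelation and pid_caretaker. Domain names, keys and the sample rows are constructed.

```python
import hmac
import hashlib

class IdentityProtector:
    """Sits between the identity domain (real patient and caretaker numbers)
    and the pseudo-identity domains. Each domain has its own secret key, so a
    person gets a different, unlinkable PID per domain; only the IDP maps back."""

    def __init__(self, domain_keys):
        self._keys = dict(domain_keys)   # domain name -> secret key (bytes)
        self._reverse = {}               # (domain, PID) -> identity, IDP-internal

    def pid(self, domain, identity):
        # Keyed hash: stable within one domain, unlinkable across domains.
        mac = hmac.new(self._keys[domain], identity.encode(), hashlib.sha256)
        p = mac.hexdigest()[:16]
        self._reverse[(domain, p)] = identity
        return p

    def resolve(self, domain, p):
        # Re-identification is only possible through the IDP (the trusted party).
        return self._reverse[(domain, p)]

def build_research_extract(idp, domain):
    """Builds the ID domain 3..n view: admission and notes carry PIDs only,
    never crt_number or a direct key into the care relation table."""
    # Identity-domain rows (constructed sample data; these never leave the hospital).
    admissions = [{"seq_admission": 100, "seq_carerelation": 10, "date_from": "2012-03-01"},
                  {"seq_admission": 101, "seq_carerelation": 10, "date_from": "2012-09-12"}]
    notes = [{"seq_notes": 1, "seq_admission": 100, "crt_number": "C-007", "text": "..."},
             {"seq_notes": 2, "seq_admission": 101, "crt_number": "C-007", "text": "..."}]
    return {
        "admission": [{"seq_admission": a["seq_admission"],
                       "pid_carerelation": idp.pid(domain, str(a["seq_carerelation"])),
                       "date_from": a["date_from"]} for a in admissions],
        "notes": [{"seq_notes": n["seq_notes"], "seq_admission": n["seq_admission"],
                   "pid_caretaker": idp.pid(domain, n["crt_number"]),
                   "text": n["text"]} for n in notes],
    }

def notes_per_caretaker(extract):
    """Research query that needs no real identity: notes written per caretaker PID."""
    counts = {}
    for n in extract["notes"]:
        counts[n["pid_caretaker"]] = counts.get(n["pid_caretaker"], 0) + 1
    return counts
```

Within one pseudo domain the PIDs stay consistent (the research question can still be answered), while a second domain for open data gets different PIDs for the same caretaker, so the two extracts cannot be joined without the IDP.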
10. PROBLEMS FOR PRIVACY BY DESIGN
• PbD is done mostly without a proper privacy risk analysis up front (PIA) (J.J. Borking, Privacy Law is Code 2010)
• The translation of PbD (the legal specs +) into actual designs of systems is done by example. Therefore, everybody is free to postulate a particular design (process) as “Privacy or Data Protection by Design” (Van Rest Designing Privacy by Design 2012)
• On top of that, actual implementation is confronted with difficulties such as lack of economic incentives, transparency of systems, legacy systems, and lack of adoption of PbD by organizations/end-users and consumers (J.J. Borking, Privacy Law is Code 2010)
11. HOW FURTHER?
• Do we let each designing party (industry and government) decide per case or product line what PbD means (an evolutionary approach, in which each party implements PbD in its own way)? (Van Rest Designing Privacy by Design 2012) or
• As we don’t know enough of (behavioural) economics and cannot leave it to that, the need for EU Commission/ government/ data protection authority (DPA) involvement is urgently justified,
• “to adopt delegated acts (…) for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2 (of article 23 GDPR), in particular for data protection by design requirements applicable across sectors, products and services.”
• “The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2.”
12. RECOMMENDATIONS
• PbD: No one-size-fits-all solution (Van Rest Designing Privacy by Design 2012)
• We need a toolbox with PIA, Privacy Design Patterns, PETs, PMS and design processes (Waterfall etc.)
• Validate (use of) the PbD toolbox via design processes
• We do need the collection and publication of concrete examples to learn from, and to collect and create metrics for the consequences of PbD
• PbD should facilitate certification of [product, production process, design], like certificates from EuroPrise, & certification should prove the presence of PbD (a sine qua non)
• Adoption of PbD should be promoted strongly by the DPA & Behavioural Economics on Privacy should be researched