Most privacy practitioners and many others working in a range of information management roles today would be familiar with the concept of ‘Privacy by Design’. Developed by a coalition of privacy watchdog agencies and a research institute from Canada and The Netherlands in the mid 1990s, it was formally recognised by the annual assembly of International Data Protection and Privacy Commissioners in 2010.
Privacy by Design is based on 7 ‘foundational principles’:
- Proactive not reactive; Preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security – full lifecycle protection
- Visibility and transparency – keep it open
- Respect for user privacy – keep it user-centric
In recent months I have been investigating the application of the ‘By Design’ philosophy to solving a variety of information management problems and managing information-related risks. These have included everything from ensuring adequate recordkeeping for large infrastructure projects to protecting the security of client information in the delivery of government services online. The ‘By Design’ strategies and tactics employed to manage these information risks were both technical and non-technical, ranging from the design of customer service portals to protect sensitive personal information to the systematic inclusion of privacy impact assessments in new services development.
For recordkeepers, a ‘By Design’ approach is in effect what we have been doing for years. By understanding context and considering the needs of the wide range of users and other stakeholders, we build systems for keeping evidence of business that meet our needs now – but also with an eye to the future. Increasingly, we are making clever use of systems and recordkeeping metadata design to ensure the sustainability and portability of business information complete with its context, as government and corporate structures change. More than other professions, we understand that designing into systems can reap benefits much further down the track than 5 years’ time!
The Digital Transformation Office (DTO) has been doing great work of late to encourage ‘By Design’ thinking and an approach that understands the context services are being deployed in (from technical to societal contexts). Indeed, the DTO’s service design principles are not a world away from the principles of Privacy by Design:
- Start with needs: user needs, not government needs.
- Do less.
- Design with data.
- Do the hard work to make it simple. Then iterate again.
- This is for everyone.
- Understand context.
- Build digital services, not websites.
- Be consistent, not uniform.
- Make things open: it makes things better.
I quite like the idea of a merger of these two sets of principles as a touchstone for the building of new services (not systems! Let’s put the business and users first, not the technology), with the added layer of the key tools at our disposal for better creation, management and usability of information in all its forms: tools like Privacy Impact Assessments, recordkeeping requirements analysis and definition, and metadata frameworks. In doing so we can work collaboratively with the builders of the services to build the right mechanisms in to achieve not just privacy-by-design but security-by-design and recordkeeping-by-design, and ensure that as we transition to digital business we have the right information available for the right people at the right time – now and into the future.
Image credit: Design for a Flying Machine, Leonardo da Vinci [Public domain], via Wikimedia Commons
About the author
Cassie Findlay is a Senior Consultant with Recordkeeping Innovation. In past roles, Cassie has worked strategically at the whole of public sector level on digital recordkeeping, training and open data / open government initiatives, and implemented NSW’s first digital archive for born digital government records. Cassie has a Masters degree in information management from the University of NSW and is a co-founder of the Recordkeeping Roundtable.