
Recently I had the opportunity to attend the IAPP Global Privacy Summit in Washington D.C., where, along with Karriem Shakoor, Dave Dobrotka and Vicki Kamenova, we led a discussion of privacy in relation to the use of personal mobile devices in a corporate setting.
While there it was impossible to avoid the new buzz term, Privacy by Design; it was similar to attending RSA in 2010 and trying to escape a discussion on cloud computing (good luck). Privacy by Design is a construct developed by Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, and naturally, as a citizen of Ontario, I was immediately drawn to her, probably as a function of nationalistic, or would it be ‘provincial-istic’, pride. As I listened and learned, I began to realize that it really is a good construct and could be a logical evolution of what is already being done, at least to some degree, for security today.
As a broad overarching concept, Privacy by Design encompasses many elements in practice [i]:
- Recognition that privacy interests and concerns must be addressed proactively;
- Application of core principles expressing universal spheres of privacy protection;
- Early mitigation of privacy concerns when developing information technologies and systems, throughout the entire information life cycle, end to end;
- Need for qualified privacy leadership and/or professional input;
- Adoption and integration of privacy-enhancing technologies (PETs);
- Embedding privacy in a positive-sum (not zero-sum) manner so as to enhance both privacy and system functionality; and
- Respect for users’ privacy.
Relating this back to enterprise systems, I feel that Privacy by Design is really the catalyst for driving change in organizations and in the way that organizations identify, track and own data (more to come). As the discussion goes, people expect privacy and all of the rights and privileges that come along with that expectation. Lucky for us, they are often ill-informed about these principles and don’t yet know how to express them.
The principles of privacy require that we as an organization provide our customers with the mechanisms to review their personal information in all its forms, along with our usage, transmission and any subsequent usage of their data. Further, should any of that information be incorrect, privacy principles indicate that they should be able to revise it. Can you imagine that request in our organization today? Given my experience, the impact would be massive. The ability to identify all sources of data, transmissions and subsequent uses simply does not exist, and without it, neither does the ability to maintain referential integrity in the event of a change. Yikes!
So what do we do about it?
- Consider our privacy commitments, not just from a regulatory point of view (e.g. HIPAA compliance as it relates to electronic PHI) but rather privacy as it relates to all forms of personal information and our ability to meet the commitments as stated in our privacy policy.
- Consider our position on the use of personal information and our commitment to personal privacy. Are we really delivering what people have come to expect? Further, have we used our privacy position to differentiate ourselves in the marketplace, or does our current plan for product development put people’s privacy at risk (e.g. purchasing credit card data to make data-based product offerings)?
- Lastly, consider the need to adopt privacy at an organizational level, enabling it through a strong corporate position that includes a leader and a cadre of qualified support personnel to define requirements and to integrate checkpoints into product and system development that must be met before passing through tollgates.
[i] Privacy by design: http://www.ipc.on.ca/images/Resources/privacybydesign.pdf
