The following is an excerpt from Commissioner Cavoukian’s keynote presentation at the IAPP Canada Privacy Symposium on May 5, 2011.
Privacy by Disaster is what you get when you don’t do Privacy by Design – when you don’t build privacy into technologies, business processes, and infrastructures proactively, right from the beginning!
The Apple iPhone/iPad controversy has put mobile location privacy in the spotlight. The Sony PlayStation breach is another case in point.
I would argue that it really boils down to control – personal control over one’s data flows. What’s missing here? I’ll tell you: it’s the proper application of Fair Information Practices that form the core of our Privacy by Design principles, namely:
1. Consent: Have the users provided their free and specific consent for the collection, use and disclosure of this personal information? Make the system user-centric.
2. Openness and Transparency: Give users clear, effective notification of the information being collected – it is no good burying these details deep inside a web site or a lengthy terms and conditions document.
3. Purpose specification: Clearly specify the purposes for which personal information is collected, used, retained and disclosed.
4. Use limitation: Always limit the use of personal information to the relevant purposes identified to users.
5. Data Minimization: Limit the amount of data you collect and retain – and anonymize the data so it can not be linked back to personal identifiers.
Failure to apply these universal principles damages business reputations, product brands and services and, of course, individual privacy. Classic lose-lose scenario.
It doesn’t have to be this way. Privacy by Disaster can be prevented altogether.
When Privacy by Design principles are applied early, robustly, systematically and across the business ecosystem, they can prevent disasters from occurring in the first place, helping to preserve confidence and restoring trust.
I encourage you to check out a number of PbD panels and workshops at the IAPP Symposium, including the panel on PbD and Mobile Computing led by Assistant Privacy Commissioner Ken Anderson.
You can also pick up a copy of our recently published Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers, and Users.
Hopefully the Apple and Sony controversies will serve as a loud wake-up call – for companies to embrace Privacy by Design, address privacy proactively and put control squarely in the hands of the users, where it belongs.