Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often bolted on as an after-thought or ignored altogether.
Although this approach is not a requirement of the Data Protection Act, it will help organisations comply with their obligations under the legislation.
The ICO encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.
We would like to see more organisations integrating core privacy considerations into existing project management and risk management methodologies and policies.
Benefits of taking a ‘privacy by design’ approach
Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
- Potential problems are identified at an early stage, when addressing them will often be simpler and less costly;
- Increased awareness of privacy and data protection across an organisation;
- Organisations are more likely to meet their legal obligations and less likely to breach the Data Protection Act;
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Privacy Impact Assessments
Privacy Impact Assessments (PIAs) are an integral part of taking a privacy by design approach. Our code of practice explains the principles which form the basis for a PIA.
Privacy impact assessments (PIAs) are a tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.
You can integrate the core principles of the PIA process with your existing project and risk management policies. This will reduce the resources necessary to conduct the assessment and spreads awareness of privacy throughout your organisation.
Conducting privacy impact assessments code of practice
This guide explains what PIAs are and how you can use them in your organisation.
The code contains annexes which can be used as the basis for your PIA. These include questions to guide the process and templates for recording the assessment. You do not have to use these if you would prefer to follow your own process, but the annexes are included here in an editable format.
As part of our work in this area, we commissioned a report into the use of PIAs and the potential for further integration with project and risk management. The report was drafted by Trilateral Research and Consulting. You can access the report and an executive summary.
ICO guidance and other resources
The ICO has a range of guidance and practical advice which can assist organisations when developing new projects.
Anonymisation code of practice (pdf)
Privacy notices code of practice (pdf)
Data sharing code of practice (pdf)
Data science and PIAs
The Government Data Programme has developed a Data Science Ethical Framework to help organisations understand the benefits and risks of using personal data when developing policy. The framework can be a useful tool if you are working on a project involving data science, Big Data or analytics. If you are doing a PIA, the Framework can be used as part of the process to help you describe information flows and identify privacy risks and solutions.
Seven foundational principles of privacy by design
The Information & Privacy Commissioner of Ontario has taken a leading role in developing the privacy by design concept, establishing seven ‘foundational principles of privacy by design’. These principles will be relevant for UK data controllers too.
