Digital Identity [Part 2] — Privacy by Design
An Introduction
As a continuation of my previous blog on Digital Identity, this article discusses the data protection and privacy principles to consider while developing a national Digital Identity system or any other IT system in your organization.
Since the future of privacy cannot be assured solely by complying with a privacy regulatory framework such as GDPR in the UK or the PDPA (Personal Data Protection Act) in Sri Lanka, privacy must become part of the organizational IT life cycle. Multiple privacy frameworks have been formed and have evolved over the years (see Figure 01).
Privacy by Design (PbD)
Among these, the “Privacy by Design (PbD)” concept was formed as a privacy framework coined by Dr. Ann Cavoukian [1] in the early 90’s.
There is a growing understanding that innovation, creativity, and competitiveness must be approached from a “Design Thinking” perspective. Along the same lines, privacy must be approached the same way and become part of organizational priorities, objectives, design processes, and planning operations. It should be embedded in every standard, protocol and process that touches our lives [1].
The term “Privacy by Design” means nothing more than “data protection through technology design”; it is a topic that has been discussed quite often in data protection circles in the past [3]. It basically emphasizes that data protection and privacy should be considered upfront, before anything else you do.
In PbD, this is achieved through seven (07) foundational principles.
Foundational Principles of PbD
- Proactive not reactive, preventative not remedial — The PbD approach is characterized by proactive rather than reactive measures. In a nutshell, data protection efforts should not be damage control after the fact; they should be proactive in their approach.
- Privacy as default — PbD expects all IT systems to deliver the maximum degree of privacy by ensuring that personal data are automatically protected, “by default”. No action is required on the part of the individual to protect their own privacy.
- Privacy is embedded into design — PbD is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on; it is an essential component of the core functionality being delivered.
- Full functionality, positive-sum not zero-sum — You should not make consumers choose between seemingly contradictory options, such as privacy or security. These two goals have to be complementary, and it is an organization’s duty to make both work. Forwarding this burden of choice to your customers will not get you far.
- End to end security, lifecycle protection — Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion.
- Visibility and transparency — Being transparent about the data privacy efforts in your organization to all the stakeholders is essential in your data privacy journey to build trust.
- Respect for user privacy, keep it user-centric — User privacy can be a complex concept, but it needs to be kept simple for the user.
Privacy Patterns
Multiple Privacy Patterns are being developed by UC Berkeley’s School of Information as a crowdsourced solution for emerging IT solutions [6].
Privacy by Design in a Digital Identity
To adopt the same rigor in a Digital Identity system, certain design choices must be made. The ID4D Practitioner’s guide lists some of the key design choices, as given below.
- Encryption
- Digital Certificates and PKI
- Tokenization
- Platforms for personal access and control
- Tamper-proof logs
- Data center security
- Implementing a cybersecurity program
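As an added illustration (not from the article or the ID4D guide) of two of the design choices listed above, tokenization and tamper-proof logs, the following Python sketch pseudonymises a national ID with a keyed HMAC so that downstream services handle a token rather than the raw identifier (privacy as the default), and records every enrolment and lookup in a hash-chained audit log whose verify() reports the first entry that was altered after the fact. The key, the registry layout and the sample identity numbers are constructed placeholders, not values from any real system.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical key for the demo only; a real ID system keeps this in an HSM/KMS.
TOKEN_KEY = b"demo-only-key-replace-with-hsm-managed-secret"
GENESIS = "0" * 64  # anchor value that the first log entry links to


def tokenize(national_id: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed pseudonymisation: the same ID always maps to the same token,
    but the token cannot be turned back into the ID without the key."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:32]


def _entry_hash(body: dict) -> str:
    """Canonical SHA-256 over an entry's fields (excluding its own hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""
    entries: List[dict] = field(default_factory=list)

    def append(self, actor: str, action: str, subject_token: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "subject": subject_token, "prev": prev}
        body["hash"] = _entry_hash(body)
        self.entries.append(body)
        return body

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index) of
        the first entry whose contents or link to its predecessor was altered.
        Caveat: silently dropping the newest entries is only detectable if the
        latest hash is also published somewhere outside the log."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _entry_hash(fields):
                return False, i
            prev = entry["hash"]
        return True, None


def demo() -> dict:
    """Constructed walk-through: enrol two people, serve a lookup by token,
    then show that an in-place edit to a logged entry is caught."""
    registry: Dict[str, dict] = {}  # keyed by token; raw IDs are never stored here
    log = AuditLog()
    # Constructed sample enrolments (not real identity numbers).
    for nid, name in [("199012345678", "A. Perera"), ("198555512345", "B. Silva")]:
        token = tokenize(nid)
        registry[token] = {"name": name, "token": token}
        log.append("registrar", "enrol", token)
    # A relying party resolves a person via token only (privacy as the default).
    lookup = registry[tokenize("199012345678")]
    log.append("relying-party", "view", lookup["token"])
    verify_before = log.verify()
    # Someone later edits the second entry in place; the chain exposes it.
    log.entries[1]["actor"] = "nobody"
    verify_after = log.verify()
    return {"lookup": lookup, "verify_before": verify_before,
            "verify_after": verify_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The token-to-ID mapping (the "vault") is deliberately absent from the registry: only the enrolment step ever sees the raw number, which is what the "privacy as default" principle asks for. The log detects edits and deletions in the middle of the chain, but not truncation of its tail, so a production deployment would periodically anchor the latest hash in a separate, independently controlled store.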
References
- Cavoukian, A. 2011. “Privacy by Design: The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices.” https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf
- Sri Lanka Data Protection Overview — https://www.dataguidance.com/notes/sri-lanka-data-protection-overview
- GDPR — Privacy By Design — https://gdpr-info.eu/issues/privacy-by-design/
- GDPR Art 25 — Data Protection by Design and by Default — https://gdpr-info.eu/art-25-gdpr/
- https://morethandigital.info/en/7-principles-for-privacy-by-design-boost-your-data-protection-compliance/
- Privacy Patterns — https://privacypatterns.org/patterns/
- Privacy by Design: Current Practices in Estonia, India and Austria — https://id4d.worldbank.org/sites/id4d.worldbank.org/files/PrivacyByDesign_112918web.pdf