The modern world is interconnected and online—as our lives continue to be mediated by digital technologies, concerns about privacy and data protection are only increasing. Data breaches and privacy violations seem to be becoming more frequent, and the need for proactive, robust safeguards is getting more urgent. Enter the privacy-by-design framework, a made-in-Canada concept that calls for privacy to be considered throughout the entire product development process.
Privacy by design calls for engineers and developers to consider privacy and security throughout the development process, not just at the tail-end of after a privacy violation has occurred. It was developed in the 1990s by Dr. Ann Cavoukian, a Distinguished Expert-in-Residence leading the Privacy by Design Centre of Excellence at Ryerson University and former Information and Privacy Commissioner for the Canadian province of Ontario. The framework is based on seven foundational principles:
- Proactive not Reactive; Preventative not Remedial: Anticipate and prevent privacy invasive events before they happen.
- Privacy as the Default Setting: Ensure that personal data are automatically protected.
- Privacy Embedded into Design: Privacy is an essential component of the core functionality being delivered, not an afterthought.
- Full Functionality — Positive-Sum, not Zero-Sum: Avoid the idea that privacy compromises functionality; there is no need to trade-off privacy or security, as it is possible to have both.
- End-to-End Security — Full Lifecycle Protection: Strong security measures are essential to privacy, from start to finish.
- Visibility and Transparency — Keep it Open: Operations should remain visible and transparent, to users and providers alike.
- Respect for User Privacy — Keep it User-Centric: Keep the interests of the individual user at the forefront; offer strong privacy defaults, appropriate notice and empowering user-friendly options.
Since it is a made-in-Canada approach to data protection, it only makes sense that Canadian experts are leading the way toward development of an International Standard on how to do privacy by design the right way. That leadership was on display at the first plenary meeting of the International Organization for Standardization Project Committee 317 (ISO/PC 317), Consumer protection: privacy by design for consumer goods and services, which took place in London, United Kingdom in early November.
- Sylvia Kingsmill is a Partner in the Risk Consulting practice at KPMG Canada and was Head of the Canadian Delegation for the recent ISO/PC 317 meetings.
- Canadian representative Michelle Chibba was appointed Project Leader of the ad hoc group developing the first draft of ISO 31700, which will be the International Standard on privacy by design. As the project leader, Ms. Chibba—who is a former Director of Policy and Special Projects with the Information and Privacy Commissioner of Ontario—will “hold the pen” for the development of ISO 31700.
- Rae Dulmage, the winner of SCC’s 2016 Hugh Krentz Award, was appointed as one of two Co-Convenors of the Privacy by Design Communications Group.
- Jake Knoppers, the President of Canaglobe International Inc., was appointed as the liaison officer from ISO/PC 317 to two major joint technical committees of ISO and the International Electrotechnical Commission (IEC): ISO/IEC JTC 1/SG 5, the study group on Trustworthiness related to information technology, as well as ISO/IEC JTC 1/SC 32 Data management and interchange.
The committee hopes to have a first working draft of the International Standard ready for review by March 11, 2019. To maintain the momentum of this important committee, the Standards Council of Canada (SCC) will host a series of ISO/PC 317 international meetings in Toronto in May 2019.