From Jan 15 2022, vehicles using highways may use radio frequency identification stickers, known as RFID tags, for toll transactions, but concerns are being raised about whether appropriate technical and organisational measures have been implemented effectively to safeguard individual rights.
The Personal Data Protection Act (PDPA) requires you to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights.
This is ‘data protection by design and by default’. In essence, this means Touch ‘n Go have to integrate or ‘bake in’ data protection into their processing activities and business practices, from the design stage right through the lifecycle.
This concept, previously known as ‘privacy by design’, has always been part of data protection law. The key change is that the Personal Data Protection Commissioner should now make it a legal requirement.
Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the PDPA’s fundamental principles and requirements, and forms part of the focus on accountability.
☐ We consider data protection issues as part of the design and implementation of systems, services, products, and business practices.
☐ We make data protection an essential component of the core functionality of processing systems and services.
☐ We anticipate risks and privacy-invasive events before they occur and take steps to prevent harm to individuals.
☐ We only process the personal data that we need for our purpose(s), and we only use the data for those purposes.
☐ We ensure that personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy.
☐ We provide the identity and contact information of those responsible for data protection both within our organisation and to individuals.
☐ We adopt a ‘plain language’ policy for any public documents so that individuals easily understand what we are doing with their personal data.
☐ We provide individuals with tools so they can determine how we are using their personal data, and whether our policies are being properly enforced.
☐ We offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
☐ We only use data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design.
☐ When we use other systems, services or products in our processing activities, we make sure that we only use those whose designers and manufacturers take data protection issues into account.
☐ We use privacy-enhancing technologies (PETs) to assist us in complying with our data protection by design obligations.
What is data protection by design?
Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.
As expressed by the PDPA, it requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles effectively; and
- integrate safeguards into your processing so that you meet the PDPA’s requirements and protect individual rights.
In essence this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices.
Data protection by design has broad application. Examples include:
- Developing new IT systems, services, products and processes that involve processing personal data;
- Developing organisational policies, processes, business practices and/or strategies that have privacy implications;
- Physical design;
- Embarking on data sharing initiatives; or
- Using personal data for new purposes.
The underlying concepts of data protection by design are not new. Under the name ‘privacy by design’ they have existed for many years.
What is data protection by default?
Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.
You have to process some personal data to achieve your purpose(s). Data protection by default means you need to specify this data before the processing starts, appropriately inform individuals and only process the data you need for your purpose.
It does not require you to adopt a ‘default to off’ solution. What you need to do depends on the circumstances of your processing and the risks posed to individuals.
Nevertheless, you must consider things like:
- adopting a ‘privacy-first’ approach with any default settings of systems and applications;
- ensuring you do not provide an illusory choice to individuals relating to the data you will process;
- not processing additional data unless the individual decides you can;
- ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- providing individuals with sufficient controls and options to exercise their rights.
Who is responsible for complying with data protection by design and by default?
The PDPA specifies that, as the controller, you have responsibility for complying with data protection by design and by default. Depending on your circumstances, you may have different requirements for different areas within your organisation. For example:
- Your senior management, e.g. developing a culture of ‘privacy awareness’ and ensuring you develop policies and procedures with data protection in mind;
- Your software engineers, system architects and application developers, e.g. those who design systems, products and services should take account of data protection requirements and assist you in complying with your obligations; and
- Your business practices, e.g. you should ensure that you embed data protection by design in all your internal processes and procedures.
This may not apply to all organisations, of course. However, data protection by design is about adopting an organisation-wide approach to data protection, and ‘baking in’ privacy considerations into any processing activity you undertake. It does not apply only to organisations that have their own software developers and systems architects.
What are we required to do?
You must put in place appropriate technical and organisational measures designed to implement the data protection principles effectively and safeguard individual rights.
There is no ‘one size fits all’ method to do this, and no one set of measures that you should put in place. It depends on your circumstances.
The key is that you consider data protection issues from the start of any processing activity and adopt appropriate policies and measures that meet the requirements of data protection by design and by default.
Some examples of how you can do this include:
- Minimising the processing of personal data;
- Pseudonymising personal data as soon as possible;
- Ensuring transparency in respect of the functions and processing of personal data;
- Enabling individuals to monitor the processing; and
- Creating (and improving) security features.
This is not an exhaustive list. Complying with data protection by design and by default may require you to do much more than the above.
However, we cannot provide a complete guide to all aspects of data protection by design and by default in all circumstances. This guidance identifies the main points for you to consider. Depending on the processing you are doing, you may need to obtain specialist advice that goes beyond the scope of this guidance.
When should we do this?
Data protection by design starts at the initial phase of any system, service, product, or process. You should begin by considering your intended processing activities, the risks that these may pose to individuals, and the possible measures available to ensure that you comply with the data protection principles and protect individual rights. These considerations must cover:
- The state of the art and costs of implementation of any measures;
- The nature, scope, context and purposes of your processing; and
- The risks that your processing poses to the rights and freedoms of individuals.
This is like the information risk assessment you should do when considering your security measures.
These considerations lead into the second step, where you put in place actual technical and organisational measures to implement the data protection principles and integrate safeguards into your processing.
This is why there is no single solution or process that applies to every organisation or every processing activity, although there are a number of commonalities that may apply to your specific circumstances as described below.
The PDPA requires you to take these actions:
- ‘at the time of the determination of the means of the processing’ – in other words, when you are at the design phase of any processing activity; and
- ‘at the time of the processing itself’ – ie during the lifecycle of your processing activity.
What are the underlying concepts of data protection by design and by default?
The underlying concepts are essentially expressed in the seven ‘foundational principles’ of privacy by design, as developed by the Information and Privacy Commissioner of Ontario.
Although privacy by design is not necessarily equivalent to data protection by design, these foundational principles can nevertheless underpin any approach you take.
‘Proactive not reactive; preventative not remedial’
You should take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the fact. This doesn’t just apply in the context of systems design – it involves developing a culture of ‘privacy awareness’ across your organisation.
‘Privacy as the default setting’
You should design any system, service, product, and/or business practice to protect personal data automatically. With privacy built into the system, the individual does not have to take any steps to protect their data – their privacy remains intact without them having to do anything.
‘Privacy embedded into design’
Embed data protection into the design of any systems, services, products and business practices. You should ensure data protection forms part of the core functions of any system or service – essentially, it becomes integral to these systems and services.
‘Full functionality – positive sum, not zero sum’
Also referred to as ‘win-win’, this principle is essentially about avoiding trade-offs, such as the belief that in any system or service it is only possible to have privacy or security, not privacy and security. Instead, you should look to incorporate all legitimate objectives whilst ensuring you comply with your obligations.
‘End-to-end security – full lifecycle protection’
Put in place strong security measures from the beginning, and extend this security throughout the ‘data lifecycle’ – ie process the data securely and then destroy it securely when you no longer need it.
‘Visibility and transparency – keep it open’
Ensure that whatever business practice or technology you use operates according to its premises and objectives and is independently verifiable. It is also about ensuring visibility and transparency to individuals, such as making sure they know what data you process and for what purpose(s) you process it.
‘Respect for user privacy – keep it user-centric’
Keep the interest of individuals paramount in the design and implementation of any system or service, eg by offering strong privacy defaults, providing individuals with controls, and ensuring appropriate notice is given.
How do we do this in practice?
One means of putting these concepts into practice is to develop a set of practical, actionable guidelines that you can use in your organisation, framed by your assessment of the risks posed and the measures available to you. You could base these upon the seven foundational principles.
However, how you go about doing this depends on your circumstances – who you are, what you are doing, the resources you have available, and the nature of the data you process. You may not need to have a set of documents and organisational controls in place, although in some situations you will be required to have certain documents available concerning your processing.
The key is to take an organisational approach that achieves certain outcomes, such as ensuring that:
- You consider data protection issues as part of the design and implementation of systems, services, products and business practices;
- You make data protection an essential component of the core functionality of your processing systems and services;
- You only process the personal data that you need in relation to your purpose(s), and you only use the data for those purposes;
- Personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy;
- The identity and contact information of those responsible for data protection are available both within your organisation and to individuals;
- You adopt a ‘plain language’ policy for any public documents so that individuals easily understand what you are doing with their personal data;
- You provide individuals with tools so they can determine how you are using their personal data, and whether you are properly enforcing your policies; and
- You offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
Many of these relate to other obligations in the PDPA, such as transparency requirements, documentation, Data Protection Officers and DPIAs. This shows the broad nature of data protection by design and how it applies to all aspects of your processing. Our guidance on these topics will help you when you consider the measures you need to put in place for data protection by design and by default.
The Norwegian data protection authority (Datatilsynet) has produced guidance on how software developers can implement data protection by design and by default.