Data Protection and Privacy are fundamental aspects of the lifecycle of a technology solution or service. The Design Authority (DA) will work with Departments to ensure that technical implications of Data Protection and Privacy are integral to any technology solution or service.
Technical designs must proactively consider privacy implications of data subjects and the DA, in conjunction with OCSIA, will ensure that they are an essential part of any technology design and deployment.
To evidence compliance with this Section of the TCOP, technical solutions or services must be able to demonstrate how Privacy by Design has been embedded.
The General Data Protection Regulation (GDPR)
The GDPR requires organisations to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is known as data protection by design and by default. Under the GDPR this concept is now a legal requirement and forms part of the focus on accountability.
The relevant Department, Board or Office is the data controller and is responsible for ensuring compliance with the GDPR. GTS, as a division of the Cabinet Office, or any third party outsourced provider is a data processor for technical solutions and services. It is also the responsibility of the data controller to ensure that the data processor provides sufficient guarantees in providing appropriate technical measures, safeguards, security measures and cyber-resilience based on risks and the sensitivity of the data.
For more information or advice about the GDPR, contact your Departmental Data Protection Officer (DPO) or OCSIA.
It is important to understand that the GDPR is not a technology specific regulation and that it also applies to personal data held in paper files. The collection, processing, storing, security, sharing and deletion of data is the responsibility of the relevant Department, Board or Office. It is essential that projects and programmes engage with the relevant DPO before commencing a project or change programme. The Design Authority is embedding Privacy by Design as best practice.
Privacy by design
All Projects, Programmes and changes must comply with the requirements governing Privacy by Design throughout the lifecycle of a technology solution or service.
The term "Privacy by Design" means embedding privacy into technology design. This requires developing privacy protecting approaches and configurations from initiation – intentionally and with forethought – through to decommissioning.
The seven foundational principles of Privacy by Design are:
-
Proactive not Reactive; Preventative not Remedial – do not wait for privacy risks to materialize, or offer remedies for resolving privacy infractions once they have occurred – aim to prevent them from occurring.
-
Privacy as the Default Setting - deliver the maximum degree of privacy by ensuring that personal data are automatically protected. If a citizen does nothing, their privacy still remains intact – it is built into the system, by default.
-
Embed privacy into design - privacy is an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.
-
Avoid false compromises - ensuring Privacy by Design should add value rather than compromise functionality. In addition to modern applications having flexible and configurable security modules as standard, Projects, Programmes and service owners should work with GTS to assist with smart integration tools and, if required, to support them to make design decisions that follow the principles outlined in the Embedding Privacy by Design section of the TCOP (7.4).
-
Full Lifecycle Protection - strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, resilient and securely destroyed at the end of the process, in a timely fashion.
-
Be transparent with users - assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives. Its component parts and operations remain visible and transparent to users and providers alike.
-
User-Centric Approach - keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
Benefits of using Privacy by Design:
- Ensuring a proactive management of citizen privacy and reduce the risks of data theft.
- Improving transparency with regards to access and use of personal data
- Reducing Project change costs by identifying and preventing potential privacy issues earlier.
- Promoting and highlighting the risks of non-adherence to the GDPR.
- Continuous improvement and learning
- Developing a culture of privacy awareness
For more information about Privacy by Design visit Information Commissioner Website
Embedding Privacy by Design
Embedding Privacy by Design as part of the initial requirements is the most effective way to ensure compliance. The following principles must be considered at the design stage of any projects or programmes and may be appropriate for some solution or service changes.
Data Oriented design requirements
-
Minimise and limit – The amount of personal data collected and processed should be limited to what is lawful and what is strictly necessary. The data shall be deleted when storage is no longer required for the purposes.
-
Hide and protect – Personal data, and their interrelationships, should not be communicated, processed, or stored in plain view. By hiding directly identifiable personal data from plain view, the risk of abuse and the scope of potential incidents is significantly reduced. Examples include pseudonymisation, encryption, and aggregation of personal data.
-
Separate – By separating the processing or storage of several sources of personal data that belong to the same person, the possibility of creating complete profiles of one person is reduced. For example, personal data can, based on their purpose, be stored in separate databases, units, components and areas. Separation is also an effective means to achieve purpose limitation and to avoid linkability between different data sets. A fixed time should be set for automatic deletion in tables containing personal data. This can be done by access control to tables containing personal data, splitting database tables, and distinguishing between components, units and areas with a high level of trust and those with a lower level of trust.
-
Aggregate – In order to safeguard the protection of the data subject's rights, personal data should be collected and processed with as much aggregation as possible. You should avoid detailed personal data as much as possible, within the limitations of what can still have business value, and what is relevant to the purpose of collection and use. Examples include reducing the detail and sensitivity of personal data concerning individuals, and by removing unnecessary or excessive information whenever possible. To illustrate general trends or values, you can combine statistical data about large numbers of people without identifying individuals.
-
Data protection by default – All settings should, by default, be configured to the most privacy-friendly setting. The user should make a conscious choice to change any setting that would result in a less privacy-friendly configuration.
Process orientated design requirements
-
Inform – technology should be designed and configured so that the data subject is sufficiently informed on how the software works and how personal data is processed. When profiling or automated decision-making of personal data are being conducted the data subject should be informed on how it is being done. It is important to remember that special requirements apply if the software is aimed at children or vulnerable people. Explanations must use clear and plain language.
-
Control – For many Government services, the data subject has the right to control their own personal data. This includes a right to access, update, and/or has the right to be forgotten. Where automated decision-making is taking place, or decisions are being made without human intervention, the data subject can demand manual processing. Any technology solution or service should be designed so that the data subject can exercise these rights as easily as possible.
-
Enforce – Technical solutions or services should document how they safeguard the data subject's rights. The documentation should cover accountability and how the data protection regulation is enforced. It should be available for audits and inspections of the processing. This also includes artificial intelligence, profiling, and automated decision-making. Technical measures might include audit logs, access control or encryption.
-
Demonstrate – Technical solutions and services must be designed and developed so that the Data Controller has the ability to document and demonstrate how the requirements of Privacy by Design have been implemented. This may be required by the Information Commissioner, GTS Design Authority, subject access requests, Internal Audit or any other relevant purposes. Examples include documentation demonstrating reports from security audits, vulnerability scanning, security tests such as penetration testing, and reports on exercising data breach management.
In addition to these principles, GDPR regulations stipulate that a Data Protection Impact Assessment (DPIA) is completed for the lifecycle of a technical solution or service as part of the Project or change documentation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons. For more information or advice about the DPIA, contact your Departmental DPO.
