
Privacy by design: It’s soccer, not golf

The creator of privacy by design (PBD) is none other than fellow Canadian Dr Ann Cavoukian, the past information and privacy commissioner of Ontario. 

Shameless and (very) weak claims to reflected glory aside, Cavoukian is universally recognised for her groundbreaking work in privacy and data security, but she’s less well-known for having invented a whole new team sport from the dying ashes of a more solitary one.

Back in the mists of time – i.e. the 1980s – privacy was mainly an individual (lawyer’s) game. Like golf. And the focus was on quasi-legal matters – policies, privacy notices and obtaining consent to handle individuals’ personal information (PI). 

With the dawn of the computer age, the explosion of the internet, Big Data and global corporations trading in personal data, organisations began to realise that lawyers were only one part of the equation. 

That point became abundantly clear in 2022 following the Optus, Medibank and a host of other highly publicised data breaches. Previously unknown players suddenly entered the public consciousness: forensic IT experts, cybersecurity specialists, data practitioners, network architects, risk analysts – and the list goes on. Of course, those privacy players were always there, working diligently in the background as a team, along with the lawyers.

Cavoukian became famous for recognising that fact – that privacy isn’t a solitary game, like golf. Rather, it’s a team sport, like soccer.

Sporting analogies aside, one of Cavoukian’s core contributions was to articulate simple, but ingenious principles that can help organisations manage their PI and privacy risks. There are seven key PBD principles and you can hear Cavoukian explain them in her own words in this interview from Cybersecurity Tribe.

In particular, Cavoukian advocated for privacy issues to be incorporated, by design, at the ‘front end’ of any new project, service offering or processes involving PI. Rather than fixing privacy issues after the fact (i.e. after a data breach), Cavoukian’s mantra was simple – be proactive, not reactive. Take preventative, not remedial measures. 

In other words, organisations need to build teams of experts to design technical and business processes that will (hopefully) stop data breaches before they occur. Simple, right?

While PBD principles may seem obvious, their practical implementation can be a very different kettle of fish. That was made clear by a friend who related a story about a past employer. That friend spoke about their IT group (literally) begging their executives for a very small bump-up in resources that would help to solve a serious IT risk. Those pleas fell on deaf ears for 12-18-24 months. 

No surprise, IT staff began to leave the organisation. And those who stayed were incredibly stressed.

When discussing increasingly serious IT risks, the friend mentioned that the issues were on their legal team’s radar, as well as being on the organisation’s enterprise risk register. Of course, no one had told IT any of that. And the IT crew hadn’t sat down with legal for years. 

Frustrated, the friend mentioned the problem to another business unit and learned about money set aside for a problem that was similar to the risks faced by IT and legal. The penny dropped – and the IT team got its funding, along with a share for legal. Why? Because my friend had followed the bouncing (data, IT and legal) ball across the organisation.

While that may sound like a fairytale, it actually happened – albeit with some changes to disguise identities. 

Regardless of the specifics, this story raises a series of questions for Commonwealth agencies, the first of which is: do we know what our colleagues are focused on? And a follow-up question: are there areas in my own organisation that are experiencing similar issues? Could we join forces? 

Are there cross-departmental or all-of-Commonwealth initiatives that might help different business units in my own agency, or in sister-and-brother organisations? Do we have a privacy committee – and who’s on it? Are the lawyers talking to IT, or are they talking past each other? 

Is our privacy risk framework effective? And are the risk mitigation strategies really working to address our actual risks – or are those risks borrowed from another organisation and an earlier era? Are we working together to develop simple, but effective ‘smart’ IT solutions that won’t cost the earth?

Another question comes to mind: are PBD principles important? Simple answer – yes. 

The Office of the Australian Information Commissioner (OAIC) has consistently advocated for organisations to adopt PBD principles. In fact, it’s action item #1 in the OAIC’s Privacy Management Plan Template. Those same principles are a consistent theme animating the government’s Response to the Privacy Act Review, along with a focus on developing baseline technical and business solutions that will “bake in” PBD practices. 

And that raises another key question. When the privacy reforms land in calendar 2024, will Commonwealth agencies and other organisations be ready and capable of embedding PBD principles into their BAU activities? 

To my mind, that requires a high level of openness, along with a willingness to challenge operating protocols in a respectful but pointed manner. That’s in line with Cavoukian’s PBD Principle #6 (Visibility and Transparency – Keep it Open). 

Of course, being open is easier said than done. And it’s a lot easier to dismiss the lawyers speaking incomprehensible legalese, while the IT crew talks in binary code. 

Duolingo aside, there’s no readily available translation software. But asking questions and working with your colleagues is probably the best way to excel at Cavoukian’s favourite team sport.
