Bake privacy in products, services from the start: Cavoukian

Ontario privacy commissioner Ann Cavoukian is calling on technology-oriented organizations to make privacy a core functionality in the products and services they develop, instead of bolting it on after the fact in a band aid approach to protecting the end user.

That way, said Cavoukian, “it gets baked into your design architecture, it becomes part of your code.”

She issued the challenge to businesses along with the release of her annual report, entitled 2010 IPC Annual Report: Be Proactive. Avoid the Harm, that highlights the problems with taking a reactive approach to privacy and information access.

The privacy commissioner has been pushing into the public spotlight the concepts of Privacy by Design and Access by Design in an effort to make privacy and information access a natural and expected component of processes and technologies.

Traditionally, she said, there’s been what she calls a “zero-sum model” where privacy capabilities get the short end of the stick relative to business functionality, security or marketing.

“It has always been one or the other … We’re saying, ‘Reject that. Get rid of it,’” said Cavoukian.

Her message resounds well with Hydro One Networks Inc. The Markham, Ont.-based utilities provider has designed privacy into its smart grid and smart metre initiatives that help customers conserve energy.

Rick Stevens, vice-president of asset management at Hydro One said, practically, what privacy by design means for the organization is that such “non-functional” requirements still undergo the same due diligence at the initial planning stage.

“When we look at new uses of customer information, we spend time up front understanding the requirements for the information and looking at how we design systems upfront to ensure that customer privacy is maintained,” said Stevens.

While Stevens acknowledges that, in some organizations, privacy can get sidelined when “trade offs” are made, he believes that systems should nonetheless be built to be future-proof.

Another Canadian organization, The Ontario Lottery and Gaming Corp., based in Toronto, installed privacy-protective facial-recognition technology to identify members of the Voluntary Self-Exclusion program who want to be banned from entering gambling institutions, such as casinos. If no match is made with those in the database, then the facial image is automatically deleted.

Cavoukian wants organizations to share their privacy and information access initiatives so that, in turn, those best practices can be relayed to others. Already, Hydro One’s experience with its Smart Grid initiative is being applied in the U.S. with San Diego Gas & Electric, a utilities provider interested in baking privacy into its dynamic pricing program.

The message isn’t being confined to North America. This summer, the privacy commissioner’s office will release a whitepaper on how a utilities provider in Berlin, Germany, is embedding privacy and information access in its organization.

“We’re trying to get an EU presence, a U.S. presence, and we already have a Canadian presence,” said Cavoukian.

Follow Kathleen Lau on Twitter: @KathleenLau

Related Download
Next-generation IPS and firewall Sponsor: HP
Next-generation IPS and firewall
Next-generation enterprise firewalls (NGFW) include intrusion prevention system (IPS) technology that enables them to spot and block cyber attacks. But they do not replace IPS solutions—you need both. This HP business white paper shows how NGFW and next-generation IPS (NGIPS) are complementary security solutions that work together to secure your network.
Register Now