Privacy By Design: From Principles to Requirements

The term Privacy by Design can be traced to a collaborative project performed by the Information and Privacy Commission of Ontario, Canada, the Dutch Data Protection Authority and the Netherlands Organization for Applied Scientific Research in 1995. This concept was popularized by Ann Cavoukian, the Assistant Information and Privacy Commissioner of Ontario at the time. Cavoukian proposed a set of Foundational Principles that should govern the construction and operation of IT systems employing privacy data. These Principles were officially endorsed as an essential component of privacy protection at the 2010 Assembly of International Data Protection and Privacy Commissioners.

Cavoukian’s Privacy by Design Principles are a manifesto or call to arms, highlighting the importance of privacy data protection and underscoring the responsibility of commercial firms to safeguard the handling and processing of Personally Identifiable Information (PII). Cavoukian’s Principles have gained traction in global regulatory agencies. They are directly reflected in the European Union’s 2016 General Data Protection Regulation (GDPR), specifically in Article 25 which is entitled Data Protection by Design and Default. They are also selectively referenced in the 2017 ISO 29100 standard dealing with information technology, security techniques and privacy.

Cavoukian’s Principles were formulated in a very different era. The Privacy Act regulating the use of PII data within U.S. government agencies was passed in 1974. It was followed by HIPAA (Health Insurance Portability and Accountability Act) in 1996 and the European Union’s Data Protection Directive (forerunner of GDPR) in The Payment Card Industry Data Security Standard (PCI DSS) was one of the first control frameworks designed to regulate the use of PII within private industry. It did not go into effect until 2006. From a technology perspective, SaaS applications, APIs, cloud service providers and mobile devices were virtually nonexistent in the late 1990s and early 2000s. The quantity and sensitivity of digital PII data employed by commercial firms was far less, and widely publicized data breaches were far less common.
