Your security and digital privacy when using new technologies are fundamental and must never be treated as optional.
Privacy by Design comes before-the-fact, not after.
This implies:
* A clear commitment, at the highest levels, to set and enforce high standards of privacy – generally
higher than the standards set out by global laws and regulation.
* A privacy commitment that is demonstrably shared throughout by user communities and stakeholders,
in a culture of continuous improvement.
* Established methods to recognize poor privacy designs, anticipate poor privacy practices and
outcomes, and correct any negative impacts, well before they occur in proactive, systematic, and
innovative ways.
Privacy by Default means: Do not collect private data. Period. Just don't do it.
If this simple rule is not workable, keep use to a minimum:
* Purpose Specification – the purposes for which personal information is collected, used, retained and
disclosed shall be communicated to the individual (data subject) at or before the time the information
is collected. Specified purposes should be clear, limited and relevant to the circumstances.
* Collection Limitation – the collection of personal information must be fair, lawful and limited to that
which is necessary for the specified purposes.
* Data Minimization – the collection of personally identifiable information should be kept to a strict
minimum. The design of programs, information and communications technologies, and systems
should begin with non-identifiable interactions and transactions, as the default. Wherever possible,
identifiability, observability, and linkability of personal information should be minimized.
* Use, Retention, and Disclosure Limitation – the use, retention, and disclosure of personal
information shall be limited to the relevant purposes identified to the individual, for which he or she
has consented, except where otherwise required by law. Personal information shall be retained only as
long as necessary to fulfill the stated purposes, and then securely destroyed.
Strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion.
Without strong security, there can be no privacy.
* Security – Entities must assume responsibility for the security of personal information (generally
commensurate with the degree of sensitivity) throughout its entire lifecycle, consistent with standards
that have been developed by recognized standards development bodies.
* Applied security standards must assure the confidentiality, integrity and availability of personal data
throughout its lifecycle, including methods of secure destruction, appropriate encryption,
and strong access control and logging methods.
Visibility and transparency are essential to establishing accountability and trust.
* Accountability – The collection of personal information entails a duty of care for its protection.
Responsibility for all privacy-related policies and procedures shall be documented and communicated
as appropriate, and assigned to a specified individual. When transferring personal information to third
parties, equivalent privacy protection through contractual or other means shall be secured.
* Openness – Openness and transparency are key to accountability. Information about the policies and
practices relating to the management of personal information shall be made readily available at no additional cost to individuals.
* Compliance – Complaint and redress mechanisms should be established, and information
communicated about them to individuals, including how to access the next level of appeal. Necessary
steps to monitor, evaluate, and verify compliance with privacy policies and procedures should be
taken.