Tom Young, Computing, Thursday 4 December 2008 at 16:34:00

Information Commissioner Richard Thomas is urging organisations to put privacy protection at the top of their procurement and development criteria

A strategy to encourage businesses and public-sector bodies to build privacy guards into their IT and management systems from scratch was launched last week by the Information Commissioner.

The Privacy By Design scheme aims to discourage organisations from bolting on information security as an afterthought and instead to build it in from the start.

Information Commissioner Richard Thomas, who recently received new powers and a pay rise, said technology must play a key part in privacy protection especially as the amount of personal information being stored by organisations such as banks, retailers and healthcare providers continues to increase rapidly.

“Although we have seen massive change in the capability of organisations to exploit modern technology that uses our information to deliver services, that has not been accompanied by a similar drive to develop new effective technical and procedural privacy safeguards,” he said.

A holistic lifetime approach to privacy will make controls stronger, simpler to implement and harder to bypass, said Thomas.

But there are a number of barriers preventing organisations from implementing privacy-enhancing technologies (PETs) and taking a privacy-by-design approach. There is a lack of awareness of the importance of the issue at an executive level; traditional risk models often ignore the importance of personal information; and increasing use of collaborative technology means more and more data is being shared in an uncontrolled way.

These problems could be solved by committing to PETs, but organisations are wary of using specific products for fear the technology may become out of date – ­ increasing use of service-oriented architecture, Web 2.0 and cloud computing will add to these fears. But further research and regulator-approved standards could help solve these problems, according to the Information Commissioner.

“Successful initiatives should be developed into practical standards, and buyers encouraged to demand better privacy functionality from vendors,” says the report.

There are a number of technologies that can help:

• Privacy management tools enable a person to track their personal data and see who is handling it, and can also advise someone of the privacy consequences of their information being processed by a particular organisation.

• Privacy metadata attaches tags to personal information which provide rules and conditions on how that information can be used.

• Privacy protection tools hide a person’s identity online, allowing them to make purchases, visit web sites, and use public services without having their IP address tracked – ­ thus concealing their location.

Many privacy experts agree that user-centric identity management frameworks may represent the strongest tool yet for protecting personal information.

In this model, users carry all personal information themselves and grant limited access to organisations that must come to the user to access the information they need. In this way firms cannot pass data on to a second organisation – ­ they would have to approach the user independently – ­ and are able to obtain only the exact details they need.

Stuart Room, a partner at law firm Field Fisher Waterhouse, said organisations that do not keep up to speed with technological development could find themselves in trouble. “The law requires you to take account of these things, and some of them are already on the market,” he said.

Watch our video roundtable

For more on the Privacy by Design strategy and the issues surrounding privacy-enhancing technologies, watch Computing’s video roundtable and listen to the views of two experts in the field – assistant information commissioner Jonathan Bamford and privacy lawyer Stuart Room. The video is available at: www.computing.co.uk/tv

Full published article at: http://feeds.computing.co.uk/c/554/f/10982/s/27efd38/l/0L0Scomputing0O0Ccomputing0Canalysis0C22317540Cwatchdog0Ewants0Ecure0Eprivacy0E4378882/story01.htm

This entry was posted on Thursday, December 4th, 2008 at 2:01 pm and is filed under Public Sector. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.