Introduction

After a brief introduction about privacy legislation, a number of privacy issues will be discussed. This discussion will explore organizational positioning and privacy awareness, as well as social and IT developments that affect both the perception of privacy and compliance with privacy requirements. The similarities and differences between privacy and security will be briefly considered. Next, a description will follow of the ways in which organizations have dealt with privacy issues since the introduction of legislation in this area, an overview that will be supported by recent KPMG research. This essentially involves a gradual but discernible development towards greater use of IT, culminating in the deployment of privacy-enhancing technologies. Finally, the main financial and implementation factors will be considered.

Development of privacy legislation

Privacy protection and privacy invasions have been around forever. Legislation existed to govern certain areas of privacy even in the Middle Ages, but the protection of privacy only really picked up steam after the second world war (for related and apparent reasons). The 1948 Universal Declaration of Human Rights states that territorial and communications privacy are considered fundamental rights.

The introduction and proliferation of IT in public and private organizations, and the privacy implications of its use and misuse, have provided a major impetus for further privacy legislation. The introduction of a privacy law in the German State of Hesse (1970) was followed by national laws in Sweden (1973), the United States (1974, applying exclusively to government), Germany (1977) and France (1978). This provided the basis for the OECD’s[OECD: Organization for Economic Cooperation and Development.] Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (1980) and the Council of Europe’s Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (1981).

The Council of Europe convention has been adopted by more than twenty countries, while the OECD Guidelines have also been incorporated in various national laws. As is generally well known, the European Union has been giving privacy great priority since the early nineties, culminating in the Data Protection Directive[European Directive EC95/46, also known as the European Data Protection Directive.] of 1995. This Privacy Directive came into force in various EU member states between 1995 and 2002, hence later than the deadline of October 1998 in most cases. Further background about the development of privacy laws is provided in [Koor01] and [EPIC06]. The rest of this article will focus solely on privacy of information and communications; physical and territorial privacy falls outside its scope.

Data protection requirements and responsibility

Assignment of responsibility for privacy within organizations can vary considerably. Usually, the task falls to a lawyer in the Legal Department, but it may also be assigned to the Security Officer, Risk Manager, or sometimes even a marketing expert or IT auditor who takes care of privacy “on the side.” In more mature organizations, privacy is often handled by a Privacy or Compliance Officer or department (when customer data is involved) or the HR department (when employee data is involved). Such organizations are also attentive to privacy governance.

The Privacy Officer role, once a part-time position, has in recent years undergone extensive professionalization in response to the full-time concern for privacy management.

In organizations where privacy is properly entrenched, privacy governance affects how these issues are handled. Practices may vary from a strong legalistic approach with stringent regulations and procedures to a balanced approach with emphasis on both organizational and IT measures. At the same time, communication between lawyers, process/system/data owners, project managers, IT professionals, marketeers and users remains a major obstacle to the proper design, implementation and enforcement of privacy protection. These individuals use different terminology and do not always appreciate each other’s point of view. Based on our experience, we dare to say that fewer than 10% of complex organizations operate in full compliance with privacy legislation.

Awareness

Increased privacy awareness usually correlates with legislative surges. Although there is limited research on the awareness of and compliance with privacy requirements, surveys have nevertheless revealed that the level of awareness also vacillates. Surrounding the introduction of privacy legislation in the eighties and early nineties, privacy issues were not only receiving attention from governments but from the business community as well. Under the pressure of these new laws, most large organizations developed privacy policies and sector regulations, in most case subsequently implementing only a part of them. Other major incentives arose that were not directly connected with new legislation but were instead due to external factors and IT developments.

• Use of the internet for personal data exchange: Sites requiring on-line accumulation of personal and credit card data were initially met with skepticism from users due to uncertainty about the consequences for privacy and security. As the popularity of social networks like Facebook, Friendster, MySpace, etc. has increased exponentially, they are eagerly being used to provide and disseminate a great deal of personal data. In response, privacy and security statements have been posted on some websites and self-regulating programs have been used to instill trust in others (TRUSTe, WebTrust, Europrise, etc.).
• Outsourcing and offshoring: The transfer of business processes and IT systems to third parties that may be located abroad and often outside the EU (e.g. Asian countries) is a trend that has increased privacy awareness. In practice, the privacy protection of these service providers is sometimes even more rigorously scrutinized than the privacy practices within the outsourcing organization. The result is the formulation of processor agreements and the inclusion of security and privacy clauses in contracts and service level agreements (SLAs).
• Global information systems, data center consolidation and shared service centers: Multinationals are increasingly being involved in global exchanges of personal data. Especially in situations where the central HR or CRM system is situated outside the EU (e.g. in the US), employees, works councils, and data protection authorities require additional privacy safeguards, such as (model) contracts and explicit consent.
• New technology: Various technical developments make it possible for personal data to be exchanged more intensively through still more channels, thus increasing privacy risks. Examples include cloud computing ([KPMG10a]), electronic patient records, RFID, smart cards for various applications (e.g. public transport), biometrics, telemedicine, DNA databases, online profiling ([KPMG10b]), smart energy meters, etc.
• Audits by data protection authorities: Privacy regulators have been conducting privacy audits in various sectors since the mid nineties, partly on their own initiative and partly in response to complaints. Fines have also been issued, but penalties in the EU still remain relatively modest, even if considerable sums are now being assessed in Spain and, since mid 2010, in the UK (up to £500,000). This enforcement activity has had a strong role in promoting awareness in such organizations as health-care institutions, police, commercial information agencies, financial institutions, municipal administrations, etc. Supervisory authorities in other sectors (e.g. finance and medicine) are showing increasing interest in including privacy in their inspections and reviews.
• Fraud and abuse of social service: Completely different concerns are raised by the legally expanded use made of public service databases to combat fraud. The parties involved only began to appreciate the privacy issues involved when such practices actually began to occur. In some instances, extensive database matching is being used to create an indiscriminate “digital dragnet” to catch illegal activity.
• Threat of terrorism: The terrorist threat has resulted in police and intelligence agencies acquiring increased powers that potentially compromise the privacy of suspects. Unfortunately, innocent civilians are also being affected, as demonstrated when the CIA obtained access to all the payment transactions routed through the SWIFT inter-banking network. To some extent, this access to sensitive personal data may be acceptable as it serves a higher purpose. At the same time, there is the danger that it creates a “Big Brother”-like situation. Insofar as direct conflict arises on this subject, politics and views about national security prevail over any individual privacy concerns.
• Media attention to privacy incidents (see Box 1 for some examples): The unlawful collection and misuse of personal data, otherwise known as identity theft, has become one of the biggest causes of fraud in the US, victimizing several hundred thousand Americans and involving losses in the billions of dollars annually.

Evolution in approaches to privacy

After the introduction of privacy legislation, the approach to privacy issues initially focused on policy, procedural and legal factors and the adoption of traditional security measures. This consisted of the following generic steps:

• Appointment of a privacy officer for the entire organization or for each domain (HR and customer information)
• Development of a privacy policy or sometimes a privacy manual
• Inventory of personal data processing (mostly this was narrowed down to listing the personal data stored on central systems, followed by subsequent high-level clarification of the objectives and processes of these systems)
• After the enactment of privacy legislation, reporting of these systems to the appropriate data protection authorities
• Formulation and implementation of guidelines and procedures for personal data disclosure and correction, etc. (e.g. “scripts” for use in all channels of customer interaction, such as the internet, call center or reception desk)
• Inclusion of security provisions in contracts and SLAs with business partners and service providers
• Implementation of traditional security measures such as logical access and the construction of “Fort Knox walls” to protect personal data.

There are under-appreciated issues with promoting privacy awareness and with the ongoing organizational and technical challenges of implementing a privacy policy – including issues in development projects for new services and/or systems. The use of privacy procedures has gradually expanded, and it has become necessary to introduce technical measures to enforce better compliance with privacy policies. As part of this technical implementation, organizations undergoing such a transition are adding enhanced authentication procedures (based on ownership attributes), differential screening with authorization profiles, programmed inspections and integrity testing with fictitious information. Personal data sent over public networks is also increasingly being encrypted.

Current status of privacy measures

Do we now have it all together? No, since a number of privacy principles are still not organizationally or technically guaranteed. They involve issues such as:

• Execution of a Privacy Impact Assessment to indicate the effects that new services, partnerships and systems have on privacy, as well as the privacy risks that should be mitigated or reduced
• Improving the quality of personal data (partly due to data duplication and poor design of master data management)
• Integration of privacy safeguards into the information and IT architectures
• Avoidance of excessive collection or combination of data due to such factors as increased computerization and interlinking of information systems throughout organizations
• Incorporation of strict privacy clauses in IT outsourcing contracts
• Secure communication with various types of third parties (e.g. e-mails with attachments containing personal data)
• Constant testing with anonymous personal data without loss of representativeness
• Flexibility to cope with situations, such as some active online internet users (“digital natives”) wishing to share more personal information than the rather ossified privacy legislation allows, as others paradoxically desire more (online) privacy protection while offering personal data to companies in exchange for economic benefits ([KPMG10c])
• Assigning access to data groups and individual fields containing sensitive personal data based on business roles or even on a dynamic need-to-know basis
• Logging which employees have accessed which personal data (especially of colleagues and celebrities)
• Processing of sensitive personal data either anonymously or by using pseudonyms
• Maintaining retention schedules and ensuring secure deletion and shredding of personal data (i.e. for eDiscovery)
• Requiring approval and records where data is provided to third parties, domestically or abroad (i.e. outside EU).

Previous findings and the results of our privacy survey (see Box 4) show that there is still a great deal to be done. This section will provide further detail on a number of measures, along with a set of ingredients for an improvement plan.

In this respect, it is important to tailor all activities to the specific organization. A limited application of measures guaranteeing privacy is not necessarily bad. The measures taken must be based on a deliberate consideration of costs and benefits (economically and socially). Of course, laws and regulations should always be considered. Having insufficient measures to ensure compliance with legislation is punishable by law. It is also important to realize that managing privacy risks, like all risk management processes, is a continuous and cyclical process.

An effective risk management program for privacy should provide a mechanism by which an organization can manage privacy risks in a manner consistent with its business goals and needs, legal obligations and expectations from the market. An effective approach starts with recognizing that privacy is not only a technical issue but also a strategic PR and HR issue, involving personal data in hard-copy format (e.g. HR files, print-outs, audio recordings, video tapes or even biometric data).

A program of privacy risk management requires combined expertise from a variety of departments and specialists (such as Legal, IT, Line Management, Security, Compliance, Marketing/Sales and Audit), and also requires professionals with experience in information risk management, business processes and privacy legislation.

It seems that external pressure in the form of stricter enforcement, higher fines and/or a publicized incident involving a privacy breach (e.g. large-scale identity theft) is necessary in order to place privacy on the management agenda. Pressures like these are the reasons why privacy issues have already been addressed in countries like the UK, Germany and the US. When will other countries experience similar urgency? That’s what it seems to take before the public will support a powerful privacy program.

Need for privacy-enhancing technologies

In answer to most of the above issues, technical measures can be applied to limit dependence on organizational procedures and privacy awareness, while ensuring consistency. The term “privacy-enhancing technologies” (PET) is used to identify all the IT resources that can be used to protect personal data. The section entitled “Forms of PET” provides further detail about the possible PET measures that can be applied.

The application and development of “Privacy by Design” and PET is a recognizable trend. As indicated above, the technique was initially used mainly to protect previously collected personal data. Nowadays PET is also being used by a limited number of organizations to implement technical measures close to the data source and to keep the quantity of identifying data to an absolute minimum. Wherever it is not necessary, identity is not established or is disconnected from other personal information. An important essential step involves organizations becoming critically selective of the personal details that they require to provide their services. Often, more data is accumulated out of mere habit and kept much longer than is necessary or allowed. This excess data must be managed and protected, while having no use and being therefore merely a source of costs and risks. The easiest way to avoid either is to limit data collection and processing to only what is strictly required for the business purposes for which the processing is taking place. No more and no less. An important issue in this respect concerns determining if the processing of personal data ([PKIO02]):

• is necessary (“identity rich”)
• is necessary to a limited extent (“identity poor”), or
• is avoidable or maintains anonymity (“identity free”).

Types of privacy technologies

Well-known and widely used elementary forms of PET are logical access security and encryption. Within logical access security, it is especially important to properly manage uniquely identifying personal information and corresponding authorization data. An important type of PET involves the segregation of data into multiple domains. One domain contains the identifying data, the other the remaining personal information. Financial, legal or medical data may be recorded in one or more domains – separate from the domain with the identity data. The data in each domain is not privacy-sensitive because it is not traceable to an individual. In this type of PET, identity-protection software ensures that only authorized system users can access or interlink the various data domains. A variant of data segregation involves a system function verifying the details that are stored in the database, without releasing these details. The function only responds to a query by answering yes/no or indicating a specific category. Figure 2 is a simplified graphic representation of the segregation of data into multiple domains.

Figure 2: Segregation of data into multiple domains with identity-protection software

Further integration of data and software is produced by a type of PET in which data can be accessed by means of specific software – the so-called privacy management system. In it, the translation of regulatory policy requirements is automated. For each data element and each system function, there is an immediate check verifying whether an activity is in accordance with the policy regulations. The ultimate type of PET involves anonymizing personal data. It includes software that does not collect the identifying personal data at all, or deletes IDs when the data is no longer required – preferably immediately after collection and initial processing. Ideally, this data does not even have to be saved. Anonymization is the strongest form of personal privacy protection, which by default meets all legal requirements. Anonymization is not always applicable in situations requiring personal data, which are better served by using one of the previously mentioned forms of PET.

Figure 3 shows a PET “stairs” diagram in which the effectiveness of the protection of personal data is governed by the applied PET type. The PET stairs do not represent a growth model and need not proceed to the “overflow point.” When an organization has implemented general PET measures, this does not mean that the organization must grow into “higher” levels of PET. The suitability of various types of PET is mainly dependent on the type and complexity of the information system, the desired ambition level and the sensitivity of personal data.

Figure 3: PET stairs

Broadly speaking, general PET measures are currently the most commonly applied, followed by separation of data and anonymization. The implementation of privacy management is in its infancy and is limited in scale.

PET costs

Is PET too expensive for your organization? No, there are several possible types of PET, ranging in cost. It is important to determine whether the costs associated with the solution are in proportion to the risks. Simple but powerful PET measures may bring about substantial improvement in data protection at little cost. To investigate whether a positive business case exists in your organization for the application of PET, three key questions must be answered. They are:

1. Will PET provide a significant contribution to the objectives of the organization?
2. What qualitative and quantitative benefits will PET provide in the organization?
3. What one-time and ongoing costs are required by PET?

The costs of PET can be significantly limited by taking account of privacy issues during the design stage. The quantitative and qualitative benefits of PET for the organization, society and the registered public or customers are substantial. The costs of including PET in the designs of most projects amount, on average, to only a few percent of the total budget and are therefore rapidly recovered. This relatively modest expense distinguishes them from other privacy measures that need to be incorporated into information systems after the design or development phase has been completed.

Cost levels are also affected by whether or not PET is being implemented in existing or newly developed systems. When PET is applied to existing systems, the costs are obviously higher than the costs involving new systems. The reason is that most of the costs of PET are one-off, and the one-time activities are part of the entire system development process. When PET-specific activities are retrofitted to existing systems, the latter must be adapted. As a result, certain activities are carried out twice, causing the costs of introducing PET to rise.

Implementing Privacy by Design

An important lesson from previous PET projects is that it is critical to consider the requirements for collecting personal data at a very early stage in the project. Such analysis involves determining the manner of data protection, the potential solutions and the associated costs and benefits. The subsequent conclusions will ensure that personal data collection is simply formulated as one of the essential (non-functional) requirements and is therefore naturally integrated into system design and development. Practical experience has certainly demonstrated that the later addition of PET into an information system is possible, but this upgrade runs sometimes deeper into the information system and underlying database than expected. In general, greater effort and higher costs are involved. And the same holds true when upgrading to advanced PET-related types and measures.

Table 1 represents the various stages that must be completed in order to successfully implement PET. PET-specific issues relating to each stage are indicated in the stage when they have to be addressed.

Table 1: Stages in the PET implementation plan

For an application of the Privacy by Design principle to the smart energy grid in Canada, see [IPCO10].

Future

We expect privacy and privacy-enhancing technologies to become an integral part of system development. The general public and consumers in particular demand that organizations handle personal data with great care and efficiency. Care and efficiency requires single registration at source and confidential usage throughout all the data processing stages in the system and any associated links in the information supply chain. To meet these demands and to guarantee the quality of data, organizations must make increasing use of IT solutions. In our view, the majority of governmental organizations will be the first to adopt privacy-enhancing technologies in one form or another, followed by companies that process sensitive personal data or that must comply with strict legislative and regulatory requirements (e.g. medical, pharmaceutical and financial sectors). The supply and demand of PET solutions will have to keep pace with these developments.

Conclusion

It seems that external pressure in the form of stricter enforcement, higher fines and/or a widely publicized incident of privacy breach, such as large-scale identity theft, has to come about before privacy is placed on the management agenda. Reasons like these have led to privacy issues being addressed in countries like the UK, Germany and the US. When will other countries suffer the same compulsion? Only then does it seem that there is enough support to execute a powerful privacy program.

Our privacy survey (see Box 4) indicates that organizations in both the public and private sectors experience substantial difficulties in implementing privacy measures and complying with legal provisions, even after 20 years of legislation. Nevertheless, these organizations have a positive opinion about the quality of their privacy protection. They primarily base this view on the fact that they have implemented a number of procedural and technical measures, mainly on the operational level. Framework and preparatory measures at the strategic or tactical levels are, however, often lacking.

Privacy protection is still predominantly being approached in response to compliance requirements; the positive economic effects are barely acknowledged. Furthermore, the adequacy of implemented measures are seldom evaluated. Despite many organizations believing that they are privacy compliant, it is hoped that future organizations will be able to back up such optimistic claims with privacy audits or certificates and the absence of major privacy incidents.

Implementing technical measures not only enables more effective and efficient data protection; the use of technical measures specifically requires a critical examination of personal data collection, its necessity and the need for its protection. This approach increases the integrity and confidentiality of the data and enables a more effective and efficient processing of personal data. Privacy-enhancing technologies need to become less a series of measures intended to ensure compliance with procedures and more a set of privacy provisions directly incorporated in the design of IT systems and infrastructure.

We therefore wish to conclude this article with the following high-level business case for Privacy by Design.