Privacy by Design is a fundamental realignment of how we design and build digital services, with the crucial driving feature being the protection of user data.
Over the past thirty years, organisations have been building systems without giving much thought to privacy. Legacy solutions tend to be convoluted and difficult to maintain. We now need to get to the point where we start building software that protects people’s data from the ground up.
Privacy Enabling Technologies (PETs) like SICCAR keep trust and data privacy central to the development of digital solutions. Our approach, Privacy by Design, is backed up by seven key principles:
Principle 1: Proactive, not reactive; preventive, not remedial
Proactively look at the risk before you do anything else. Privacy by Design aims to prevent any privacy infractions from happening at a later stage. As an example, this is where a DPIA (Data Privacy Impact Assessment) comes in: identifying and minimising data protection risks before a project kicks off.
The SICCAR data-sharing platform was built with this principle in mind. By embedding permissions, we mitigate privacy risks. When you publish a process in SICCAR, you include its permissions which can’t be changed. If someone is not assigned a data item as part of the process, they will never get access to it.
Principle 2: Privacy as the default
Individuals should not have to take action to protect their privacy: it should be the standard.
In SICCAR, all data is encrypted by default and is only shared with the people who need it. You would have to take deliberate steps to make your personal data unprotected and non-private.
Principle 3: Privacy embedded into design
Privacy should never be an afterthought or add-on; it should be built into everything we do.
SICCAR uses transactions and wallets. Like Bitcoin, it uses encryption protocols, but SICCAR takes that one step further: everything that goes on our ledger is encrypted, so privacy is the default, embedded into process design.
Principle 4: Full functionality – positive-sum, not zero-sum
Positive-sum is all about creating a win-win situation for all stakeholders. There should never be a ‘cost vs privacy’ issue, as it is perfectly possible to cater to both.
For instance, SICCAR reduces the impact of a data breach through privacy. If a data store is breached and the attackers gain access to a wallet, its data is still encrypted. An attacker would have to decrypt every single transaction separately, obtaining only a small fragment of data each time – and some transactions might not even carry personal information. Decrypting even a single transaction takes a very long time – decrypting millions of transactions is not possible in our lifetime.
Reducing the attack surface and knowing exactly what data everyone has also means that if a breach occurs, the organisation can contact everybody that’s on the ledger to inform them and let them know what remedial actions are being taken.
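The behaviour described under Principles 1, 2 and 4 (permissions fixed when a process is published, access denied unless a participant was assigned the data item, and a fresh key for every transaction so that a leaked key exposes one record only), modelled as an added example. This is not SICCAR's code: the `Process`, `Ledger` and wallet structures, the toy HMAC-based cipher and the participant names are assumptions made for illustration.

```python
import hashlib, hmac, os
from types import MappingProxyType

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy cipher: HMAC-SHA256 counter keystream XORed over the data. It stands in
    # for a real AEAD (e.g. AES-GCM) purely so the model runs on the standard library.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Process:
    """A published process. Its data-item permissions are frozen at publication (Principle 1)."""
    def __init__(self, name: str, permissions: dict):
        self.name = name
        # data item -> participants assigned to it; read-only proxy over frozensets
        self.permissions = MappingProxyType({k: frozenset(v) for k, v in permissions.items()})

class Ledger:
    def __init__(self):
        self.transactions = []  # (tx_id, data item, nonce, ciphertext): nothing is stored in clear
        self.wallets = {}       # participant -> {tx_id: transaction key} (models a wallet)

    def record(self, process: Process, item: str, plaintext: bytes) -> str:
        # An item nobody was assigned has an empty recipient set, so nobody ever
        # receives its key: deny by default (Principle 2).
        recipients = process.permissions.get(item, frozenset())
        tx_id = f"tx{len(self.transactions) + 1}"
        key, nonce = os.urandom(32), os.urandom(12)  # fresh key per transaction (Principle 4)
        self.transactions.append((tx_id, item, nonce, _stream_xor(key, nonce, plaintext)))
        for who in recipients:
            self.wallets.setdefault(who, {})[tx_id] = key
        return tx_id

    def read(self, who: str, tx_id: str):
        """Return the plaintext if `who` holds the transaction key, else None: no key, no data."""
        key = self.wallets.get(who, {}).get(tx_id)
        if key is None:
            return None
        _, _, nonce, ct = next(t for t in self.transactions if t[0] == tx_id)
        return _stream_xor(key, nonce, ct)

def breach_exposure(ledger: Ledger, leaked_keys: dict) -> dict:
    """What an attacker holding some transaction keys can recover: only those transactions."""
    return {tx_id: _stream_xor(leaked_keys[tx_id], nonce, ct)
            for tx_id, _, nonce, ct in ledger.transactions if tx_id in leaked_keys}
```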
Principle 5: End-to-end security – full lifecycle protection
End-to-end security is about data being protected throughout its lifecycle, from start to finish.
As soon as data enters a system, it should be assigned permissions. Without access to a wallet, you cannot see what happens to the data inside it.
This level of security gives organisations transparency: they can completely reorganise their structure without exposing the change to the partners or people who share a ledger with them.
End-to-end encryption in SICCAR ensures that there are no gaps in data security.
Principle 6: Visibility and transparency – keep it open
This principle is about making sure that you know who your partners are. SICCAR allows communication between supernodes through mutual trust between organisations.
Within an organisation we know exactly who has accessed data, with complete transparency. Outside the organisation this information is obfuscated – there is a record, but the user’s identity is hidden.
Organisations can be completely transparent about the processes they use and how data is accessed, without disclosing privacy-sensitive information.
Moreover, when organisations share trusted, high-quality data, the quantity of data that needs to be moved is minimised. This principle of minimum disclosure helps prevent data spread and pollution.
Principle 7: Respect for user privacy – keep it user-centric
Keep the individual central by making sure a solution meets their needs and is user-friendly.
People should not have to over-share information. For instance, a utility bill is often used as proof that a service is provided. If the supplier can provide that same information as a direct attestation, rather than through a copy of the bill, the other private information on the bill does not need to be surrendered.
At SICCAR we strive for a system where the responsibility for data sanity is delegated to the end user, not necessarily the data controller. Users are empowered to correct or delete their own data. In SICCAR, personal data can be removed across a network instantly, with the click of a button.
Speak with SICCAR to find out how you can utilise Privacy by Design for your organisation