Privacy by Design

Identity in the Information Society, Aug 2010

In view of rapid and dramatic technological change, it is important to take the special requirements of privacy protection into account early on, because new technological systems often contain hidden dangers which are very difficult to overcome after the basic design has been worked out. So it makes all the more sense to identify and examine possible data protection problems when designing new technology and to incorporate privacy protection into the overall design, instead of having to come up with laborious and time-consuming “patches” later on. This approach is known as “Privacy by Design” (PbD).


PbD is helpful for all kinds of IT systems designated or used for processing personal data. It should be a crucial requirement for products and services provided to third parties and individual customers (e.g. WiFi routers, social networks and search engines). Many users have only limited IT skills and hence are not in a position to take the relevant security measures themselves in order to protect their own or others' personal data. Therefore, in connection with these IT procedures, basic protection is always necessary (privacy by default). Moreover, providers have to enable users to better protect their personal data, for example by providing appropriate privacy tools (access controls, encryption, provisions for anonymous use).

The idea of incorporating technological data protection into IT systems is not completely new. Recital 46 of Directive 95/46 of the European Union, for example, refers to the requirement that appropriate technical and organizational measures have to be taken both when designing the processing system and during processing itself, particularly in order to maintain security. However, PbD goes beyond maintaining security. PbD includes the idea that systems should be designed and constructed so as to avoid or minimize the amount of personal data processed. Key elements of data minimization are the separation of personal identifiers and content data, the use of pseudonyms, and the anonymization or deletion of personal data as early as possible. The following examples demonstrate how PbD can help improve data protection.

For several years now, Germany has been preparing to introduce an electronic health card (elektronische Gesundheitskarte, eGK), a smart card with an embedded microprocessor which allows additional functions, in particular verifying one's digital identity within the telematics infrastructure of the health-care sector. The smart card will initially contain the cardholder's administrative data, which are already on the magnetic health insurance card. The possibility to store additional data (such as prescription drug records, emergency medical information, electronic patient records) is to be added later. With the new electronic health card, data protection for patients should at least be no worse than under the current system. The intention is even to improve transparency for insured persons and give them extensive options for using their medical data. Cardholders are to have control over the data in all the applications they choose, and to be able to decide themselves, as far as possible, how much of their health-related data should be stored on the smart card and in the telematics infrastructure and how it should be used. The smart card is to be designed with technical features giving cardholders the ability to manage their own data and the rights to access that data. The card and the telematics infrastructure must be simple enough for cardholders to use. Processes suitable for everyday use which enable ordinary users to actively exercise their data sovereignty and rights as patients are a basic prerequisite for introducing the electronic health card and operating the telematics infrastructure.

Efforts to modernize the health-care sector must pay attention to strengthening patient sovereignty and patients' rights and to expanding patients' participation. If the use of IT in the health-care sector were to focus only on improving cost-effectiveness and speeding up processing times while neglecting data protection and patients' rights, it would find little acceptance and would have little chance of being implemented. This is why the technical processes must be suitable for everyday use by all insured persons, so they can actively exercise their rights of participation and control. In this way, the electronic health card and telematics infrastructure offer the chance to improve access to health data, optimize medical treatment and at the same time enhance patients' control over their own data. The technology used must guarantee lasting compliance with the principles of data protection. Lastly, the entire technical infrastructure must be oriented above all on benefiting patients. All components, interfaces, services and processes in the health telematics must function optimally and meet the requirements of data protection and data security. Everyone involved in developing the electronic health card has agreed to abide by the following principles:

(1) Data sovereignty: The insured person has extensive control over his/her health data to be processed in the electronic health card or the telematics infrastructure. The voluntary medical applications can be used only with the express consent of the insured person and specific access granted by him/her.
(2) Voluntary basis: Health data are to be stored only on a voluntary basis, at the discretion of the insured person. No preferential or discriminatory treatment is allowed on the basis of data access granted or denied by the insured person.
(3) Extent of data: The insured person must be able to decide which health data are included and when they should be deleted.
(4) Data access: The insured person must be able to decide on a case-by-case basis which service provider (physician, pharmacist, midwife, etc.) has access to which data.
(5) Right to information: The insured person has the right to read his/her own data and the right to information about them and all processes concerning them.
(6) Ability to check: The insured person must be able to use logs to check who accessed which data and when.

The technical processes currently being tested and the robust security mechanisms built into the smart card and the telematics infrastructure are intended to ensure compliance with these data protection principles and thus also the active participation of insured persons in granting access and managing their medical information and access rights. Data protection and data security have been taken into account when designing the processes and technology. All the components which are essential to data security (that includes all components involved in encrypting data and ensuring the authenticity of participants) must be certified in accordance with a protection profile of the Common Criteria in order to verify their trustworthiness. All users (patients, insured persons and members of the health professions) m (...truncated)
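The data-minimization elements named above (separating identifiers from content data, pseudonyms, early deletion) together with the eGK principles of case-by-case access and patient-readable access logs, as an added illustration in Python. This is not code from the article or from the eGK project; the keyed-hash pseudonym, the in-memory tables, the insured id and the provider names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class PseudonymousHealthStore:
    def __init__(self, key: bytes = b""):
        self._key = key or secrets.token_bytes(32)   # pseudonym key, kept with the identity table
        self._identities = {}   # pseudonym -> name; discarding this table anonymizes the content
        self._content = {}      # pseudonym -> {category: [entries]}; never holds a name or insured id
        self._grants = {}       # (pseudonym, provider) -> set of categories the patient granted
        self._log = []          # (pseudonym, provider, category, allowed) for every read attempt

    def pseudonym(self, insured_id: str) -> str:
        # Keyed hash (assumed scheme): without the key, content records cannot be re-linked to a person.
        return hmac.new(self._key, insured_id.encode(), hashlib.sha256).hexdigest()[:16]

    def enrol(self, insured_id: str, name: str) -> str:
        p = self.pseudonym(insured_id)
        self._identities[p] = name
        self._content.setdefault(p, {})
        return p

    def store(self, insured_id: str, category: str, entry: str) -> None:
        # Voluntary basis: only data the insured person chooses to store end up here.
        self._content[self.pseudonym(insured_id)].setdefault(category, []).append(entry)

    def grant(self, insured_id: str, provider: str, category: str) -> None:
        # Case-by-case access: one provider, one data category, decided by the patient.
        self._grants.setdefault((self.pseudonym(insured_id), provider), set()).add(category)

    def revoke(self, insured_id: str, provider: str, category: str) -> None:
        self._grants.get((self.pseudonym(insured_id), provider), set()).discard(category)

    def read(self, provider: str, insured_id: str, category: str) -> list:
        p = self.pseudonym(insured_id)
        allowed = category in self._grants.get((p, provider), set())
        self._log.append((p, provider, category, allowed))   # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"{provider} has no grant for {category}")
        return list(self._content[p].get(category, []))

    def access_log(self, insured_id: str) -> list:
        # Ability to check: the insured person sees who tried to read which category and whether it succeeded.
        p = self.pseudonym(insured_id)
        return [(prov, cat, ok) for (pp, prov, cat, ok) in self._log if pp == p]

    def delete(self, insured_id: str, category: str) -> None:
        # Extent of data: the insured person decides when a category is deleted.
        self._content[self.pseudonym(insured_id)].pop(category, None)
```

Because the content table is keyed only by the pseudonym, dropping the identity table (or the key) leaves content data that can no longer be attributed to a person, which is the anonymization step the article lists.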


This is a preview of a remote PDF: https://link.springer.com/content/pdf/10.1007%2Fs12394-010-0055-x.pdf
Article home page: https://link.springer.com/article/10.1007/s12394-010-0055-x

Peter Schaar. Privacy by Design, Identity in the Information Society, 2010, pp. 267-274, Volume 3, Issue 2, DOI: 10.1007/s12394-010-0055-x