Privacy by design

The Norwegian Directorate of eHealth with kjernejournal was the winner of the privacy by design competition 2017 in Norway. It is a solution many in the public and private sectors can look to as an example of privacy by design in practice, said the jury.

To promote privacy by design in practice, the Norwegian Data Protection Authority launched a competition last year. On the 5th of March 2018 the winners were announced at a seminar on the topic. The full seminar (in Norwegian) was also streamed.

Guidelines on privacy by design

The Norwegian Data Protection Authority has, together with experts and developers, created a guide for privacy by design and default for all phases of software development. It's available in both Norwegian and English.

The guidelines were developed to help organisations understand and comply with the requirement of data protection by design and by default in article 25 of the General Data Protection Regulation (GDPR), entering into force on 25th May 2018.

The guide was launched in August 2017 to a lot of interest. It has since become popular, attracted attention internationally, and entered the curriculum at some teaching institutions in Norway.

Call for good examples

The competition for privacy by design in practice was launched along with the guidelines. The Norwegian Data Protection Authority aims to promote privacy-enhanced digitalisation, and the competition was created to bring forward more good examples, reward efforts and encourage further work on the topic.

21 contributions came in, and 19 of the contributors have agreed that the information will be shared publicly. The contributions varied from very detailed to shorter descriptions, came from both smaller and larger companies, and covered, e.g., intelligence solutions, security solutions and ways to control data.

This was the first time this award was given in Norway. There is a similar prize in Barcelona, which has developed into a rather big event, including international contributions.

3 important components of privacy

At the seminar, Martha Eike and Veronica Jarnskjold Buer, representatives from the Norwegian Data Protection Authority, also presented 3 components of the new privacy regulation GDPR that they wanted to highlight. These, they said, could perhaps also be considered low-hanging fruit for privacy by design.

1. Data minimization

Under the principle of data minimization, Principle 5c of the GDPR, personal data must be relevant, adequate and limited to what is necessary for the purpose for which they are being processed.

If it is not necessary to have personally identifiable information in order to achieve the purpose, then the regulation says that it should be avoided. It can also be relevant to assess the amount of personal data to be collected.

For example, for a map app that shows the route from A to B, it's OK to use my location data to know where I am when the app is in use, but it does not need access to who I am or to my photos. Online newsletters do not really need more than just the email address.

Use privacy as the default setting, as the default is often what will be used.

2. Consent

When processing information, the main basis must be given in regulations or by consent.

Consent must be active, and giving it must be voluntary: a real choice. If consent is voluntary, you should also be able to withdraw it.

A good solution does not confuse the privacy statement, which deals with how your personal information is taken care of, with the contract with the provider who created the app or solution.

There is a difference between privacy statement, consent and contract. There are examples where these are mixed together. The regulation says that this is not OK. The terms of Google were mentioned as one example where privacy statement, consent and contract appear merged together.

3. Information

In order to give consent, information is essential. It should be specific about what the consent is for, e.g. information on purpose and how the data will be used, processed, stored or deleted. Perhaps you find that you want to change it, in which case it might be important that you ask again: "Now we want to do something else".

The information needs to be easy to understand, in a language the target user is familiar with. As for children, if the child is under 13 years, then the parents should give consent.

More on all these aspects can be seen in the streamed video (in Norwegian).

Competition on privacy by design in practice

Key criteria for the competition were: 

1. Make it easier for individuals to use their rights
2. Strengthen individuals' control of their own information
3. Make it easier for businesses to comply with the privacy policy
4. Strengthen information security around personal information

The jury consisted of 5 votes: Maria Bartnes (Sintef), Lillian Røstad (ISF), Dag Wiese Schartum (UiO), Torgeir Waterhouse (IKT-Norge) and the representatives from the Norwegian Data Protection Authority (Datatilsynet): Veronica Jarnskjold Buer and Martha Eike.

Of the 21 contributions, 3 finalists (listed in random order) presented briefly at the seminar.

The University of Oslo - data collection via web and mobile. UiO presented an online form used for sensitive data and clinical studies, but also for other questionnaires. The tool helps the data processor while protecting privacy.

The Norwegian Directorate of eHealth (NDE) - kjernejournal. It contains important information about your health and gives healthcare professionals quick access to selected and important health information, regardless of where you are treated.

Bouvet - SESAM. Bouvet has been working to democratize data, on the basis that there is a lot of power in data, and on making data available: the civil right to own one's personal data, to see what is stored about oneself, etc. The Sesam portal supports, e.g., consent management, data portability and secure login.

Winner: The Norwegian Directorate of eHealth

The Norwegian Directorate of eHealth with Kjernejournal (Summary Care Record) was the winner of the 2017 competition. 

The jury said that the winner gives clear information about the solution to the registrant, has documented development methods that follow the privacy principles from the guide of the Norwegian Data Protection Authority, and that the solution strengthens information security around personal information.

The winner is also a national solution that affects many. It is a solution many in the public and private sectors can look to as an example of privacy by design in practice.

The competition will also be run this year, and the call is open. The deadline for submission is 1 December.