Hoepman comments
These strategies help IT architects to support privacy by design early in the software development life cycle, during concept development and analysis. Using current data protection legislation as point of departure we derive the following eight privacy design strategies:
- MINIMISE,
- HIDE,
- SEPARATE,
- AGGREGATE,
- INFORM,
- CONTROL,
- ENFORCE, and
- DEMONSTRATE.
The strategies also provide a useful classification of privacy design patterns and the underlying privacy enhancing technologies. We therefore believe that these privacy design strategies are not only useful when designing privacy friendly systems, but also helpful when evaluating the privacy impact of existing IT systems.
Privacy by design [5] is a system design philosophy that aims to improve the overall privacy1 friendliness of IT systems. Point of departure is the observation that privacy (like security) is a core property of a system that is heavily influenced by the underlying system design. As a consequence, privacy protection cannot be implemented as an add- on. Privacy must be addressed from the outset instead. The fundamental principle of privacy by design is, therefore, that privacy requirements must be addressed throughout the full system development process. In other words starting when the initial concepts and ideas for a new system are drafted, up to and including the final implementation of that system. Privacy by design is gaining importance. For example, the proposal for a new European data protection regulation [10] explicitly requires data protection by design and by default. It is therefore crucial to support developers in satisfying these requirements with practical tools and guidelines.
As explained in Section 2, an important design methodology is the application of so called software design patterns. These design patterns refine the system architecture to achieve certain functional requirements within a given set of constraints. During soft- ware development the availability of practical methods to protect privacy is high during actual implementation, but low when starting the project. Numerous privacy enhanc- ing technologies (PETs) exists that can be applied more or less ’off the shelf’. Before that implementation stage, privacy design patterns can be used during system design. Significantly less design patterns exist compared to PETs, however. And at the start of the project, during the concept development and analysis phases, the developer stands basically empty handed.
This paper aims to close this gap [13,26]. Design patterns do not necessarily play a role in the earlier, concept development and analysis, phases of the software develop- ment cycle. The main reason is that such design patterns are already quite detailed in nature, and more geared towards solving an implementation problem. To guide the de- velopment team in the earlier stages, we define the notion of a privacy design strategy. Because these strategies describe fundamental, more strategic, approaches to protecting privacy, they enable the IT developer to make well founded choices during the concept development and analysis phase as well. These choices have a huge impact on the over- all privacy protection properties of the final system.
The privacy design strategies developed in this paper are derived from existing pri- vacy principles and data protection laws. These are described in section 3. We focus on the principles and laws on which the design of an IT system has a potential impact. By taking an abstract information storage model of an IT system as a point of departure, these legal principles are translated to a context more relevant for the IT developer in section 4. This leads us to define the following privacy design strategies: MINIMISE, HIDE, SEPARATE, AGGREGATE, INFORM, CONTROL, ENFORCE and DEMONSTRATE. They are described in detail in section 5.
We believe these strategies help to support privacy by design throughout the full software development life cycle, even before the design phase. It makes explicit which high level decisions can be made to protect privacy, when the first concepts for a new information system are drafted. The strategies also provide a useful classification of pri- vacy design patterns and the underlying privacy enhancing technologies. We therefore believe that these privacy design strategies are not only useful when designing privacy friendly systems, but that they also provide a starting point for evaluating the privacy impact of existing information systems.