The technological evolution of data and analytics capabilities has made it possible to collect, store and analyze massive amounts of data in real time and with relatively low cost. However, privacy challenges may arise when personal data is collected and analyzed. Personal data must be managed and protected carefully and according to the legislation and the data privacy standards.
Personal data
First, you must identify what is personal data.
All data relating to an identified or identifiable natural person is personal data. This could include, for instance, an e-mail address, an employee ID or an IP address. Note that even personal data that can no longer be attributed to a specific person without the use of additional information, i.e. pseudonymised personal data, is still personal data, and its processing is subject to data protection regulations. By contrast, anonymized data (from which it is impossible to identify individuals) is no longer considered personal data.
Sensitive personal data refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or sex life. Also, for instance, genetic and biometric data and social security number are considered specific categories of personal data and their use is subject to even stricter rules.
Basic principles for processing personal data
The six basic principles for processing personal data include:
- Lawfulness, fairness, and transparency: Identify an appropriate, lawful basis for your processing. Process data fairly, in ways the data subjects could reasonably expect. Comply with the transparency obligations of the right to be informed.
- Purpose limitation: Collect personal data only for specified, explicit and legitimate purposes, and document them. Do not use the data for other purposes.
- Data minimization: Limit the amount of personal data collected to what is actually needed for the defined purposes.
- Accuracy: Check the accuracy of personal data and keep it up to date.
- Storage limitation: Keep data only as long as it is necessary for the purposes of the processing.
- Integrity and confidentiality: Keep the data secure against unauthorized or unlawful processing, and against accidental loss, destruction or damage. Use appropriate technical and organizational measures to protect it.
At CGI, industry best standards and practices are implemented in our frameworks.
Taking privacy into consideration
In practice, there are several ways in which you must consider privacy in analytics and solution development. Here are some examples of considerations you should take into account.
Privacy should be considered from the beginning of delivery planning, and the privacy-related goals, objectives and business requirements reviewed at every step of development. Privacy must also be considered for any changes made or new functionalities added. Privacy-related responsibilities must be assigned, and privacy-specific risks and their mitigation strategies considered. In CGI, we use Data Privacy and Security Checklists (DPSC) to document the risk assessments made in the opportunity planning phase.
If processing personal data on behalf of a customer, you must strictly comply with the client’s / data controller’s instructions, and the data protection legislation.
Privacy by design and by default in practice
Access to personal data must be limited by role, sensitivity and need. Secure it and restrict unauthorized access to individuals’ personal data. For instance, access to highly confidential health data needs to be secured through several security controls, such as physical security, encryption and multifactor or risk-based authentication.
Use “opt-in” services instead of “opt-out” solutions for personal data (by default, do not share personal data unless the data subject intentionally chooses to allow it, except in cases where collecting personal data is necessary and allowed for the defined purposes). Limit the amount of data collected to what is strictly necessary for the purposes. For instance, if collecting the address of the data subject is not necessary for the purpose, do not collect it. Favour data pseudonymization techniques when possible (keep direct identifiers separate so that identification is not possible without additional, separately-held information).
When collecting, processing, storing or disclosing personal information, aim to be consistent and predictable. Check the accuracy of the data collected, and record its source and the changes made to it (use log files). Use the most privacy-protective option as the default setting when possible.
Prior to personal data collection, ensure that informed consent processes are implemented where needed. For instance, you can use a pop-up window to provide specific privacy information before the user consents to their data being collected. Enable individuals to request a copy, a correction or the deletion of their personal data, when applicable. The system should be able to identify personal data, and it should support the right to be forgotten. Allow individuals to object to their data being collected, e.g. for marketing or profiling purposes. Do not use data for purposes other than those for which it was collected. For instance, if personal data is collected in an online survey, it cannot be used for purposes other than the one(s) defined in the survey.
Use only fictional or anonymized data for testing purposes. Encrypt personal data that is considered to be at risk due to its type, technical environment, business context, volume and/or other considerations. Do not store personal data longer than is required to fulfill the purpose of its collection (or than is required by law or regulations), and after that ensure it is disposed of appropriately. For instance, there may be special time limits for keeping financial data for tax purposes, but the personal data collected for delivering a purchase may not be needed after the purchase has been delivered (and any applicable complaint period has passed).
If disclosures to third parties are necessary, obtain informed consent from data subjects as applicable. Ensure that any access to or transfer of personal data is secure and subject to prior information and/or approval where applicable. Any third-party solutions used or integrated in the solution must be assessed and must comply with privacy laws, requirements and policies. For instance, check the security of the code of an open source solution before using it. Also ensure that privacy notices and contacts are easily accessible from anywhere in the solution.
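As an added illustration of the pseudonymization, data minimization and right-to-be-forgotten practices described above (example code, not CGI's framework): direct identifiers are replaced by keyed tokens while the HMAC key and the token table are held apart from the analytics data, and erasure removes both the link and the linked rows. The sample records, the key and the field names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data). "email" is a direct identifier;
# "street" is not needed for the analysis and is dropped (data minimization).
SAMPLE_RECORDS = [
    {"email": "anna@example.com", "street": "Main St 1", "postcode": "00100", "total": 42.0},
    {"email": "bo@example.com", "street": "Elm St 5", "postcode": "00200", "total": 13.5},
    {"email": "Anna@example.com", "street": "Main St 1", "postcode": "00100", "total": 8.0},
]

class IdentityVault:
    """Separately-held information: the HMAC key and the token -> identifier table."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._table = {}  # token -> normalized identifier
    def tokenize(self, identifier):
        # Keyed hash: one person -> one token, so rows stay linkable for analysis,
        # but a token cannot be reversed without this vault's key and table.
        norm = identifier.strip().lower()
        token = hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()[:16]
        self._table[token] = norm
        return token
    def reidentify(self, token):
        return self._table.get(token)
    def forget(self, identifier):
        """Right to be forgotten: drop the link, return tokens whose rows must be purged."""
        norm = identifier.strip().lower()
        tokens = [t for t, ident in self._table.items() if ident == norm]
        for t in tokens:
            del self._table[t]
        return tokens

def pseudonymize(records, vault, direct_ids=("email",), needed=("postcode", "total")):
    """Replace direct identifiers with tokens and keep only the fields needed."""
    out = []
    for rec in records:
        row = {k: rec[k] for k in needed if k in rec}
        for field in direct_ids:
            row[field + "_token"] = vault.tokenize(rec[field])
        out.append(row)
    return out

def purge(records, tokens):
    """Remove analytics rows linked to forgotten tokens."""
    gone = set(tokens)
    return [r for r in records if not any(v in gone for v in r.values())]
```

The vault (key and table) must be stored and access-controlled separately from the pseudonymized rows; if the two are kept together, the data is not pseudonymized in any meaningful sense.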
Privacy and security considerations are a must
Privacy and security aspects must always be considered when planning and developing analytics or other services and solutions that use personal data. They are an integral part of the service design, and data protection safeguards are to be built into the solutions from the earliest stage of development and ensured throughout the data life cycle. This way, we enhance legal certainty and strengthen trust.
Privacy by design and by default cannot be added later on; it must be built in from the beginning.
The blog is written by Arja Virta.