Asia must adopt 'data protection by design' in IoT era

Data privacy needs to be ingrained into the minds of businesses and engineers, especially as Internet of Things and mobile devices become more widely used.
Written by Eileen Yu, Senior Contributing Editor

Businesses in Asia must start embedding data privacy into their products and services right from the start, so they can ensure consumers will have the strongest level of protection.

This need for "privacy by design" would be especially critical as more people adopt the Internet of Things (IoT), exposing more of their personal data, said Ann Cavoukian, executive director of the Privacy and Big Data Institute at Ryerson University.

Speaking via a pre-recorded video presentation at the Data Privacy Asia 2016 conference in Singapore, she said the third-party monitoring involved in such devices removed users' control of their information. The US Federal Trade Commission (FTC), for instance, had expressed concerns after 12 mobile health and fitness apps were found to have shared the user data they collected with 76 different parties.

"There is an essential need to embed privacy into IoT and mobile devices by design," Cavoukian urged, stressing the need to also put focus on engineers. "Most are still wrapped up in [building] the basic infrastructure for IoT [and], as a result, the more abstract ideas such as personal privacy can quickly fall by the wayside."

She noted that programmers must realise the need to embed privacy into the main software code, and added that the community needed to raise awareness about this requirement.

Cavoukian created the Privacy by Design framework, which was formally recognised in October 2010 by regulators at the International Conference of Data Protection Authorities and Privacy Commissioners as a key component in privacy protection. The FTC later included the model as one of three recommended practices for protecting online privacy.

The Privacy by Design framework evangelises the need to embed privacy into the design specifications of information technologies, networked systems, and corporate practices. The guidelines are available in 38 languages.

Cavoukian explained that it espoused a "positive-sum" model, built on the premise that security and privacy could both be provided without unnecessary tradeoffs between the two.

The framework encompasses seven key principles, including implementing privacy as the default setting, visibility and transparency, and user-driven control. It also lists nine application areas such as surveillance cameras in mass transit systems, biometrics in gaming facilities, mobile communications, remote home healthcare, and big data and data analytics.

Cavoukian added that adopting the Privacy by Design model would help companies, including those in Asia, ensure compliance with the European Union's upcoming General Data Protection Regulation (GDPR), which would come into effect in May 2018. The legislation would mark the first time privacy and data protection by design, as well as privacy as the default, were included in a privacy statute, she said.

The GDPR also would mandate the appointment of a data protection officer, which could drive conversations around the need to make such roles a profession.

Singapore, for one, was currently exploring this possibility, according to Yeong Zee Kin, assistant chief executive and commission member of the Personal Data Protection Commission (PDPC), which was responsible for regulating the country's Personal Data Protection Act.

He said the commission "wish to, and intend to pursue" the possibility of professionalising data protection officers, but would need to first review key areas. Businesses, for example, would first need to be encouraged to appoint data protection officers, Yeong said. These officers also would need to be able to contribute constructively, so training would be another important starting point, he said.

He added that the Workforce Development Agency currently provided a basic and advanced training programme in this aspect. The PDPC was exploring options to determine whether these could be expanded to include some form of certification, which could also allow data protection officers to retain the certified skillsets as they move from one organisation to another.

These professionals then could gather from different verticals to form associations and communities of practice, he said, and collaborate to identify and solve challenges in the various sectors.

All these various components would need to come together to provide the landscape in which professional data protection officers could thrive, Yeong said.
