The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Privacy by design

What is ‘privacy by design’?

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often bolted on as an after-thought or ignored altogether.

Although this approach is not a requirement of the Data Protection Act, it will help organisations comply with their obligations under the legislation.

The ICO encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:

  • building new IT systems for storing or accessing personal data;
  • developing legislation, policy or strategies that have privacy implications;
  • embarking on a data sharing initiative; or
  • using data for new purposes.

We would like to see more organisations integrating core privacy considerations into existing project management and risk management methodologies and policies.

Benefits of taking a ‘privacy by design’ approach

Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:

  • Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
  • Increased awareness of privacy and data protection across an organisation. 
  • Organisations are more likely to meet their legal obligations and less likely to breach the Data Protection Act.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals.  

Privacy Impact Assessments 

Privacy Impact Assessments (PIAs) are an integral part of taking a privacy by design approach. Our Conducting privacy impact assessments code of practice explains the principles which form the basis for a PIA. A PIA assists organisations in identifying and minimising the privacy risks of new projects or policies. It also considers how organisations can integrate PIAs into existing project management and risk management methodologies and policies.

See our topic guide on PIAs for more information.

ICO guidance and other resources

The ICO has a range of guidance and practical advice which can assist organisations when developing new projects.

Seven foundational principles of privacy by design

The Information & Privacy Commissioner of Ontario has taken a leading role in developing the privacy by design concept, establishing seven ‘foundational principles of privacy by design’. These principles will be relevant for UK data controllers too.