Personal data. Photo: Peter Howell

Privacy by design: Keeping union digital projects data safe

What is ‘Privacy by design’?

‘Privacy by design’ is the mindset we need to adopt when designing any data collection that involves personal data. 

It’s about being proactive and thinking about the rights of individuals and how you can protect those rights by keeping their data safe. 

The Information Commissioner’s Office (the UK’s data protection regulator) describes it as ensuring

“that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle.”

In a nutshell it’s about considering data protection and privacy issues upfront in everything we do. 

Why is it important?

Privacy by design started as a sensible voluntary code for organisations to follow. But 2018’s General Data Protection Regulations (GDPR) made it a legal requirement for you to think and act in this way (i.e. to ensure data protection is considered from the design of something new and throughout the lifecycle of the use of that data).

You need to be aware that if things go wrong and the Information Commissioner’s Office (ICO) investigates a breach of security, you will be asked to demonstrate how you have thought about privacy by design in the setup of your service or product.

When does privacy by design practically kick in?

You need to think about privacy by design when you are:

  • developing new systems, services, products and processes that involve processing personal data;
  • developing organisational policies, processes, business practices and/or strategies that have privacy implications;
  • changing the physical design of a system where personal data is discussed or can be viewed;
  • embarking on data sharing initiatives;
  • using personal data for new purposes;
  • changing systems, services, products, processes and business practices that involve personal data.

Who is responsible for this?

Exact processes will differ between unions, but broadly:

  • Your union’s leadership are responsible for building a culture where privacy by design is at the heart of the union’s work;
  • Managers are responsible for ensuring that data protection requirements are taken account of when designing or changing products, services and procedures, and that privacy by design is reflected in the union’s internal processes and procedures;
  • Staff and reps carrying out voluntary work for the union are responsible for carrying out the practical elements of thinking through, documenting and implementing privacy by design in their work.

How do I ‘do it’?

Firstly, you need to recognise when you are about to start doing something new with personal data or change something that involves personal data. When this happens you need to stop to think ‘privacy/data protection’.

Many unions have appointed their own internal Data Protection Officer. Find out who yours is. They will likely have a process in place to help you decide how to approach the situation, and work out whether you need to complete a Data Protection Impact Assessment (DPIA). If they don’t, try the ICO’s DPIA screening checklist.

A DPIA is a process that will help you identify the data protection risks of a project, and minimise them. It can also be a useful process to work through the implications of a project, even where you don’t think the risk is very high.

However, conducting a DPIA is a legal requirement when you are conducting data processing that is likely to be high risk. It needs to be completed BEFORE designing your service/product and collecting the data you require.

A DPIA allows you to demonstrate the technical and organisational measures you need in order to ensure your processing complies with the GDPR. The Data Protection Officer will be able to provide support with assessing risks and solutions but cannot complete the form for you. The risks and solutions will then be owned by the area of the organisation responsible for the change.

Your Data Protection Officer will advise you on how to approach a DPIA, but you may also find this ICO checklist document helpful.

The completed forms need to be saved as part of your GDPR compliance evidence. Some organisations choose to publish them, to establish transparency, but this isn’t obligatory.

If your DPIA identifies a high risk that you can’t mitigate, you will need to check with the ICO before proceeding.

Good luck!

Nobody setting out on a new project gets excited by seeing a checklist before they even get started, but this process helps build a firm foundation to keep yourself and your members’ data safe.

Following these steps will mean you’ve considered privacy and personal data as part of the design of your new services and projects.