Guidance

Make privacy integral

Make sure citizens’ rights are protected by integrating privacy as an essential part of your system.

To meet point 7 of the Technology Code of Practice your plan or design must show how you are using privacy by design.

You’ll have to explain how you’re doing this as part of the spend control process.

About the EU General Data Protection Regulation

The Information Commissioner’s Office (ICO) provides information about the GDPR. The Technology Code of Practice summarises the key points.

The GDPR came into force on 25 May 2018. It’s about protecting citizens’ personal data when it is being processed or moved.

You must comply with this new regulation and consider the ethical and appropriate use of data and technology.

The GDPR adopts privacy by design as part of the regulation. There is a legal requirement in the GDPR for the protection of citizens’ data to be included from the start of the design process. The GDPR includes upfront penalties for not complying.

Maintaining the privacy of citizens’ personal data includes security. Privacy also includes how citizens:

  • consent to the use of their personal data
  • have the right to have personal data erased
  • have the right to restrict the processing of personal data
  • have the right to data portability so they can access and move their personal data

How privacy by design will help your programme

Your technology project or programme will benefit from:

  • being proactive about privacy and reducing the risks of data theft
  • identifying potential privacy issues earlier when they are easier and cheaper to solve
  • better awareness of privacy issues across the organisation
  • adherence to GDPR when it comes into law

How to embed privacy by design

The Data Protection Act 2018 contains details about how the EU General Data Protection Regulation (GDPR) applies in the UK. The ICO provides information on the Data Protection Act 2018 and how it complements the GDPR.

The ICO also has a guide to data protection and suggests using Privacy Impact Assessments (PIAs) as part of your project or programme’s risk management process. The following questions from the PIA code of practice are useful to consider:

  1. Will the project or programme involve the collection of new information about individuals?
  2. Will individuals have to provide information about themselves to the project or programme?
  3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
  4. Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
  5. Does the project or programme involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
  6. Will the project or programme result in you making decisions or taking action against individuals in ways that can have a significant impact on them?
  7. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be private.
  8. Will the project or programme require you to contact individuals in ways that they may find intrusive?
Published 6 November 2017
Last updated 5 June 2018
  1. Inclusion of a link to the new Data Protection Act 2018 and associated information from the Information Commissioner's Office
  2. First published.