National Academies Press: OpenBook

Airport Biometrics: A Primer (2021)

Chapter: Appendix L - Best Practices and Privacy by Design

Suggested Citation: "Appendix L - Best Practices and Privacy by Design." National Academies of Sciences, Engineering, and Medicine. 2021. Airport Biometrics: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/26180.


Best Practices and Privacy by Design

Included in this appendix are additional examples of best practices, checklists, and guiding privacy principles. The FIPPs core principles are:

1. The collection limitation principle. There should be limits on the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. The data quality principle. Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.

3. The purpose specification principle. The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. The use limitation principle. Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified, except (a) with the consent of the data subject, or (b) by the authority of law.

5. The security safeguards principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.

6. The openness principle. There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. The individual participation principle. Individuals should have the right:
   a. To obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to them;
   b. To have data relating to them communicated to them, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to them;
   c. To be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial; and
   d. To challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

8. The accountability principle. A data controller should be accountable for complying with measures that give effect to the principles stated previously (IAPP n.d.).

An FTC report (FTC 2012a) elaborated on the recommended practices from a 2010 FTC preliminary report (FTC 2010). Building on the 2010 report's recommendation that businesses build privacy protections into their operations, as described by privacy by design, the 2012 FTC report proposed best practices that offer simplified choices giving consumers more meaningful control and that would increase the transparency of data collection and use practices:

• Companies should incorporate into their practices substantive privacy protections, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
• Companies should maintain comprehensive data-management procedures throughout the life cycle of their products and services.
• Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or that are required or specifically authorized by law.
• For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data were collected, or (2) collecting sensitive data for certain purposes.
• Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.
• Companies should provide reasonable access to the consumer data they maintain, and the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
• All stakeholders should expand their efforts to educate consumers about commercial data privacy practices (FTC 2012a).[235]

The bulk of these recommendations mirror provisions in BIPA and other state laws regulating the collection, use, retention, and sharing of biometric data (FTC 2012a).

Privacy-by-Design Checklist

For examples of other checklists, see Prescott 2020 and Information Commissioner’s Office n.d. Privacy-by-design principles are shown in Figure L-1.

Figure L-1. Privacy-by-design principles. (Source: InterVISTAS Consulting, Inc.)

Another useful checklist was compiled in connection with the U.K. 2019 legislation to implement Article 25 of the GDPR:

• We consider data protection issues as part of the design and implementation of systems, services, products, and business practices.
• We make data protection an essential component of the core functionality of our processing systems and services.
• We anticipate risks and privacy-invasive events before they occur and take steps to prevent harm to individuals.
• We only process the personal data that we need for our purpose(s), and we only use the data for those purposes.
• We ensure that personal data are automatically protected in any IT system, service, product, or business practice, so that individuals should not have to take any specific action to protect their privacy.
• We provide the identity and contact information of those responsible for data protection both within our organization and to individuals.
• We adopt a plain-language policy for any public documents so that individuals easily understand what we are doing with their personal data.
• We provide individuals with tools so that they can determine how we are using their personal data and whether our policies are being properly enforced.
• We offer strong privacy defaults and user-friendly options and controls, and we respect user preferences.
• We only use data processors that provide sufficient guarantees of their technical and organizational measures for data protection by design.
• When we use other systems, services, or products in our processing activities, we make sure that we only use those whose designers and manufacturers take data protection issues into account.
• We use privacy-enhancing technologies to assist us in complying with our data protection by design obligations (Information Commissioner’s Office n.d.).

Recent EU developments include the 2019 EU Data Protection Guidelines (4/2019) on the GDPR requirements for Data Protection by Design and by Default (European Data Protection Board 2019).[236] The draft guidelines (which were open for comment until January 2020) proposed measures and guidance addressing data protection by design, data protection by default, data subjects’ rights, safeguard requirements, practical guidance on the application of the principles, and certification. Thus, the guidelines propose guidance on what data protection obligations mean in practice and how to implement the data protection principles effectively. Similarly, the EU published guidelines on consent describing the elements of valid consent [i.e., under GDPR Article 4(11)] (European Data Protection Board 2020a). The EU also published Guidelines (2/2020) on GDPR provisions on transfers of personal data between EU and non-EU public authorities and bodies (European Data Protection Board 2020b).

Endnotes

235. See also FTC 2012b.
236. See also European Data Protection Board 2020a and European Data Protection Board 2020b. For a comprehensive summary of the elements of data protection by design and by default, see Boardman et al. 2019. www.twobirds.com/en/news/articles/2019/global/edpb-publishes-guidelines-on-data-protection-by-design-and-by-default.


Biometrics is one of the most powerful, but misunderstood, technologies used at airports today. The ability to increase the speed of individual processes, as well as to offer a touch-free experience throughout an entire journey, is a revolution that has been decades in the making.

The TRB Airport Cooperative Research Program's ACRP Research Report 233: Airport Biometrics: A Primer is designed to help aviation stakeholders, especially airport operators, understand the range of issues and choices available when considering, and deciding on, a scalable and effective set of solutions using biometrics. These solutions may serve as a platform to accommodate growth as well as to address the near-term focus on safe operations during the COVID-19 pandemic.
