Privacy by design for financial services
Privacy should be integrated into a product’s initial design—not retrofitted later
The rapid evolution of digital payments is altering the landscape of India and is serving as a model for other countries. The entry point for the Indian consumer is increasingly digital and remote, resulting in a revolutionary change in the way financial services are delivered. A consequence of the shift to digital has been the creation and collection of vast amounts of customer information. Fittingly, India also stands at the forefront of the debate over data protection, helping to shape the global dialogue on next-generation ways to protect data.
One way to advance that effort would be to incorporate Privacy by Design (PbD), a concept developed by Ann Cavoukian—the former information and privacy commissioner for the Ontario province in Canada—in the 1990s.
At its core, PbD is the idea that privacy should be integrated into a product’s initial design—not retrofitted later. The approach has many merits. Addressing privacy issues at an early stage is often simpler and less costly than re-engineering a system that already holds customer data. It can also help companies avoid legal entanglements and public relations nightmares around privacy issues. Starting in May 2018, PbD will be a requirement in the European Union under the General Data Protection Regulation (GDPR), whose Article 25 obliges organizations to implement data protection by design and by default.
Cavoukian developed seven principles to help companies, such as financial services providers, integrate PbD into their businesses.
1. Be proactive not reactive, preventative not remedial: Anticipate and prevent privacy-invasive events before they happen. Just because a firm’s information practices are legal doesn’t mean that they’re wise. PbD calls for thinking about whether consumers and regulators might react negatively to new uses of information.
2. Make privacy the default setting: Since defaults tend to be the setting most people use, it is important that those settings be privacy protective. In other words, consumers should not have to change their settings to protect their privacy. For example, email addresses should not be used for marketing and transaction records should not be shared with other companies without affirmative customer consent.
3. Embed privacy into design: Privacy should not be bolted on as an add-on, after the fact. It should be integral to the system without diminishing functionality. Giving customers the ability to transfer their records to another firm (portability) enhances competition by making it easier for new firms to enter the market. As part of their initial design, apps and web pages could be programmed to process such transfer requests.
4. Adopt a win-win approach: Building privacy into a product’s design doesn’t necessarily mean trading off other features: privacy isn’t a zero-sum game. Firms that adopt thoughtful PbD may be better positioned to win and maintain consumer trust. Keeping customer records indefinitely—long after they are useful—can pose an unnecessary risk if there is a security breach. Adopting a disposal programme for outdated records protects both firms and their customers from the risk of improper disclosure.
5. Employ end-to-end security: PbD extends security throughout the entire life cycle of data, ensuring that data is securely retained and then securely destroyed at the end of the process. In some cases, this would call for encryption of data both in transit and while stored on a company’s computers, so that an attacker who copies the stored data but does not hold the keys gets nothing usable; the keys themselves must then be managed and protected with the same care. It also means that paper bank records should not be thrown out in the trash unless they have been shredded or burned.
6. Show visibility and transparency: Business practices and the technology should be operated according to stated promises and objectives, subject to independent verification. Even if privacy policies often go unread by customers, they can still serve as a standard for companies to meet and be evaluated against.
7. Demonstrate respect for user privacy: Empowering data subjects to play an active role in the management of their own data may be the single most effective check against abuses and misuses of privacy and personal data. This includes providing individuals access to information and the opportunity to dispute and have corrected information that is incorrect, incomplete, or out of date. The Digital Locker, part of the India Stack, can be a tool for individuals to control who accesses their information while creating an auditable record of when their records are accessed.
Imagine how a PbD requirement might work in practice. A financial institution wants to offer a new money transfer service through consumers’ mobile devices. One of many privacy issues that might arise is the question of who has access to a consumer’s payment transfer history. Some consumers might not want everyone who uses the service to know who they transact with. If the financial institution does not stop to think about potential privacy issues, it might miss a major consumer concern.
PbD requires this thought process and gives direction about how to address issues that are identified. How would that work in this case? With privacy as the default, instead of having to retrofit its system, transaction records would not automatically be shared. But, for those consumers who don’t mind, or even prefer, to have their transaction histories shared, the system, as part of its design, could permit them to choose—by opting in—such sharing.
Using PbD principles, the privacy thought process will occur again and again during the design phase, helping to prevent privacy crises and promoting good consumer-oriented business practices.
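The money transfer scenario above can be made concrete in code. The following is an added illustration, not code from the article or from any real payment provider: a toy transfer service in which the privacy decisions are part of the class design rather than bolted on. Transaction history is private unless the account holder opts in (principle 2), every attempt to read someone’s history is logged so the data subject can see who looked (principle 7), and records past a retention period are disposed of (principle 4). The account names, amounts and retention period are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int          # minor currency units, e.g. paise
    at: datetime


class TransferService:
    """Toy mobile money-transfer back end (constructed for illustration).

    Privacy is a property of the design itself:
      * history is private unless the account holder opts in,
      * every read of someone's history is recorded, denied or not,
      * records past the retention period are disposed of.
    """

    def __init__(self, retention_days: int = 365) -> None:
        self.retention = timedelta(days=retention_days)
        self._transfers: list[Transfer] = []
        # Absence from this dict means "not shared": the default is private,
        # so a user who never touches their settings is protected.
        self._shares_history: dict[str, bool] = {}
        self._audit: list[dict] = []

    def record(self, sender: str, recipient: str, amount: int, at: datetime) -> None:
        self._transfers.append(Transfer(sender, recipient, amount, at))

    def set_history_sharing(self, user: str, enabled: bool) -> None:
        """Affirmative, revocable opt-in; the service never switches it on itself."""
        self._shares_history[user] = enabled

    def history(self, requester: str, subject: str, now: datetime) -> list[Transfer]:
        """Return the subject's transfers, or raise PermissionError.

        The decision is logged before any data is returned, so a denied
        request leaves a trace the data subject can later inspect.
        """
        allowed = requester == subject or self._shares_history.get(subject, False)
        self._audit.append({"when": now, "requester": requester,
                            "subject": subject, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{requester} may not view {subject}'s history")
        return [t for t in self._transfers if subject in (t.sender, t.recipient)]

    def access_log(self, subject: str) -> list[dict]:
        """Let a data subject see who looked at (or tried to look at) their data."""
        return [e for e in self._audit if e["subject"] == subject]

    def purge_expired(self, now: datetime) -> int:
        """Dispose of transfers older than the retention period; return how many."""
        cutoff = now - self.retention
        keep = [t for t in self._transfers if t.at >= cutoff]
        removed = len(self._transfers) - len(keep)
        self._transfers = keep
        return removed


def demo() -> dict:
    """Walk through the article's scenario on constructed sample data."""
    now = datetime(2018, 3, 1, tzinfo=timezone.utc)
    svc = TransferService(retention_days=365)
    svc.record("asha", "ravi", 50_000, now - timedelta(days=400))   # past retention
    svc.record("asha", "meena", 1_200, now - timedelta(days=3))
    svc.record("ravi", "asha", 700, now - timedelta(days=1))

    result = {}
    # 1. Default: another user cannot read Asha's history.
    try:
        svc.history("ravi", "asha", now)
        result["third_party_default"] = "allowed"
    except PermissionError:
        result["third_party_default"] = "denied"
    # 2. Asha can always read her own history.
    result["own_rows"] = len(svc.history("asha", "asha", now))
    # 3. After Asha opts in, the same third-party request succeeds.
    svc.set_history_sharing("asha", True)
    result["after_opt_in_rows"] = len(svc.history("ravi", "asha", now))
    # 4. Asha can see every access attempt so far, including the denied one.
    result["audit_entries"] = len(svc.access_log("asha"))
    # 5. Disposal removes only the 400-day-old record.
    result["purged"] = svc.purge_expired(now)
    result["remaining"] = len(svc.history("asha", "asha", now))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the structure is that the safe behaviour costs the developer nothing extra: a user who never visits a settings screen is already covered, the audit trail is written on the same code path as the access decision so it cannot be skipped, and disposal is a routine job rather than a one-off clean-up after a breach.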
David Medine is a senior adviser at Consultative Group to Assist the Poor