Users to get help with data protection

Systems designers are being encouraged to incorporate privacy-friendly features into IT products to help end users comply with data protection laws.

The UK Data Protection Commissioner is planning to produce a guide to help systems designers incorporate such features into IT systems. The guide will explain how designers can build systems that allow users to meet their obligations under data protection law, and encourage the application of Privacy Enhancing Technologies (Pets).

Recently introduced data protection laws in the UK place duties on users rather than designers. Including Pets at the design stage would help avoid costly systems changes when IT systems are found not to comply with data protection law.

The law says that processing of personal data should be limited to that which is necessary to achieve an objective, so systems should not process identifiable data where it can be reasonably avoided.

David Smith, assistant data protection registrar, said: "It could save a lot of time and expense." Achieving privacy compliance is "a lot cheaper if it is built in at the beginning rather than bolted on afterwards on discovering a system breaches to the Data Protection Act".

Recently, there have been privacy fears over hardware and software products that can assist in identifying users on the internet. Last year, for example, concerns were raised over the processor serial number in Intel's Pentium III chip. The Registrar says early recognition of privacy and data protection considerations at the design stage might have resolved these problems.

Smith said a classic example of a privacy design mistake was the poll tax system. It had a mandatory 'date of birth' field built into it which was later judged excessive under the Act, so the fields had to be rewritten.

Systems can help achieve data protection compliance by ensuring accuracy of personal data, for example, or including on-screen prompts and record responses to ensure that explicit consent is obtained to processing sensitive data.

Identity protectors, which control the release of the individual's true identity to the various processes in the information system, could be implemented in software, or as a physical token held by the individual, such as a smartcard.

The regulator hopes that the guide will lead to the incorporation of its principles in recognised design methodologies, such as the structured systems analysis and design method.