Privacy by design awards offer some interesting insights

May 9, 2022

The concept of Privacy by Design has been in existence since the 1990s. It has been hugely influential and is a very important set of principles for businesses and government in developing and maintaining an adequate privacy structure. It is described by the Australian Information Commissioner as:

‘Privacy by design’ is a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures. This means building privacy into the design specifications and architecture of new systems and processes.

It’s more effective and efficient to manage privacy risks proactively, rather than to retrospectively alter a product or service to address privacy issues that come to light.

CyberCX has awarded Privacy by Design Awards to organisations that have successfully implemented privacy by design. The awards for 2022 have been announced.

The results are:

  • Overall winner: Apple
  • 2022 Top Performer: Australian Corporate: National Australia Bank
  • 2022 Top Performer: Federal Government: Australian Broadcasting Corporation
  • 2022 Top Performer: State Government: Service NSW
  • Principle 1: Proactive not Reactive; Preventative not Remedial: 2022 Top Performer Apple
  • Principle 2: Privacy as the Default Setting: 2022 Top Performer Apple
  • Principle 3: Privacy Embedded into Design: 2022 Top Performer Airbnb
  • Principle 4: Full Functionality – Positive-Sum, not Zero-Sum: 2022 Top Performer BP
  • Principle 5: End-to-End Security – Full Lifecycle Protection: 2022 Top Performer Uber Eats
  • Principle 6: Visibility and Transparency – Keep it Open: 2022 Top Performer Australian Broadcasting Corporation
  • Principle 7: Respect for User Privacy – Keep it User-Centric: 2022 Top Performer Australian Broadcasting Corporation

CyberCX grouped organisations into 11 sectors:

1. Banking & Finance
2. Telco & Technology
3. General Insurance
4. Media
5. Government
6. Transport & Travel
7. Health, Fitness & Leisure
8. Property & Utilities
9. Retail
10. Food & Grocery
11. Social Media

The overall findings are:

  • The Telco & Technology sector performed the strongest overall across all 7 Privacy by Design Principles by adopting positive privacy practices, including publishing privacy and security blog posts, and by minimising the use of negative practices which result in ‘reactive’ approaches to privacy management. Other sectors with the most outstanding individual brands were the Banking & Finance and Government sectors, many of which have taken proactive measures to implement Privacy by Design.

  • The brands that differentiated themselves from the rest and performed better:

    • turned privacy into a competitive business advantage by taking a privacy by default approach to their communications and to designing their products;

    • designed customer interfaces for user transparency and trust, taking proactive steps to meaningfully inform users about how they were handling users’ personal information; and

    • made user privacy management easy, by developing user-centric privacy dashboards that provide users with greater control over their personal information.

  • The brands that performed the worst:

    • had poor Privacy Policies in place that did not meet legislative privacy requirements, performed poorly on readability tests, and were less accessible to users;

    • embedded more privacy-invasive tracking technologies as part of a user’s web browsing experience than the average brand; and

    • engaged in more third-party data sharing, including with advertising companies, than the average brand.

Regarding each Principle, CyberCX noted:

  • Principle 1: Organisations must be privacy-centric and take a proactive approach that anticipates and manages privacy risks before they occur, rather than a reactive, ad-hoc approach to responding to privacy intrusive events. Privacy by Design comes before-the-fact, not after. The best performing sector is Banking & Finance. The worst performing sectors are Social Media, Retail, and Food & Grocery.
  • Principle 2: Privacy by Default practices ensure that users don’t have to worry about their privacy settings when engaging online, as the maximum degree of privacy protections are built into settings. No action is required on the part of the individual to protect their privacy – it is built into the system, by default. The best performer was the Government sector. This score was achieved, in part, by implementing the principle of data minimisation when collecting personal information. The worst performers were Social Media platforms, through their practices requiring the collection of personal information from individuals where there were few controls in place to allow individuals to opt out of collection. CyberCX drew particular attention to tracking technologies, finding that brands used tracking technology ranging from capturing how users move their mouse to using trackers to send user data to third-party companies, stating:
    • 54 out of 100 brands loaded at least 7 or more advertising trackers on their web platforms. Of those 54 brands, 20 loaded over 15 ad trackers on a webpage.
    • CyberCX found that 26 out of 100 brands loaded three or fewer third-party cookies. 49 out of 100 brands loaded 10 or more third-party cookies on their webpages.
    • 85 out of 100 brands used canvas fingerprinting and 95 out of 100 brands used canvas font fingerprinting.
    • 70 out of 100 brands used session recording software.
    • 87 out of 100 brands used some form of keyloggers. CyberCX did not determine whether these keyloggers were deployed for legitimate or malicious purposes.
    • 38 out of 100 brands used Facebook pixels.
    • 69 out of 100 brands used Google Analytics.

  • Principle 3: When designing the architecture of systems, websites, mobile applications or software, privacy should be embedded into all design aspects – not bolted on at the end, after the fact. While there was relatively consistent performance across the 11 sectors, Banking & Finance was the top performer. It was no surprise that the Media sector produced the lowest average score, in part due to the use of keyloggers on their web platforms.
  • Principle 4: Organisations that take a positive-sum, “win-win” approach integrate privacy with other legitimate objectives and interests, such as security or user experience – this avoids trade-offs or limitations on functionality from occurring should users want to share less personal information. The Government sector performed best in the Full Functionality category, in part by allowing users to access web platform features and services without having to register and provide personal information for superficial encounters. The worst performing sectors were Retail and Transport & Travel, which were closely matched in terms of scores. This is in part due to the requirement for individuals to provide more information than is strictly necessary when accessing web platform features, goods and services.
  • Principle 5: Organisations can protect users’ personal information by implementing end-to-end security throughout the personal information lifecycle. This runs from when data is collected to when it has served its purpose and can be destroyed. Six sectors were closely matched in averaged security metrics, with the remaining 5 sectors lagging slightly behind. Positive scores were due to positive practices such as achieving an A+ rating in the Qualys SSL Labs analysis of a given web platform and its Transport Layer Security (TLS) protocol configuration. Other positive practices included not using third-party cookies or tracking technologies such as advertising trackers and canvas fingerprinting, and not engaging in session recording. Not surprisingly, the Media sector underperformed compared to other sectors due to widespread use of session recording and failure to enforce HSTS and secure first-party cookies.
  • Principle 6: To build accountability and trust, organisations should be open and transparent about their privacy policies and data practices, letting users know upfront about what they’re doing. The Banking & Finance sector was the top performer with General Insurance, and Telco & Technology closely behind. Positive performances were due in part to comprehensive, layered, and accessible privacy policies and notices. The Social Media sector consistently produced lower scores on average due to factors such as low Flesch readability scores for their privacy policies and a lack of clear, appropriately detailed privacy notices.
  • Principle 7: To ensure user-centred privacy, organisations can implement safeguards and features that make privacy management easy. This includes using strong privacy defaults, meaningful notices, and user-friendly options and controls. The General Insurance and Media sectors performed best by demonstrating a public commitment to privacy via the publication of blog posts or other media on privacy and cyber security issues. Five of the 11 sectors surveyed produced consistently lower average scores overall due to challenges around the ease with which individuals could access information about the brand’s personal information management practices. Brands also consistently omitted user controls around the operation of third-party cookies on their web platforms. Most Australian based websites did not provide users the option to control what cookies, tracking technologies and analytics technologies operated on their web platforms.

The key insights by CyberCX regarding the principles themselves are:

  • regarding Principle 1 – Strong performers turned privacy into a competitive business advantage by taking a privacy by default approach. Some leading brands found in the Telco & Technology sector developed and published Privacy Principles that guide the design of their products and service offerings, and published advice to consumers on privacy and cyber security.
  • regarding Principle 2 – Good practices observed include accessed services and cookie banners not having the most permissive privacy settings by default, and the availability of opt in/out settings. Leading brands were found in the Government sector.
  • regarding Principle 3 – Brands that performed well made it easy for users to exercise their privacy rights through the use of privacy dashboards and cookie banners that facilitated meaningful control of users’ privacy settings. Leading brands were found in the Transport & Travel, Telco & Technology, and Government sectors.
  • regarding Principle 4 – Strong performance was achieved by brands that balanced seemingly opposing interests, such as security and privacy. Leading brands were found in the Food & Grocery, and Telco & Technology sectors.
  • regarding Principle 5 – Brands engaged in several positive privacy practices, including strong encryption in transit provided by the latest Transport Layer Security (TLS) protocols and ciphers, implementing Multi-Factor Authentication (MFA), and enforcing HTTP Strict Transport Security (HSTS). Leading brands were found in the Telco & Technology and Social Media sectors.
  • regarding Principle 6 – Strong performers made the overall presentation of privacy related information and privacy features easy and clear to understand. Notable practices brands engaged in include publishing their Privacy Management Plan. Leading brands were found in the Banking & Finance and General Insurance sectors.
  • regarding Principle 7 – Brands that performed well designed their platforms for user privacy. Leading brands come from the Media, General Insurance and Telco & Technology sectors.

CyberCX had recommendations for privacy law reform. It recommended shifting the onus away from individuals and towards organisational accountability by employing an accountability-based privacy model by:

  • legislating “privacy by design and default” across the Australian Privacy Principles (APPs), an approach similar to that taken in the European Union with the General Data Protection Regulation; and

  • strengthening personal information handling practices across the APPs – for example through enhanced transparency, data collection and consent requirements.
