Privacy by design
Published: October 21, 2025

Week four of Cyber Security Awareness Month explores privacy by design — embedding privacy into every system, process and decision from the start.
What is privacy by design?
Privacy by design starts with respect for personal information. At its core, it’s about building privacy into systems, processes and decisions from the beginning, not adding it later as an afterthought. It means starting any project by asking key questions: What personal information are we going to ask for? Is collecting this information necessary or merely helpful? Does the benefit of this information outweigh the privacy risks? Are there reasonable alternatives to collecting it? These questions can prompt discussions about what a project truly needs and help avoid over-collection of data.
“Beginning with a privacy mindset means each decision is made with respect for others’ privacy as a principle,” says Sarah Lowy, the university’s director of privacy. “It reduces the risks associated with privacy breaches and ensures compliance with legal requirements as set out in the Freedom of Information and Protection of Privacy Act (FIPPA).”
Starting with this approach also leads naturally to discussions about who should have access to this information, how it needs to be protected, how long it needs to be stored and other decisions critical to protecting personal information.
“Privacy by design makes privacy simple, meaningful and built-in,” says Ashley Langille, privacy analyst, Information Security. “It builds trusted standards that stand the test of time and empower people across borders.”
Why is privacy by design important?
By embedding privacy into our core values and planning for it from the start, we strengthen trust between the university and the people whose information we hold. That trust allows U of T to innovate responsibly, conduct world-class research and support our community with confidence.
Privacy by design in action
The Learner Experience Unit (LEU) in Temerty Faculty of Medicine applied privacy by design when developing an online disclosure form for learners to report concerns about mistreatment. Because these reports often include sensitive personal information, the team prioritized confidentiality and secure data management from the outset.
Working with MedIT and Postgraduate Medical Education, the LEU created a secure database with access limited to authorized staff, allowing cases to be tracked responsibly while protecting individual privacy. This infrastructure supports accountability across the faculty by enabling the secure collection, analysis and reporting of data.
“Our partners have brought so much thought and care to ensuring data is managed ethically, securely and in compliance with FIPPA,” says Reena Pattani, director of learner experience, Temerty Medicine. “Their contributions have enabled significant innovation within the LEU.”
Special considerations for researchers
For researchers, the use of identifiable data (including health data) brings special considerations and the need for additional diligence. The Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2) sets national standards for safeguarding participant information and ensuring ethical handling of research data.
The Research Information Security Program (RISP) supports researchers with guidance on:
- Anonymizing data: Protect privacy while maintaining data usefulness.
- Securing systems: Encrypt data, patch devices, secure research spaces and plan for secure travel.
- Consulting experts: Assess risks and safeguard sensitive research data.
Learn more at Data Security Standards for Confidential Data in Research.
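The first bullet above, "anonymizing data while maintaining data usefulness," is the one item in this list that hides a concrete technique. The following is an added example written for this page; it is not code from RISP, the U of T FIPP Office or any university system, and the records, key and field names in it are constructed for illustration. It shows three steps a research team typically combines: replacing a direct identifier (email) with a keyed pseudonym so a participant's rows can still be linked, generalizing quasi-identifiers (exact age to a ten-year band, full postal code to its first three characters), and suppressing any row whose quasi-identifier combination is shared by fewer than k rows. It also shows why the pseudonym must be keyed: an unkeyed SHA-256 of an email is recovered by simply hashing a list of candidate addresses.

```python
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed sample records (hypothetical participants, not real data).
RECORDS = [
    {"email": "alice@example.edu", "age": 23, "postal": "M5S 1A1", "dept": "Medicine",  "score": 71},
    {"email": "bob@example.edu",   "age": 27, "postal": "M5S 2B2", "dept": "Medicine",  "score": 64},
    {"email": "carol@example.edu", "age": 34, "postal": "M4Y 1C3", "dept": "Nursing",   "score": 80},
    {"email": "dan@example.edu",   "age": 31, "postal": "M4Y 9Z9", "dept": "Nursing",   "score": 77},
    {"email": "eve@example.edu",   "age": 58, "postal": "L5B 4K1", "dept": "Dentistry", "score": 90},
]

# Constructed demo key. In practice the key lives in a secret store, separate from
# the de-identified dataset, and is destroyed once re-linking is no longer needed.
KEY = b"constructed-demo-key-do-not-reuse"


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of an identifier: NOT a safe pseudonym (see guess_from_digest)."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars). The same input always
    maps to the same token, so one participant's rows stay linkable, but without the
    key an attacker cannot confirm a guess by re-hashing candidate emails."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def guess_from_digest(digest: str, candidates: list) -> Optional[str]:
    """Dictionary attack: return the candidate whose unkeyed SHA-256 equals digest."""
    for c in candidates:
        if unkeyed_hash(c) == digest:
            return c
    return None


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band (23 -> '20-29')."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def fsa(postal: str) -> str:
    """Keep only the forward sortation area (first three characters) of a Canadian postal code."""
    return postal.replace(" ", "").upper()[:3]


def _quasi(row: dict) -> tuple:
    """The quasi-identifier combination an attacker could match against outside data."""
    return (row["age_band"], row["fsa"], row["dept"])


def anonymize(records: list, key: bytes, k: int = 2) -> tuple:
    """Drop direct identifiers, generalize quasi-identifiers, then enforce k-anonymity:
    a row whose (age_band, fsa, dept) combination appears fewer than k times is
    suppressed, because it would single out one person. Returns (kept_rows, suppressed)."""
    rows = [
        {
            "pid": pseudonymize(r["email"], key),
            "age_band": age_band(r["age"]),
            "fsa": fsa(r["postal"]),
            "dept": r["dept"],
            "score": r["score"],  # the analytic value the study actually needs
        }
        for r in records
    ]
    class_sizes = Counter(_quasi(r) for r in rows)
    kept = [r for r in rows if class_sizes[_quasi(r)] >= k]
    return kept, len(rows) - len(kept)


if __name__ == "__main__":
    kept, dropped = anonymize(RECORDS, KEY, k=2)
    print(f"kept {len(kept)} rows, suppressed {dropped}")
    for row in kept:
        print(row)
    # Why the key matters: an unkeyed hash of an email is guessable from a candidate list.
    emails = [r["email"] for r in RECORDS]
    print("unkeyed hash recovered:", guess_from_digest(unkeyed_hash("alice@example.edu"), emails))
    print("keyed pseudonym recovered:", guess_from_digest(pseudonymize("alice@example.edu", KEY), emails))
```

With the constructed records, the Dentistry row is the only one in its (age band, FSA, department) class and is suppressed at k=2; raising k to 3 suppresses every row, which is the usual trade-off the bullet alludes to: the more strongly a small dataset is protected, the less of it survives for analysis. The choice of k, which fields count as quasi-identifiers, and who holds the pseudonymization key are exactly the decisions to settle with the privacy office before collection starts, not after.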
Have questions about privacy? Contact the U of T FIPP Office at privacy@utoronto.ca or create an Enterprise Service Centre ticket.
