Privacy by Design

Privacy by Design (PbD) is a set of seven principles that the Information and Privacy Commissioner of Ontario developed during the 1990s, which became a globally recognised framework for the protection of privacy.  PbD seeks to proactively embed privacy into the design specifications of information technologies, organizational practices, and networked system architectures.  The PbD framework can help institutions plan for compliance with the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act by having them consider privacy implications early on.



  1. Proactive not Reactive: The PbD approach attempts to anticipate and prevent privacy-invasive events before they happen.
  2. Privacy as the Default Setting: Ensure that personal data is automatically protected in any given IT system or business practice, so that if an individual does nothing, their privacy still remains intact.
  3. Privacy Embedded into Design: Privacy should be embedded into the design and architecture of IT systems and business practices.
  4. Full Functionality – Positive-Sum, not Zero-Sum: PbD seeks to accommodate all legitimate interests and objectives in a “win-win” manner, balancing seemly opposing interests, such as security and privacy.
  5. End-to-End Security – Full Lifecycle Protection: PbD extends throughout the entire lifecycle of the data involved, from start to finish.
  6. Visibility and Transparency: It seeks to assure all stakeholders that component parts and operations remain visible and transparent, to users and providers alike.
  7. Respect for User Privacy – Keep it User-Centric: Above all, it puts the interests of the individual by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.