There is a transport card in Belgium that is now being digitalized and that will be extended the coming years to other means of public transport. It seems logical - one card for one person for all his means of public transport - but for a privacypreserving architect it is a real headache. Privacy is easier to maintain when information is dispersed and it is not possible to link them. The more information is linked and integrated or - worse - reformatted into one coherent database instead of 10 different ones - even if there are sometimes ways to find some information between the different databases - the bigger the threats are for privacy. And the bigger are the consequences if the card is lost or the central database is breached or its information (backuptapes) is lost.
This is where privacypreserving technology comes in. This is not accesscontrol. Accesscontrol is only a way to control who may access this total coherent integrated database - the privacyrisk. Privacypreserving technology makes it possible to only give the data that is useful and to mask the data that is not useful personally but statistically.
So they say that this card needs to keep the three last trips of a person because one can only change the lines of transport within the hour.
Seems reasonable and logical. But why is this information on a fully paid 'all lines anytime' card where you can switch as long as you want as many times as you want ? And why is the information not limited to the lines one takes instead of the station (wipe out the station information on the badgereader and only send the lines information) and so on.
When one reads how the card functions and what information is kept and linked one can clearly see that the people around the table when he project was started were transportmanagers and marketingpeople. A privacyofficer would have changed all that while making the objective needs of the planners possible. But that information would be globalized and would be anonymous (datamasking).
On the contrary with datamasking one could have collected much more information than they have now without all the continuing never ending battles around privacyconcerns.
It is not personalisation that is important in datamining because with personalisation comes a whole bunch of privacyconcerns that may derail your multimillion project anytime. It is globalisation of the information and datamining for realtime trends that is important.
It is possible that they do this. But they never said so. And they never said so because they have no privacyofficer who can explain this and guarantee this.
In the States big government agencies and public utilities and companies have a special privacy officer. Just to be sure that they keep privacy in mind from the beginning of a project and that it doesn't derail their multiyear multimillion projects because they have forgotten to integrate it in its architecture, process and communication.
And it is not because it is not illegal that it is acceptable. This is surely the case with privacy.