This paper is a joint work led by the computer science academics at the Indian Institute of Technology, New Delhi in collaboration with the Future of Finance Initiative at Dvara Research. Read the full paper here.
Governments around the world are trying to build large data registries for effective delivery of a variety of public services. However, these efforts are often undermined due to serious concerns over privacy risks associated with collection and processing of personally identifiable information. While a rich set of special-purpose privacy-preserving techniques exist in computer science, they are unable to provide end-to-end protection in alignment with legal principles in the absence of an overarching operational architecture to ensure purpose limitation and protection against insider attacks. This either leads to weak privacy protection in large designs, or adoption of overly defensive strategies to protect privacy by compromising on utility.
In this working paper, the authors present an operational architecture for privacy-by-design based on independent regulatory oversight stipulated by most data protection regimes, regulated access control, purpose limitation and data minimisation. They briefly discuss the feasibility of implementing the proposed architecture based on existing techniques. They also present some sample case studies of privacy-preserving design sketches of challenging public service applications.
The complete paper can be read here.