Privacy by design

What you share, and who you share it with, should be up to you. Here we look at how we design and architect for privacy, and give users control over their information.

It’s not PII

There’s no way it’s PII

It was PII

a twitter data privacy haiku

Without data, what is insurance?

Insurance is an information business. It always has been; in the past, underwriters and actuaries would elicit information from potential customers, and then refer to huge tables to help them decide which risks to cover, and how to set premiums. While this manual work still goes on today in large parts of the insurance world, these days the same process is conducted electronically for the majority of retail insurance products. In order to get a price for something as simple as travel or car insurance, prospective customers are asked to divulge great swathes of information about themselves, their family, their history and assets; and sometimes this includes extremely personal details, such as their medical history.

And it’s not just when policies are taken out that information is the name of the game. The same is true when it comes to claims time, where large quantities of customer information are again requested, pored over, verified, and then filed away. 

From the insurer’s perspective, this is understandable: they want to know as much as they can about the risk they’re taking on before coming up with a price. And then before paying out, they want to make sure any claim is legitimate.

But what about all that data? Who will it be shared with? Who will have access to it? How long will it be kept? How securely will it be stored? Might it be sold to third parties like advertisers that will then hound those customers with “relevant offers”?

Privacy is the responsibility of the entire organisation

At many companies, privacy and data security often fall under the remit of a particular person or department, and they get to decide how customer data is managed. 

At Open, we believe that rather than rely solely on a small number of experts, our customers’ privacy is everyone’s responsibility. What this means in practice, is that whenever a decision needs to be made about data or privacy, everyone gets to speak up and say what feels right or wrong. Frequently, this results in a healthy debate that influences the decision that is made. 

These debates highlight how complex some of the issues are in this space. And while it’s always tempting to codify our stance on a particular topic, when faced with complexity, it tends to be difficult to do this exhaustively. Instead, we try to define and agree on a small set of principles that guide our thinking and decision-making in the space.

At Open, we use 3 core principles to inform data architecture and privacy design 

1. Users must be in control

Settings must be carefully designed to put users in control of their data. This means they should not only understand, but also be allowed to choose, what happens to their information, how it’s used and with whom it’s shared. They should always be able to adjust these settings. And, of course, they must also be able to review, amend, and delete information whenever they wish.

2. End-to-end security

We follow the core idea of privacy by design. This means having privacy and security embedded into the system prior to the first element of information being collected, and extending securely throughout the entire lifecycle of the data involved.

3. Regularly test privacy designs against community expectations

We’ve seen countless examples of businesses operating within the law, yet failing to meet community expectations when it comes to privacy. This is why we believe it’s imperative to regularly test the way that we apply our privacy policy with customers and stakeholders, and regularly ask the question “just because we can, does it mean we should?”.

Where to from here?

We don’t profess to have solved all of the problems and issues that plague the privacy space. Instead, as with many challenges we try to overcome at Open, we are on a journey. A journey of continual self-examination, questioning and collaboration, a journey that hopefully continues on a positive trajectory as more answers become clear, and as the expectations of the wider community evolve.

We’d love to hear how other businesses are engaging with communities to understand changing expectations. Let us know about your views and if you have any questions please let us know.