Privacy

Ensuring that people can decide if and how their personal information is collected, used, stored, and shared by digital products, platforms, services, and infrastructure

For dotPublic, Privacy means safeguarding the rights of every person to decide who knows what about them, and to be left alone by those who have no business with them.

For a public-serving entity, respecting a person's privacy means taking no information about them without their explicit consent, taking only what is needed to do the work or deliver the service, holding any information they take securely and in confidence, and never passing it on to anyone unless the person has explicitly agreed. It means not tracking the actions or behaviours of visitors to its services, and obtaining valid and active consent for any action it takes using a person’s data, including any communications with them.

Example requirements (illustrative)

These example requirements are grounded in established international standards, regulations, and laws, which are listed in full in the section below.

• Systems are designed according to principles of data minimisation, privacy by default, and resistance to unnecessary monitoring or profiling.

• Privacy and human-rights impact assessments are conducted and published before deployment of significant new systems involving personal data, AI, or behavioural monitoring.

• Personal data collected only where necessary for delivery of the stated public service or function.

• No non-essential cookies, trackers, or behavioural advertising technologies activated before explicit consent.

• Organisations publish a clear, human-readable explanation of what personal data is collected, why it is collected, how long it is retained, and who it is shared with.

• People can access, correct, export, and request deletion of their personal data through clear and accessible processes.

Standards, regulations, and laws informing this work

• Council of Europe (CoE) | Convention 108 and Protocols on the Protection of Personal Data
• Council of Europe (CoE) | European Convention on Human Rights (ECHR), Article 8
• EU | Artificial Intelligence Act (AI Act) 2024
• EU | Cyber Resilience Act (CRA) 2024
• EU | Data Act 2023
• EU | Digital Markets Act (DMA) 2022
• EU | Digital Services Act (DSA) 2022
• EU | ePrivacy Directive 2002
• EU | General Data Protection Regulation (GDPR) 2016
• EU | Network and Information Security Directive (NIS2) 2022
• International Organization for Standardization (ISO) | Information Security Management (ISO/IEC 27001) 2022
• International Organization for Standardization (ISO) | Privacy Architecture Framework (ISO/IEC 29101) 2018
• UK | Data (Use and Access) Act 2025
• UK | Online Safety Act (OSA) 2023
• UK | Privacy and Electronic Communications Regulations (PECR) 2003
• UK | UK General Data Protection Regulation (UK GDPR)
• US | National Institute of Standards and Technology (NIST) Privacy Framework

Organisations working in this area

• Alliance for Universal Digital Rights (AUDRi) | UK-based membership organisation
• An Coimisiún um Chosaint Sonraí / Data Protection Commission (DPC) | Irish government regulator
• Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) Federal Commissioner for Data Protection and Freedom of Information | German government regulator
• Bits of Freedom | Netherlands-based nonprofit
• Brussels Privacy Hub | Belgium-based research organisation
• Commission nationale de l'informatique et des libertés (CNIL) National Commission for Information Technology and Civil Liberties | French government regulator
• Digitalcourage | Germany-based nonprofit
• Electronic Privacy Information Center (EPIC) | US-based nonprofit
• Epicenter.works | Austria-based nonprofit
• European Data Protection Board (EDPB) | EU regulator
• First International Data Union (FIDU) | UK-based nonprofit
• The Glass Room | Germany-based project
• Human Rights for Digital Identity (HR4ID) | Global community
• Information Commissioner's Office (ICO) | UK government regulator
• International Organization for Standardization (ISO) | Switzerland-based standards organisation
• The Interpeer Project | Germany-based project
• Liberty | UK-based nonprofit
• MENA (Middle East and North Africa) Alliance for Digital Rights | Middle East and North Africa-based community
• Noyb (None of Your Business) European Center for Digital Rights | Austria-based nonprofit
• Office of the Australian Information Commissioner (OAIC) | Australian government regulator
• Proton Foundation | Switzerland-based nonprofit
• Privacy Guides | US-based nonprofit
• Privacy International | UK-based nonprofit
• Rebel Tech Alliance | UK-based nonprofit
• Since You Arrived | Global project
• YourDigitalRights.org | UK-based project