# Privacy by design policy
# Bare Act
# Section 22(1)
Every data fiduciary shall prepare a privacy by design policy, containing:
(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;
(b) the obligations of data fiduciaries;
(c) the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
(e) the protection of privacy throughout processing from the point of collection to deletion of personal data;
(f) the processing of personal data in a transparent manner; and
(g) the interest of the data principal is accounted for at every stage of processing of personal data.
# Section 22(2)
Subject to the regulations made by the Authority, the data fiduciary may submit its privacy by design policy prepared under sub-section (1) to the Authority for certification within such period and in such manner as may be specified by regulations.
# Section 22(3)
The Authority, or an officer authorised by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements of sub-section (1).
# Section 22(4)
The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority.