The Information Commissioner's Office (ICO) has outlined a draft new code of practice on conducting PIAs (55-page / 491KB PDF) which it said will help businesses decide whether to carry out a PIA and, if so, the processes they should follow.
According to the ICO's draft code, which is open to consultation until 5 November, PIAs should be carried out at a time when new projects are planned, or when revisions are intended to existing practices. It said businesses conducting PIAs should ensure that their project plans are sufficiently flexible to allow for amendment in the event that the outcome of a PIA identifies privacy issues that need to be addressed.
A PIA can be conducted for any new project involving the use of personal data, the ICO said. However, it is a particularly suitable tool for businesses to use when they are introducing new IT systems for storing and accessing personal information, planning to participate in a new data sharing initiative with other organisations, initiating actions based on a policy of identifying particular demographics, or intending to use existing data collected for a "new and unexpected or more intrusive purpose", the watchdog said.
A privacy impact assessment (or PIA) is simply a process for evaluating a proposal to identify its potential effects upon individual privacy and data protection compliance; to examine how any detrimental effects might be overcome; and to ensure that new projects comply with the data protection principles. In the UK, the Data Protection Act (DPA) does not oblige organisations to conduct privacy impact assessments, but the ICO said they are useful tools for organisations to use to help them comply with the requirements set out in the DPA. Reforms to the EU data protection framework could see PIAs become mandatory for certain kinds of personal data processing.
"A PIA is designed to go further than a straightforward compliance check against the DPA or other legislation," the ICO said. "A compliance check is more likely to focus on ensuring that any processing of personal data complies with the DPA and other relevant legislation. A PIA should go beyond this and include a wider understanding of privacy concerns. In particular a PIA should prompt organisations to think about a project from the perspective of the individuals affected."
"As the DPA is the key driver of PIAs, privacy of personal data will lie at the core of the assessment but focusing on the general concept of privacy will bring many benefits. And it is more efficient for organisations to address privacy risks in one process," it added.
The ICO said that organisations carrying out PIAs should consult internally and externally with individuals who would be involved in or affected by planned projects. It said consultation need not be seen as a "separate step" from the processes involved in conducting PIAs.
"Consultation is an important part of a PIA and allows people to highlight privacy risks and solutions based on their own area of interest or expertise," the ICO said. "Consultation can take place at any point in the PIA process."
"Internal consultation will usually be with a range of internal stakeholders to ensure that all relevant perspectives are taken into account. External consultation provides the opportunity to get input from the people who will ultimately be affected by the project and to benefit from wider expertise," it said.
The ICO's draft code includes a number of "screening questions" businesses can ask themselves to determine when a PIA is needed.
"The purpose of the PIA is to ensure that privacy risks are minimised while allowing the aims of the project to be met whenever possible," the ICO said. "Risks can be identified and addressed at an early stage by analysing how the proposed uses of personal information and technology will work in practice. This analysis can be tested by consulting with people who will be working on, or affected by, the project."
"A PIA will help ensure that an organisation is taking a proportionate approach to the use of personal data. It requires organisations to identify why a project is necessary and what it is aiming to achieve. The PIA will then help to achieve these aims without a disproportionate impact on privacy. Conducting a PIA does not have to be complex or time consuming but there must be a level of rigour in proportion to the privacy risks arising," it said.
The draft code is a follow-up to the privacy impact assessment handbook the ICO launched in 2007 to help organisations address the risks to personal privacy before implementing new initiatives and technologies.
Last month the ICO issued an enforcement notice to Hertfordshire Constabulary in which it ordered the force to stop using Automatic Number Plate Recognition technology to process individuals’ personal information unless, following a privacy impact assessment, the activity could be justified.
“The UK has long played a leading role in promoting PIAs,” said data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com. “Under proposed EU data protection reforms, PIAs could soon be put on a statutory footing. They are a useful tool for practitioners to use for projects of any appreciable scale, although there are definitely issues in how they can best be executed. For those reasons a code of practice from the ICO and its consultation on the issue is good news and to be welcomed.”