At a conference on the ‘surveillance society’ in Manchester the
ICO will say that the data breach at HM Revenue and Customs was a
watershed and will call for organisations to implement new
safeguards to help protect individuals’ privacy.
The ICO is launching a privacy impact assessment handbook to
help organisations address the risks to personal privacy before
implementing new initiatives and technologies. By carrying out a
privacy impact assessment, the ICO says organisations will also
increase public confidence in data collection.
A privacy impact assessment (or PIA) is simply a process for
evaluating a proposal to identify its potential effects upon
individual privacy and data protection compliance; to examine how
any detrimental effects might be overcome; and to ensure that new
projects comply with the data protection principles.
Deputy Commissioner David Smith said: “Very often the collection
and use of personal information is essential and beneficial to
modern life but many people do not realise that data collection is
at the heart of surveillance. Each time someone gives away their
personal information they leave electronic footprints which build
up a picture of every aspect of their daily lives.”
“It is essential that before introducing new systems and
technologies, which could accelerate the growth of a surveillance
society, full consideration is given to the impact on individuals
and that safeguards are in place to minimise intrusion,” he said.
“Privacy impact assessments are a common sense approach to help
organisations develop privacy friendly ways of working.”
Privacy impact assessments are not new but are most commonly
undertaken in Canada, New Zealand, Australia, Hong Kong and the US,
particularly in the public sector. In the US and the Province of
Alberta in Canada, privacy impact assessments and their publication
are mandatory for certain new developments.
In the UK, privacy impact assessments are not mandatory, but Dr
Chris Pounder, a privacy law specialist with Pinsent Masons and
editor of Data Protection Quarterly, said that the Data Protection
Act deals with them indirectly.
“There is a principle in the Act that deals with security and
calls for a risk assessment to be performed in relation to the safe
processing of personal data by an organisation,” he said. “Also,
under the principle that relates to the transfers of personal data
to territories outside the European Economic Area, there is a need
to do a risk assessment in the context of that territory.”
“All a Privacy Impact Assessment does, in one sense, is extend
the risk assessments that need to be done under these two
principles, to all the eight principles under the Act,” said
Pounder. “This means, in theory, that all Principles should be
assessed prior to the commencement of any processing.”