Privacy Impact Assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. The GDPR is far from being merely a technical regulation and one intention of the GDPR is to engender good business ethics with regard to the handling of sensitive data and information.
Data controllers must carry out Data Protection Impact Assessments (DPIAs) to evaluate the origin, nature, particularity and severity of the privacy risk to individuals before processing personally identifiable information. The DPIA should also include any measures, safeguards and mechanisms to remove or reduce the identified risks. A DPIA is a specialised form of a PIA that is related to the handling and processing of data.
The processes and practices implemented by organisations should reflect the methodology of using a Privacy by Design approach to business systems. Undertaking a PIA/DPIA is not a mandatory part of the GDPR, but in doing so, organisations can show that they are compliant with the Act.
Conducting a PIA is designed to accomplish three main goals:
- Ensuring conformance with applicable legal, regulatory, and policy requirements for privacy.
- Determining the risks and effects.
- Evaluating protections and alternative processes to mitigate potential privacy risks.
What does a PIA apply to?
PIAs/DPIAs are most often applied to new projects, because this allows greater scope for influencing how the project will be implemented. A PIA can also be useful when an organisation is planning changes to an existing system. When used to review an existing system, the organisation needs to ensure that there is a realistic opportunity for the process to bring about necessary changes to the system. The purpose of the PIA is to ensure that privacy risks are minimised while allowing the aims of the project to be met wherever possible. The types of situation where it may be appropriate to carry out a PIA include the following:
- New IT systems for storing and accessing personal data.
- Data sharing initiatives where two or more organisations seek to pool or link sets of personal data.
- A proposal to identify people in a particular group or demographic AND initiate a course of action.
- Using existing data for a new and unexpected or more intrusive purpose.
- New surveillance systems or the application of new technology to an existing system (for example adding Automatic number plate recognition capabilities to existing CCTV).
- New databases that consolidate information held by separate parts of an organisation.
- Legislation, policy or strategies which will impact on privacy through the collection or use of information, or through surveillance or other monitoring.
What is Privacy Risk?
Privacy is essentially the right of individuals to be let alone, and privacy risk is primarily about assessing the risk to the individuals affected, in terms of the potential for damage or distress caused by inappropriate disclosure. Harms can be tangible, such as financial loss, or they may be personal, such as loss of social standing or harm to personal relationships.
There will also be corporate risks to be considered when carrying out the project, such as the financial and reputational impact of a data breach. Projects with higher risk levels and which are more intrusive are likely to have a higher impact on privacy.
The legislation for most organisations impacts areas of informational privacy – the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others.
Privacy Intrusion can include the collection of information through the surveillance or monitoring of how people act in public or private spaces and through the monitoring of communications whether by post, phone or online and extends to monitoring the records of senders and recipients as well as the content of messages.
Risks to consider in assessing the informational privacy of a project include identifying:
- Inaccurate, insufficient or out of date information.
- Excessive or irrelevant information collection.
- Disclosure of personal information without consent and the misuse of such information.
- How long data is kept for.
- Information disclosed to those who the person it is about does not want to have it.
- Where information is used in ways that are unacceptable to or unexpected by the person it is about.
- Information not being kept securely.
Privacy risk is highly contextual and its impact differs from one organisation to another. What matters is to minimise the risk of harm to individuals by considering the nature of the relationship between the organisation and the individual data subject; the reasonable expectations of how the activity of individuals will be monitored; the expected level of interaction between an individual and the organisation; and the individual's level of understanding of how and why particular decisions are made about them.
The backdrop to the legislation is respect for the individuals’ private life that should be interfered with only when it is necessary to meet a legitimate social need, as outlined in Article 8 of the European Convention on Human Rights.
The PIA Process
The process that is followed is outlined in the diagram below, and the key is to start the process early on in the stages of a project to ensure that any risks are flagged in the early stages. Issues and risks should be recorded in a project Privacy Risk register.
The data privacy aspects of a project are considered in depth in the second step – describing the information flows. No methodology is prescribed for this step, but the methods that data professionals and analysts could use include data flow diagrams, privacy data models, Entity-Relationship diagrams, data access models, interface and data exchange details, and data storage models. These should include locations of any on or off premises storage as well as backup and security regimes.
An assessment of the privacy risks inherent in a project is dependent upon identifying the risks to the data (and information like documents, forms, etc.) whilst at rest, in transit and in use. From these assessments, the options and costs of implementing security and privacy mitigating controls (process changes, document sensitivity tagging, encryption, access controls, storage policies) can be identified for incorporation into the project.
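The "describe the information flows" and risk-identification steps above can be made concrete by recording each flow in a structured form and deriving privacy risk register entries from it. The following is an added illustration, not code from the original article or from any PIA toolkit: the `DataFlow` schema, the clinic sample flows, the 365-day retention threshold and the suggested controls are all constructed assumptions. Each check corresponds to one of the risk types the article lists (excessive access, unexpected use, retention period, data not kept securely, and data at rest or in transit), and severity is raised where special-category data is involved.

```python
"""Toy privacy risk register builder for the PIA/DPIA information-flow step.

Added illustration: the flow schema, sample flows and thresholds are constructed
and do not come from any real project or from the original article.
"""
from dataclasses import dataclass
from typing import List

# GDPR Article 9 special categories, used only to raise severity (constructed subset).
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "ethnicity", "religion",
                      "political_opinion", "trade_union", "sex_life"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class DataFlow:
    """One information flow from a data flow diagram (constructed schema)."""
    name: str
    data_categories: List[str]     # e.g. ["name", "email", "health"]
    source: str
    destination: str
    storage_location: str          # "on-premises" or "off-premises"
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    retention_days: int
    access_roles: List[str]        # roles that can read the stored data
    purpose: str                   # purpose of this processing
    notified_purposes: List[str]   # purposes the data subject was told about


@dataclass
class RiskEntry:
    """One line of the project privacy risk register."""
    flow: str
    risk: str
    severity: str
    mitigation: str


def assess_flow(flow: DataFlow, max_retention_days: int = 365) -> List[RiskEntry]:
    """Map one flow onto the risk types the article lists and suggest a control for each."""
    sensitive = bool(set(flow.data_categories) & SPECIAL_CATEGORIES)
    escalate = "high" if sensitive else "medium"
    risks: List[RiskEntry] = []

    if not flow.encrypted_in_transit:
        risks.append(RiskEntry(flow.name, "Personal data sent unencrypted in transit", escalate,
                               f"Require TLS between {flow.source} and {flow.destination}"))
    if not flow.encrypted_at_rest:
        sev = "high" if (sensitive or flow.storage_location == "off-premises") else "medium"
        risks.append(RiskEntry(flow.name, f"Data stored unencrypted ({flow.storage_location})", sev,
                               "Encrypt storage and backups; document key management"))
    if flow.retention_days > max_retention_days:
        risks.append(RiskEntry(flow.name,
                               f"Retention of {flow.retention_days} days exceeds policy ({max_retention_days})",
                               "medium", "Define a retention schedule and automate deletion"))
    if flow.purpose not in flow.notified_purposes:
        risks.append(RiskEntry(flow.name, f"Use for '{flow.purpose}' not notified to data subjects",
                               "high", "Update the privacy notice or obtain consent before processing"))
    if "all_staff" in flow.access_roles:
        risks.append(RiskEntry(flow.name, "Access granted to all staff rather than named roles",
                               escalate, "Restrict access to roles with a need to know; log access"))
    return risks


def build_risk_register(flows: List[DataFlow], max_retention_days: int = 365) -> List[RiskEntry]:
    """Collect risks from every flow and order them by severity for the risk register."""
    register = [r for f in flows for r in assess_flow(f, max_retention_days)]
    return sorted(register, key=lambda r: (SEVERITY_ORDER[r.severity], r.flow))


# Constructed sample flows for a hypothetical clinic appointment system.
SAMPLE_FLOWS = [
    DataFlow("booking-form-to-db", ["name", "email", "health"], "web form", "appointments-db",
             "on-premises", True, True, 180, ["reception", "clinician"],
             "appointment booking", ["appointment booking"]),
    DataFlow("db-to-marketing-export", ["name", "email", "health"], "appointments-db",
             "mailing-tool", "off-premises", False, False, 1095, ["all_staff"],
             "marketing", ["appointment booking"]),
]

if __name__ == "__main__":
    for entry in build_risk_register(SAMPLE_FLOWS):
        print(f"[{entry.severity.upper():6}] {entry.flow}: {entry.risk} -> {entry.mitigation}")
```

Run as a script, the first flow produces no entries, while the marketing export yields four high-severity entries (unencrypted transit and storage of special-category data, an unnotified purpose, and blanket staff access) plus one medium retention finding, which is the shape of output a project risk register needs before mitigation options and costs are weighed.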
Customers will be reassured that the organisations which use their information have followed best practice and a PIA should improve transparency and make it easier for them to understand how and why their information is being used.
The process of conducting the assessment will improve how organisations use information which impacts on individual privacy, and reduce the likelihood of failing to meet legal obligations by providing evidence that the privacy aspects of a project were considered.
Conducting a PIA/DPIA will help an organisation to build trust with the people using its services, and the actions taken during and after the process can improve an organisation's understanding of its customers. Building the PIA process into projects enhances the trustworthiness credentials of companies.
Identifying problems early can lead to simpler and less costly solutions. A PIA can also reduce the ongoing costs of a project by minimising the surface area of information being collected and used, and devising more straightforward processes.
More generally, consistent use of PIAs will increase the awareness of privacy and data protection issues within an organisation and ensure that all relevant staff involved in designing projects think about privacy at the early stages of a project.
Although the implementation of PIAs and DPIAs into projects may appear daunting, it should flow naturally from considering the impact of new and updated systems on the privacy concerns of customers. Incorporating these steps into an early assessment of projects which handle sensitive information can ensure business information is handled ethically and in a manner compliant with the principles of the GDPR.
ICO Code of Practice and Guidelines
The GDPR and Data Minimisation