What is a Privacy Impact Assessment (PIA)?
1. A PIA is a process that helps assess privacy risks to individuals in the collection, use and disclosure of information. PIAs help identify privacy risks, foresee problems and bring forward solutions.
Why should an organisation complete a PIA?
2. An organisation completes a PIA for the following reasons:
- To identify privacy risks to individuals
- To identify privacy and Data Protection compliance liabilities for an organisation
- To protect an organisation’s reputation
- To instil public trust and confidence in a procurement
- To avoid expensive “bolt-on” solutions
- To inform a communications strategy
When should an organisation complete a PIA?
3. A PIA must be carried out at an early stage of development of a new project or where a major procurement is not classed as a project, or when considerable change is planned in a policy or system e.g. a Contract Change Notice (CCN) is being considered. It must always be assumed that a PIA may radically alter the direction of a policy or procurement, or even in some cases stop a procurement altogether, and thus early assessment is crucial. The sooner privacy issues are identified the sooner risks can be responded to.
4. A decision not to carry out a PIA for a new or changed policy or procurement must be recorded along with the reason for this decision.
Should a PIA be conducted for every procurement?
5. Not every procurement will require a PIA. The Information Commissioner’s Office (ICO) envisages PIAs being used only where a procurement (project) is of such wide scope, or will use personal information of such a nature, that there would be genuine risks to the privacy of the individual. PIAs will usually be recommended where a change in the law will be required, new technology is being used or where private or sensitive information which was originally collected for a limited purpose is going to be reused in a new way.
Completing a PIA – Initial assessment and screening process
6. Pre-PIA screening questions from the ICO PIA Handbook should be completed to see which level of PIA is required. Examples and further explanation of these are included in the table below.
Completing a Full Scale PIA
7. This includes a more in-depth internal assessment of privacy risks and liabilities. It analyses privacy risks, consults widely with stakeholders on privacy concerns and brings forward solutions to accept, mitigate or avoid them.
Completing a Small Scale PIA
8. This is similar to a full scale PIA, but is less formalised. It requires less exhaustive information gathering and analysis and is more likely to be used when focusing on specific aspects of a procurement.
A PIA is a framework for identifying and managing risk to privacy and confidentiality where information which can or could identify individuals (‘personal data’) is being used (‘processed’) in any way. It helps RoS to:
- Comply with legal obligations to protect personal data
- Undertake risk assessment in a structured way
- Manage and control risk appropriately and proportionately
- Record evidence that risk assessment has been conducted
The PIA process should always be proportionate to risk – a low risk proposal will merit a short PIA focusing on key risk/s, with a higher risk proposal meriting a more detailed PIA.
A PIA should be initiated at an early stage in a project or proposal – as soon as a clear idea of the project or proposal exists, prior to, or as part of, project approval.
The PIA can be iterative if this is appropriate – an initial or early stage PIA may be revisited and updated as the project evolves. In this way the PIA can easily be used within an agile approach, iterated in line with project milestones.
Why is the PIA necessary?
RoS complies with the law governing the use of personal data. To ensure that this is the case, RoS has a corporate risk appetite informing its use of personal data – this appetite is currently ‘Minimalist’, meaning that RoS seeks to operate ultra-safe delivery options when processing personal data.
The PIA ensures that proposals to use personal data are in line with the law and our risk appetite. It is an essential aspect of our approach to managing information risk, and is operated for the benefit of the organisation and all RoS colleagues.
When is a PIA appropriate? (Screening)
Wherever there is a change to the way personal data is being used, a PIA should be considered.
RoS is likely to view a PIA as appropriate wherever any of the following apply:
- Collection of new personal data is required
- Use of personal data (new or existing) for a new purpose (doing something new)
- Change to the way personal data is being processed (used)
- Disclosure or sharing of personal data to/with third parties (partners, clients, suppliers)
- Change to systems or suppliers of solutions processing personal data
- Proposals which will make decisions about individuals which will affect them
- Making direct contact with individuals, or direct marketing
- Proposal involves ‘sensitive personal data’
- Any proposal with a potential impact on individual privacy
RoS is unlikely to view a PIA as appropriate wherever any of the following apply:
- No processing (use) of personal data is required
- Change to systems which has negligible impact on processing of personal data
Colleagues can contact the Data Protection Officer (DPO) to confirm whether a PIA is appropriate. Where a PIA is not appropriate, this should be confirmed in writing with the DPO and the IAO (Information Asset Owner) made aware.
Embedding the PIA process in procurement
9. Where procurement activities are part of a project, then the PIA will follow the project methodology and governance. Where it is not covered by a project it should form part of the sourcing strategy. Pre-PIA screening should be carried out to establish whether a PIA is necessary – and if it is – whether it should be the full scale or small scale version. This will be undertaken by the Procurement Lead and a representative from the Security and Assurance Team. The Sourcing Strategy will indicate what decision has been taken and what option is being taken forward.
10. The Procurement Lead will take the recommendation from the PIA section of the Sourcing Strategy and conduct either a small scale PIA or a more formal, structured full scale PIA involving wider consultation, in each case scaled proportionately to the risk.
11. Once completed, PIAs should be revisited at any major changes (to technologies, processes or policies). Before publishing any PIA internally, it must be approved by the Director of Legal Services in their capacity as Data Protection Officer and the relevant IAO.
12. The relevant Project Boards (or in the case of procurements the Head of Procurement) should request and review all PIA related documentation as part of their management responsibilities.
Screening questions for Privacy Impact Assessments
1. Criteria for Data Protection Act Compliance Checks
Area / Question | Question | Explanation |
---|---|---|
DPA / 1.1 | Does the project involve the handling of any data that is personal data, as that term is used in the Data Protection Act? | ‘Personal data’ means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. |
2. Criteria for Privacy Law Compliance Checks
Area / Question | Question | Explanation |
---|---|---|
Privacy Law / 2.1 | Does the project involve any activities (including any data handling) that are subject to privacy or related provisions of any statute or other forms of regulation, other than the Data Protection Act? | In particular consider other forms of regulation such as: |
Privacy Law / 2.2 | Does the project involve activities (including any data handling) that are subject to common law constraints relevant to privacy? | In particular consider confidential data relating to a person, as that term would be understood under the common law of confidence and the tort of privacy as it develops through case law |
Privacy Law / 2.3 | Does the project involve any activities (including any data handling) that are subject to less formal good practice requirements relevant to privacy? | In particular consider industry standards, e.g. ISO27002 Information Security Standard or industry codes such as the NHS Code of Practice on Confidentiality |
3. Criteria for a Small Scale PIA
Area / Question | Question | Explanation |
---|---|---|
Technology / 3.1 | Does the project involve new or inherently privacy-invasive technologies? | Examples include smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining and logging of electronic traffic. Technologies that are inherently intrusive, or that are new and sound threatening, excite public concern and represent risk. In order to answer this question consideration should include: whether all of the information technologies that are to be applied in the project are already well-understood by the public; and whether their privacy impacts are all well-understood by the organisation, and by the public. |
Justification / 3.2 | Is the justification for the new data-handling unclear or unpublished? | |
Identity / 3.3 | Does the project involve an additional use of an existing identifier? | |
Data / 3.6 | Will the project result in the handling of a significant amount of new data about each person, or significant change in existing data-holdings? | |
Data handling / 3.9 | | |
Data handling / 3.10 | | |
Data handling / 3.11 | | |
Data handling / 3.12 | | |
Data handling / 3.13 | | |
Data handling / 3.14 | | |
Exemptions / 3.15 | | |
4. Full Scale Privacy Impact Assessment
Area / Question | Question | Explanation |
---|---|---|
Technology / 4.1 | Does the project apply new or additional information technologies that have substantial potential for privacy intrusion? | Examples include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining, and logging of electronic traffic. |
Identity / 4.2 | Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes? | Examples include a digital signature initiative, a multi-purpose identifier, interviews and the presentation of identity documents as part of a registration scheme, and an intrusive identifier such as biometrics. All schemes of this nature have considerable potential for privacy impact and give rise to substantial public concern and hence present project risks. |
Identity / 4.3 | Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions? | Many agency functions cannot be effectively performed without access to the client's identity. On the other hand, many others do not require identity. An important aspect of privacy protection is sustaining the right to interact with organisations without declaring one's identity. |
Multiple organisations / 4.4 | Does the project involve multiple organisations, whether they are government agencies (e.g. in 'joined-up government' initiatives) or private sector organisations (e.g. as outsourced service providers or as 'business partners')? | Schemes of this nature often involve the breakdown of personal data or identity silos and may raise questions about Data Protection Act compliance. This breakdown may be desirable for fraud detection and prevention or business process efficiency. However, data and identity silos have often provided effective privacy protection. Particular care is needed in the preparation of a business case that justifies the privacy invasions of projects involving multiple organisations. Compensatory protection measures should be considered. |
Data / 4.5 | Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals? | The Data Protection Act at s.2 identifies categories of 'sensitive personal data' that require special care, including racial and ethnic origin, political opinions, religious beliefs, trade union membership, health conditions, sexual life, offences and court proceedings. Other categories of personal data may give rise to concerns, such as financial data, particular data about vulnerable individuals, data which can enable identity theft, and addresses or phone numbers of 'persons at risk' who may suffer physical harm if traced. |
Data / 4.6 | Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database? | Examples include intensive data processing such as welfare administration, health care, consumer credit, and consumer marketing based on intensive profiles. |
Data / 4.7 | Does the project involve new or significantly changed handling of personal data about a large number of individuals? | Any data processing of this nature is attractive to organisations and individuals seeking to locate people, or to build or enhance profiles of them. |
Data / 4.8 | Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources? | This is an especially important factor. Issues arise in relation to data quality, the diverse meanings of superficially similar data-items, and the retention of data beyond the very short term. |
Exemption & exceptions / 4.9 | Does the project relate to data processing which is in any way exempt from legislative privacy protections? | Examples include law enforcement and national security information systems and also other schemes where some or all of the privacy protections have been negated by legislative exemptions or exceptions. |
Exemption & exceptions / 4.10 | Does the project's justification include significant contributions to public security measures? | Measures to address concerns about critical infrastructure and the physical safety of the population usually have a substantial impact on privacy. Yet there have been tendencies in recent years not to give privacy its due weight. This has resulted in tensions with privacy interests, and creates the risk of public opposition and non-adoption of the programme or scheme. |
Exemption & exceptions / 4.11 | Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation? | Disclosure may arise through various mechanisms such as sale, exchange, unprotected publication in hard-copy or electronically-accessible form, or outsourcing of aspects of the data-handling to sub-contractors. Third parties may not be subject to comparable privacy regulation because they are not subject to the provisions of the Data Protection Act or other relevant statutory provisions, such as where they are in a foreign jurisdiction. Concern may also arise in the case of organisations within the UK which are subsidiaries of organisations headquartered outside the UK. |