What is
...
an Information Governance Risk Assessment?
1. A PIA is a process that helps assess privacy risks to individuals in the collection, use and disclosure of information. PIAs help identify privacy risks, foresee problems and bring forward solutions.
Why should an organisation complete a PIA?
2. To confirm the following:
- To identify privacy risks to individuals
- To identify privacy and Data Protection compliance liabilities for an organisation
- To protect an organisation’s reputation
- To instil public trust and confidence in a procurement
- To avoid expensive “bolt-on” solutions
- To inform a communications strategy
When should an organisation complete a PIA?
3. A PIA must be carried out at an early stage of development of a new project or where a major procurement is not classed as a project, or when considerable change is planned in a policy or system e.g. a Contract Change Notice (CCN) is being considered. It must always be assumed that a PIA may radically alter the direction of a policy or procurement, or even in some cases stop a procurement altogether, and thus early assessment is crucial. The sooner privacy issues are identified the sooner risks can be responded to.
4. A decision not to carry out a PIA for a new or changed policy or procurement must be recorded along with the reason for this decision.
Should a PIA be conducted for every procurement?
5. Not every procurement will require a PIA. The Information Commissioner’s Office (ICO) envisages PIAs being used only where a procurement (project) is of such wide scope, or will use personal information of such a nature, that there would be genuine risks to the privacy of the individual. PIAs will usually be recommended where a change in the law will be required, new technology is being used or where private or sensitive information which was originally collected for a limited purpose is going to be reused in a new way.
Completing a PIA – Initial assessment and screening process?
6. Pre-PIA screening questions from the ICO PIA Handbook should be completed to see which level of PIA is required. Examples and further explanation of these are included in the table below.
Completing a Full Scale PIA
7. This includes a more in-depth internal assessment of privacy risks and liabilities. It analyses privacy risks, consults widely with stakeholders on privacy concerns and brings forward solutions to accept, mitigate or avoid them.
Completing a Small Scale PIA
8. This is similar to a full scale PIA, but is less formalised. It requires less exhaustive information gathering and analysis and is more likely to be used when focusing on specific aspects of a procurement.
Embedding the PIA process in procurement
9. Where procurement activities are part of a project then the PIA will follow the project methodology and governance. Where it is not covered by a project it should form part of the sourcing strategy. Pre-PIA screening should be carried out to establish whether a PIA is necessary – and if it is – whether it should be the full scale or small scale version. This will be undertaken by the Procurement Lead and a representative from the Security and Assurance Team The Sourcing Strategy will indicate what decision has been taken and what option is being taken forward.
10. The Procurement Lead will take the recommendation from the PIA section of the Sourcing Strategy and conduct either a small scale PIA or a more formal, structured and consulted full scale PIA.
11. Once completed, PIAs should be revisited at any major changes (to technologies, processes or policies.) Before publishing any PIA internally, it must be approved by the Director of Legal Services in their capacity as Data Protection officer.
12. The relevant Project Boards (or in the case of procurements the Head of Procurement) should request and review all PIA related documentation as part of their management responsibilities.
Screening questions for Privacy Impact Assessments
1.Criteria for Data Protection Act Compliance Checks
| Area / Question | Question | Explanation |
|---|---|---|
| DPA / 1.1 | Does the project involve the handling of any data that is personal data, as that term is used in the Data Protection Act? | Personal data’ means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual |
2.Criteria for Privacy Law Compliance Checks
| Area / Question | Question | Explanation |
|---|---|---|
| Privacy Law / 2.1 | Does the project involve any activities (including any data handling), that are subject to privacy or related provisions of any statute or other forms of regulation, other than the Data Protection Act? | In particular consider other forms of regulation such as:
|
| Privacy Law / 2.2 | Does the project involve activities (including any data handling) that are subject to common law constraints relevant to privacy? | In particular consider confidential data relating to a person, as that term would be understood under the common law of confidence and the tort of privacy as it develops through case law |
| Privacy Law / 2.3 | Does the project involve any activities (including any data handling) that are subject to less formal good practice requirements relevant to privacy? | In particular consider industry standards, e.g. ISO27002 Information Security Standard or industry codes such as the NHS Code of Practice on Confidentiality |
3.Criteria for a Small Scale PIA
| Area / Question | Question | Explanation |
|---|---|---|
Technology / 3.1 | Does the project involve new or inherently privacy-invasive technologies? | Examples include smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining and logging of electronic traffic. Technologies that are inherently intrusive or are new & sound threatening excite public concern & represent risk. In order to answer this question consideration should include:
|
Justification / 3.2 | Is the justification for the new data-handling unclear or unpublished? | Individuals are generally much more accepting of measures, even measures that are somewhat privacy-intrusive, if they can see that the loss of privacy is balanced by some other benefits to themselves or society as a whole. On the other hand, vague assertions that the measures are needed 'for security reasons', or 'to prevent fraud', are much less likely to calm public disquiet. |
Identity / 3.3 | Does the project involve an additional use of an existing identifier? | The public understand identifiers enable organisations to collate data about an individual & that they can be used for multiple purposes to enable consolidation. They are also aware of the increasingly onerous registration processes and document production requirements imposed by organisations. From the perspective of the Procurement Lead, these are warning signs of potential privacy risks. |
| Identity / 3.4 | Does the project involve use of a new identifier for multiple purposes? | |
| Identity / 3.5 | Does the project involve new or substantially changed identity authentication requirements that may be intrusive or onerous? | |
Data / 3.6 | Will the project result in the handling of a significant amount of new data about each person, or significant change in existing data-holdings? | The degree of concern about a project is higher where data is transferred out of its original context. The term 'linkage' encompasses many kinds of activities, such as the transfer of data, the consolidation of data-holdings, the storage of identifiers used in other systems in order to facilitate the future searches of the current content of records, the act of fetching data from another location (e.g., to support so-called 'front-end verification'), and the matching of personal data from multiple sources. |
| Data / 3.7 | Will the project result in handling of new data about a significant number of people, or a significant change in the population coverage? | |
| Data / 3.8 | Does the project involve new linkage of personal data with data in other collections, or significant change in data linkages? | |
Data handling / 3.9 | Does the project involve new or changed data collection policies or practices that may be unclear or intrusive? | |
Data handling / 3.10 | Does the project involve new or changed data quality assurance processes and standards that may be unclear or unsatisfactory? | |
Data handling / 3.11 | Does the project involve new or changed data security arrangements that may be unclear or unsatisfactory? | |
Data handling / 3.12 | Does the project involve new or changed data access or disclosure arrangements that may be unclear or permissive? | |
Data handling / 3.13 | Does the project involve new or changed data retention arrangements that may be unclear or extensive? | |
Data handling / 3.14 | Does the project involve changing the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible than before? | |
Exemptions / 3.15 | Will the project give rise to new or changed data-handling that is in any way exempt from legislative privacy protections? |
4.Full Scale Privacy Impact Assessment
| Area / Question | Question | Explanation |
|---|---|---|
Technology / 4.1 | Does the project apply new or additional information technologies that have substantial potential for privacy intrusion? | Examples include, but are not limited to, smart cards, radio frequency identification RFID tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining, and logging of electronic traffic. |
Identity / 4.2 | Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes? | Examples include a digital signature initiative, a multi-purpose identifier, interviews and the presentation of identity documents as part of a registration scheme, and an intrusive identifier such as biometrics. All schemes of this nature have considerable potential for privacy impact and give rise to substantial public concern and hence present project risks. |
Identity / 4.3 | Might the project have the effect of denying anonymity & pseudonymity or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions? | Many agency functions cannot be effectively performed without access to the client's identity. On the other hand, many others do not require identity An important aspect of privacy protection is sustaining the right to interact with organisations without declaring one's identity. |
Multiple organisations / 4.4 | Does the project involve multiple organisations, whether they are government agencies (e.g. in 'joined-up government' initiatives) or private sector organisations (e.g. as outsourced service providers or as 'business partners')? | Schemes of this nature often involve breakdown of personal data or identity silos & may raise questions about data protection act compliance. This breakdown may be desirable for fraud detection and prevention or business process efficiency. However data & identity silos often provided effective privacy protection. Particular care is needed in relation in preparation of a business case that justifies privacy invasions of projects involving multiple organisations. Compensatory protection measures should be considered. |
Data / 4.5 | Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals? | The Data Protection Act at s.2 identifies categories of 'sensitive personal data' that require special care including racial & ethnic origin, political opinions, religious beliefs, trade union membership, health conditions, sexual life, offences & court proceedings. Other categories of personal data may give rise to concerns such as financial data, particular data about vulnerable individuals, data which can enable identity theft & addresses or phone-numbers of 'persons at risk' who may suffer physical harm if traced |
Data / 4.6 | Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database? | Examples include intensive data processing such as welfare administration, health care, consumer credit, and consumer marketing based on intensive profiles. |
Data / 4.7 | Does the project involve new or significantly changed handling of personal data about a large number of individuals? | Any data processing of this nature is attractive to organisations and individuals seeking to locate people, or to build or enhance profiles of them. |
Data / 4.8 | Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources? | This is an especially important factor. Issues arise in relation to data quality, the diverse meanings of superficially similar data-items, and the retention of data beyond the very short term. |
Exemption & exceptions / 4.9 | Does the project relate to data processing which is in any way exempt from legislative privacy protections? | Examples include law enforcement and national security information systems and also other schemes where some or all of the privacy protections have been negated by legislative exemptions or exceptions. |
Exemption & exceptions / 4.10 | Does the project's justification include significant contributions to public security measures? | Measures to address concerns about critical infrastructure and the physical safety of the population usually have a substantial impact on privacy. Yet there have been tendencies in recent years not to give privacy its due weight. This has resulted in tensions with privacy interests, and creates the risk of public opposition and non-adoption of the programme or scheme. |
Exemption& exceptions / 4.11 | Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation? | Disclosure may arise through various mechanisms such as sale, exchange, unprotected publication in hard-copy or electronically-accessible form, or outsourcing of aspects of the data-handling to sub-contractors. Third parties may not be subject to comparable privacy regulation because they are not subject to the provisions of the Data Protection Act or other relevant statutory provisions, such as where they are in a foreign jurisdiction. Concern may also arise in the case of organisations within the UK which are subsidiaries of organisations headquartered outside the UK. |
An Information Governance Risk Assessment (IGRA) is a tool to identify and manage risk to information.
IGRA stands for Information Governance Risk Assessment. The purpose of an IGRA is to identify and manage risk to information, it has two elements:
- Understanding and controlling information security risks
- Understanding and controlling privacy risks where personal data is processed
The process can be initiated by any RoS colleague on behalf of the RoS Information Asset Owner (IAO). It allows the IAO to understand the risks arising from a proposal and to agree on any controls they wish put in place to manage that risk.
The IGRA helps RoS colleagues to:
- Understand and manage the risk to their objectives
- Control those risks proportionately and appropriately
- Comply with our legal obligations to protect information
- Evidence that risk has been considered, and that the IAO has given approval
- Ensure risks and control actions are appropriately owned and understood
Proportionality and appropriateness are key principles. We try to ensure that the process is proportionate to risk and in line with the risk appetite for the information / system in question.
More information on the Information Governance Risk Assessment process can be found here.