What is a Privacy Impact Assessment (PIA) / Information Governance Risk Assessment (IGRA)?
An Information Governance Risk Assessment (IGRA) is a tool to identify and manage risk to information. It is used to:
- Comply with legal obligations to protect personal data
- Undertake risk assessment in a structured way
- Manage and control risk appropriately and proportionately
- Record evidence that risk assessment has been conducted
The PIA can be iterative if this is appropriate – an initial or early stage PIA may be revisited and updated as the project evolves. In this way the PIA can easily be used within an agile approach, iterated in line with project milestones.
Why is the PIA necessary?
RoS complies with the law governing the use of personal data. To ensure that this is the case, RoS has a corporate risk appetite informing its use of personal data – this appetite is currently ‘Minimalist’, meaning that RoS seeks to operate ultra-safe delivery options when processing personal data.
The PIA ensures that proposals to use personal data are in line with the law and our risk appetite. It is an essential aspect of our approach to managing information risk, and is operated for the benefit of the organisation and all RoS colleagues.
When is a PIA appropriate? (Screening)
Wherever there is a change to the way personal data is being used, a PIA should be considered.
RoS is likely to view a PIA as appropriate wherever any of the following apply:
- Collection of new personal data is required
- Use of personal data (new or existing) for a new purpose (doing something new)
- Change to the way personal data is being processed (used)
- Disclosure or sharing of personal data to/with third parties (partners, clients, suppliers)
- Change to systems or suppliers of solutions processing personal data
- Proposals which will make decisions about individuals which will affect them
- Making direct contact with individuals, or direct marketing
- Proposal involves ‘sensitive personal data’
- Any proposal with a potential impact on individual privacy
RoS is unlikely to view a PIA as appropriate wherever any of the following apply:
- No processing (use) of personal data is required
- Change to systems which has negligible impact on processing of personal data
Embedding the PIA process in procurement
Where procurement activities are part of a project, then the PIA will follow the project methodology and governance. Where it is not covered by a project it should form part of the sourcing strategy.
The Procurement Lead will take the recommendation from the PIA section of the Sourcing Strategy and conduct a proportionately scaled PIA.
Once completed, PIAs should be revisited at any major change (to technologies, processes or policies). Before any PIA is published internally, it must be approved by the Data Protection Officer and the relevant IAO.
IGRA stands for Information Governance Risk Assessment. The purpose of an IGRA is to identify and manage risk to information. It has two elements:
- Understanding and controlling information security risks
- Understanding and controlling privacy risks where personal data is processed
The process can be initiated by any RoS colleague on behalf of the RoS Information Asset Owner (IAO). It allows the IAO to understand the risks arising from a proposal and to agree any controls they wish to put in place to manage that risk.
The IGRA helps RoS colleagues to:
- Understand and manage the risk to their objectives
- Control those risks proportionately and appropriately
- Comply with our legal obligations to protect information
- Evidence that risk has been considered, and that the IAO has given approval
- Ensure risks and control actions are appropriately owned and understood
Proportionality and appropriateness are key principles. We try to ensure that the process is proportionate to risk and in line with the risk appetite for the information / system in question.
More information on the Information Governance Risk Assessment process can be found here.