What is a Privacy Impact Assessment (PIA)?
The PIA is a framework for identifying and managing risk to privacy and confidentiality where information which can or could identify individuals (‘personal data’) is being used (‘processed’) in any way. It helps RoS to:
- Comply with legal obligations to protect personal data
- Undertake risk assessment in a structured way
- Manage and control risk appropriately and proportionately
- Record evidence that risk assessment has been conducted
The PIA process should always be proportionate to risk – a low risk proposal will merit a short PIA focussing on the key risk or risks, with a higher risk proposal meriting a more detailed PIA.
A PIA should be initiated at an early stage in a project or proposal – as soon as a clear idea of the project or proposal exists, prior to, or as part of, project approval.
The PIA can be iterative if this is appropriate – an initial or early stage PIA may be revisited and updated as the project evolves. In this way the PIA can easily be used within an agile approach, iterated in line with project milestones.
Why is the PIA necessary?
RoS complies with the law governing the use of personal data. To ensure that this is the case, RoS has a corporate risk appetite informing its use of personal data – this appetite is currently ‘Minimalist’, meaning that RoS seeks to operate ultra-safe delivery options when processing personal data.
The PIA ensures that proposals to use personal data are in line with the law and our risk appetite. It is an essential aspect of our approach to managing information risk, and is operated for the benefit of the organisation and all RoS colleagues.
When is a PIA appropriate? (Screening)
Wherever there is a change to the way personal data is being used, a PIA should be considered.
RoS is likely to view a PIA as appropriate wherever any of the following apply:
- Collection of new personal data is required
- Use of personal data (new or existing) for a new purpose (doing something new)
- Change to the way personal data is being processed (used)
- Disclosure or sharing of personal data to/with third parties (partners, clients, suppliers)
- Change to systems or suppliers of solutions processing personal data
- Proposals which will make decisions about individuals which will affect them
- Making direct contact with individuals, or direct marketing
- Proposal involves ‘sensitive personal data’
- Any proposal with a potential impact on individual privacy
RoS is unlikely to view a PIA as appropriate wherever any of the following apply:
- No processing (use) of personal data is required
- Change to systems which has negligible impact on processing of personal data
Colleagues can contact the Data Protection Officer (DPO) to confirm whether a PIA is appropriate. Where a PIA is not appropriate, this should be confirmed in writing with the DPO and the IAO made aware.
Embedding the PIA process in procurement
Where procurement activities are part of a project, then the PIA will follow the project methodology and governance. Where it is not covered by a project it should form part of the sourcing strategy.
The Procurement Lead will take the recommendation from the PIA section of the Sourcing Strategy and conduct either a proportionately scaled PIA.
Once completed, PIAs should be revisited at any major changes (to technologies, processes or policies). Before publishing any PIA internally, it must be approved by the Data Protection Officer and the relevant IAO.
The relevant Project Boards (or, in the case of procurements, the Head of Procurement) should request and review all PIA-related documentation as part of their management responsibilities.