< Back

Share |

Assessing technology privacy risks using Privacy Impact Assessments

June 2013

The use of computing technology is beginning to move away from traditional desktops to a different model based on computer applications that are integrated with the everyday objects around us, including the clothing and other items that we wear.

This evolution to a more 'all pervasive' approach to computing is likely to mean more of our information will be collected when we interact, in a seamless way, with objects and items incorporating computing technologies.

For this reason it is increasingly important that the development of new applications including those incorporating wearable computing technology takes account of the privacy implications for individuals. One way to achieve this is by conducting a Privacy Impact Assessment ("PIA").

What is a Privacy Impact Assessment?

Book pagesA PIA is a tool to help an organisation that is developing a project that will involve the collection and use of information about individuals to help identify, assess and alleviate any privacy risks associated with the project. The PIA is essentially a framework to help an organisation anticipate issues, organise its thoughts on any privacy impacts and consider how best these can be avoided.

Why conduct a PIA?

Although there is at present no obligation under UK data protection law to complete a PIA, data controllers are encouraged by the Information Commissioner's Office (ICO) to adopt PIA's for projects where there may be genuine risks to the privacy of individuals. There is also a presumption by the Cabinet Office that central government departments will use the PIA process for their technology projects. In other countries there is similar support for the use of PIA methodologies and, looking ahead, Article 33 of the draft EC data protection Regulation proposes to make PIAs mandatory for data controllers where their processing present risks to data subjects.

Legal reasons aside, there are also important commercial reasons for completing a PIA. It is far better to understand and avoid any risks at the early stages of a technology project, than attempt to 'bolt-on' expensive solutions after the event.  A PIA can also anticipate risks that might give rise to negative press or damage commercial reputation, as well as help an organisation recognise how best to communicate with the public about a product in order to anticipate and alleviate any potential privacy concerns.

Assessing when to use a PIA

Sledge hammerWhether a PIA is needed and the scope of the PIA will depend on the type of project. Clearly there is no value to a business in adopting a sledgehammer approach of a full-scale formal assessment of privacy risks for all projects. Certain projects may present no risks to the privacy of individuals and a PIA would be inappropriate. In other cases a project may be limited in scope or impact meaning that a scaled-down approach to the PIA is more appropriate. 

The ICO has published a handbook on conducting PIAs. The handbook includes a list of screening questions to help organisations assess whether a PIA is recommended and what level of PIA to adopt.  In broad terms a PIA will typically be recommended in cases where a project involves (but is not limited to):

  • New or intrusive information technologies - examples may include smart cards, radio frequency identification (RFID) tags or near field computing (NFC) tools, location tracking technology, image recording and/or surveillance or profiling or data mining technologies.
  • Use or reuse of identifiers, existing identifiers or intrusive identity authentication processes - examples may include digital signatures, use of an identifier used for multiple other purposes or biometric or financial identifiers.
  • New or significantly changed handling of data on individuals – such as collecting significant amounts of new data on individuals, using data in a new context, consolidating, profiling or transferring data across multiple systems.
  • Processing of data which is exempt from legislative privacy protections – for example use of law enforcement or national security information systems.
  • Multiple organisations or changes to data handling arrangements – including, sharing of data across data silos or other new or changed data handling policies or practices that may be intrusive or unclear to individuals.

What should a PIA cover?

Whether a full or a small scale PIA process is followed, the ICO recommends that these should have phases, tasks within phases and deliverables in much the same way as traditional project management methodologies.

The five phases of a PIA include:

  • Preliminaries - ensuring there is a clear basis for the PIA to be carried out.
  • Preparation - laying the groundwork, such as identifying stakeholders and planning.
  • Consultation and analysis - meeting stakeholders, analysis of risk, logging and sharing findings with a view to reaching and implementing decisions.
  • Documentation - reporting on the process and outcomes.
  • Review and audit – Checking that changes to the product from the PIA process are implemented and work in practice.

Type writerPIA's may yet become a legal obligation in the future if the proposals in Article 33 of the draft EC data protection Regulation are adopted, however completing a PIA should be seen as more than just a legal box-ticking exercise. It can also form an important part of an organisation's overall risk assessment approach to project management, ensuring that broader information privacy risks are assessed alongside specific information security and assurance considerations.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Data stream
Sally Annereau

Sally Annereau      

Sally looks at why organisations should consider using a Privacy Impact Assessment process and what this involves.

"It is far better to understand and avoid any risks at the early stages of a technology project, than attempt to 'bolt-on' expensive solutions after the event."