Privacy Law and Policy Reporter
Blair Stewart, manager of Codes and Legislation at the Office of the Privacy Commissioner NZ, examines the advantages of systematic privacy assessment for new technology and for projects with a major impact on privacy.
Discussion of privacy impact assessments (PIAs) is not new. David Flaherty in Protecting Privacy in Surveillance Societies (Chapel Hill, 1989) suggests a genesis in the 1970s. However, another Canadian colleague remarked to me to the effect that, since everybody thinks that privacy impact assessments are such a good idea, someone should try doing one. Such cynicism is a little misplaced as the process has been tentatively used in a variety of jurisdictions but not, perhaps, in the comprehensive and systematic way which would make a real impact in privacy terms. Neither, of course, is terminology always used consistently and some processes, such as those employed by Cabinet committees, can be similar to a privacy impact assessment without carrying that label. In this article I hope to explain what I mean by 'privacy impact assessment' and explain how a PIA process might work.
In my view, the NZ Privacy Act 1993 is a relatively 'light-handed' piece of legislation which leaves considerable discretion with agencies as to how to handle personal information. Privacy impact assessments might help to marry the discretion allowed under the Act with a degree of accountability to the public where a significant privacy erosion will be caused by the actions of an agency or government. Furthermore, a PIA might tackle wider privacy issues such as intrusion, which are not yet well handled in mainstream privacy laws, rather than simply information privacy and data protection.
Existing levels of privacy, which are not perfect, are rarely enhanced. However, privacy is often diminished in small and large ways, sometimes gradually, sometimes suddenly. The PIA process might enable some of those changes to be predicted in advance and challenged. Sometimes the result will be that an initiative is stopped. More often it might mean the exercise of an informed choice by society to opt for a more privacy-friendly, but equally effective, alternative. On other occasions society, governments or corporations will pursue their objectives regardless of the privacy consequences, but that ought to be an open process by which the people affected (the public) know what is being done to them. PIAs will enhance such accountability.
This article aims to promote further discussion through a series of questions and answers. It does not offer the last word on these questions. I hope that others will come forward with different or better answers or perhaps additional questions.
There is no statutory definition of a PIA in NZ or Australia. Nor is there any internationally accepted definition. To promote discussion I tentatively suggest that a PIA is a process whereby a conscious and systematic effort is made to assess the privacy impacts of options that may be open in regard to a proposal. An alternative definition might be that a PIA is an assessment of any actual or potential effects that the activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.
I should confess that the two definitions are derived from definitions of environmental impact assessment but with the substitution of the word 'privacy' where 'environment' would normally appear. I have chosen to do this not simply for convenience but because I have observed some correlations between environmental impact assessment and privacy impact assessment.
A PIA may be desirable to:
The process needs to be systematic. It needs to identify the right questions and seek to answer them. It must draw upon competent sources of expertise. There needs to be a public element in the process. To be credible, there needs to be a degree of independence at an appropriate stage.
The PIA process is not an objective in itself. It will often be linked to a proposal for which some organisation will have a decision-making role. Accordingly, the PIA process needs to be integrated into decision-making processes. For a central government proposal, the PIA process needs to be integrated into departmental decision-making and the Cabinet committee process. At a local government level a committee or the council itself will need to have the PIA set before it. In the private sector a range of different solutions will be possible, and an appropriate approach may need to be crafted on a case-by-case basis, but ultimately a corporation which commissions a PIA would need to integrate that process into its decision-making systems and develop a way to act on the results.
Normally, in my view, PIAs should be prepared by what I will call a 'lead agency'. The Privacy Commissioner should concentrate on reviewing the completed PIA. A lead agency will be the agency which is driving the proposal which is perceived to carry with it a privacy risk. Sometimes there will be a clear lead agency. For example, if there is a proposal to establish electronic road tolls it would likely be the road authority, such as Transit NZ (although if a private company was proposing a toll road with electronic pricing it might be that private company).
The purpose of having a lead agency prepare the PIA is similar to the reason why an applicant for a resource consent will prepare (or more usually commission) an environmental impact assessment. It is consistent with the notion that the agency which is seeking in some way to upset the environment, or intrude on privacy, should make its case to explain the effects and how they are proposed to be mitigated. Having the lead agency undertake the PIA means that agency 'owns the problem' and will be committed to finding solutions, better alternatives, and, once the project is undertaken, to making those solutions work. If the PIA is simply prepared by an outside organisation then an agency would be freer to disown the problem or disregard the assessment.
Additionally, it is a matter of resources. A small oversight agency, such as the Office of the Privacy Commissioner, does not have the resources to undertake assessments of the variety of projects which might warrant a PIA. The lead agency will already have assembled the expertise to develop the project in any case and addressing the consequences for privacy, where that is a significant feature of the proposal, will not normally be onerous. Even where a considerable amount of original research is required, at some expense, it is more appropriate that that expense should fall on the agency proposing to diminish privacy than anywhere else.
Another reason why a lead agency, rather than the Privacy Commissioner's office, should prepare a PIA is that many proposals, particularly in the initial stages, will not be public knowledge. On occasion, corporations and government agencies may wish to undertake a preliminary PIA without disclosing this fact in the public arena. Some such initiatives may never proceed for technical or financial reasons. Having the lead agency undertake the PIA itself means that it can retain commercial confidentiality if the proposal never gets off the ground.
Sometimes a lead agency may need to be created from a collection of agencies. For example, if various telephone companies proposed to introduce a new service having privacy implications, the PIA process might be undertaken by a working party. If three or four of the banks proposed to undertake some technological initiative, having privacy implications, but other banks had no intention of doing so, it may be that sector would need to choose between utilising an existing industry wide group or convening a group just of the banks involved. A law enforcement-related PIA might be undertaken by an inter-departmental committee from justice, police, corrections and courts.
Sometimes there will be no conceivable lead agency and in these cases the Privacy Commissioner might, if the PIA process suited, undertake a similar assessment process himself. An example might be regarding the greater use of e-mail communication in commercial offices. We may recognise that this practice is occurring, and see that it has some privacy risks or implications, but there is no single or collective entity which is driving that technological change.
Having identified a lead agency, who has the skills to undertake the assessment? Although there is only a limited number of people who would claim to have undertaken what we would recognise as a PIA there is, in fact, a pool of people with some of the necessary skills. Given the experience that lawyers, policy makers and privacy officers now have with privacy legislation there is indeed a significant body of skilled people to draw on in NZ on privacy issues. Expertise in the technical area is readily available to tap into.
The following elements may bear on the decision as to who to involve in the process.
A variety of skills will be required, which no single individual is likely to possess in full: legal skills, writing skills, investigative or consulting skills, technical skills and skills in policy formation. A talent for 'lateral thinking' may be valuable. The co-ordinator will be the key person and that person will draw on the skills of others. A co-ordinator might be a manager, lawyer, accountant, consultant, policy analyst or any other person having the suitable overall skills. He or she may need some knowledge of privacy law and issues as well as knowledge of the technical issues.
The person or people preparing the PIA will need to know what their role is and the degree to which they are independent in carrying out their activity. Sometimes, the independence will not be found in the staff preparing the PIA, who might be under the direct control of management, directors or ministers, but is in the independence of the resulting audit or review. Accordingly, the necessary degree of independence may be found in the role of the Privacy Commissioner or other credible independent review process.
The PIA must be integrated into decision-making or management processes and involve, or have access to, people with 'stop-go' powers in relation to a project.
There is currently no law that states categorically that an agency may not undertake a certain activity without first producing a PIA. The absence of such a provision is not surprising nor does it necessarily mean that a PIA could not be required. If we use the analogy with environmental impact assessments (EIAs) there was, for many years, no statutory basis on which EIAs were required. While there is now clearer statutory underpinning of the process in the Resource Management Act, EIAs were, for many years, prepared in response to government policy and the requirement of an oversight agency, the Commission for the Environment. Some of the same features are already present in the privacy field.
We already have in government policy, manifested through the Cabinet Office Manual, a requirement in certain circumstances for departments to signify that a proposal 'complies with' the information privacy principles, public register privacy principles and information matching guidelines. This is not as precise as would be desirable for PIAs since it is directed towards 'compliance' rather than towards assessing future impact. However, assessing future compliance has some similarities to forecasting future impact. Similarly, there is an oversight agency. It would certainly be open to the Privacy Commissioner under his functions to undertake privacy impact assessments. In certain circumstances the Commissioner could certainly request an agency to prepare a PIA. On occasion, it may arguably be possible for the Commissioner to require the production of a PIA under functions conferred, for example, in relation to information matching.
However, this article is concerned with establishing a case for PIAs in the future. It is fair to say that there is little statutory basis at present for PIAs. However, they might be required in the future, for example, by:
No. A compliance audit usually involves an attempt to find out where an agency currently stands in relation to compliance with the law and to identify steps to avoid non-compliance with the law in the future. Accordingly, a privacy compliance audit tries to see where an agency presently stands in relation to compliance with the Privacy Act 1993. Normally the first step for such an audit is to undertake a stocktake of current personal information holdings and then to examine the processes and circumstances by which, and in which, information is collected, used and disclosed by the agency. The 'snapshot' or 'stocktake' provides a basis on which a specialist adviser will assess current compliance with the Privacy Act and suggest how problems may be remedied or avoided.
The privacy impact assessment process, on the other hand, is not usually predicated on an examination of an agency's current practices but is directed towards a proposal for the future. In large measure, PIAs are directed not simply towards issues of legal compliance but towards the policy choices involved in answering the questions 'ought we to do this?' and 'is there another, better way of doing this?'. The question of legal compliance will be simply one of many concerns, whether technical, social or legal. Indeed, if a new endeavour is to be established by legislation, as many government projects are, then by definition legality is assured.
However, there are some inter-relationships between privacy compliance audits and PIAs. An agency which has audited its practices is more likely to be alive to the issues which will be relevant in a PIA. The skills in privacy compliance auditing will be similar to those needed for a PIA. Knowledge of current practices, through the analysis involved in a privacy compliance audit, will often be relevant to a PIA since new initiatives rarely arise 'out of the blue' but more usually build on what is currently done.
How might the PIA process be taken to a stage where it can significantly contribute to the enhancement of privacy protection in NZ? In my view, the process can be significantly enhanced without initially needing to seek new legislative authority. More experience can be gained through the use of PIAs by government departments, business and others. Already, a PIA process is used as part of the assessment process for new information matching programs in NZ. Apparently some businesses, as an adjunct to privacy compliance audits, already undertake a form of PIA although any such initiatives are not yet undertaken on the public and independent basis described in this paper.
In my view, there are several avenues for enhancing the use of PIAs in NZ and elsewhere.
Blair Stewart, Manager, Codes and Legislation, Office of the Privacy Commissioner, NZ. This paper was presented at the Privacy Issues Forum, Christchurch on 13 June 1996.