Privacy Law and Policy Reporter
Privacy impact assessment (PIA) has been mentioned in the privacy literature from the 1980s and implemented in jurisdictions from the early 1990s. In the absence of any internationally recognised definition I have previously suggested two alternative definitions:
PIA may be desirable to assess risks:
Whether PIA concerns a major national initiative or a small endeavour of a single department or company, there are certain common elements that need to be addressed in deciding the PIA process to follow. The following should be considered:
PIA may be distinguished from a privacy compliance audit. A compliance audit involves an attempt to find out where an agency currently stands in relation to compliance with the law and to identify steps to avoid non-compliance with the law in the future. While there are similarities between PIA and privacy compliance audits, since they use some of the same skills and seek to avoid privacy problems, compliance audits are primarily directed towards meeting the requirements of the law, whereas PIA should go much further to identify optimum privacy options and solutions.
Systematic and appropriate PIA offers significant benefits for the protection of privacy. However, PIA will only bring the full benefits when the process is undertaken on a competent and credible basis. This involves a systematic process carried out by competent people, independent of those driving the proposal, whose ultimate report is used in decision-making and made public. The process can be worse than useless if undertaken by incompetent people. It may be irrelevant if it has no bearing on decision-making. It is open to manipulation if undertaken by the people driving the proposal unless there is a rigorous check upon its findings. If the resultant privacy impact reports are not made public the process will fail to achieve its full potential.
Disappointingly, I have seen PIA:
It is not surprising that PIA is sometimes poorly undertaken. In the absence of appropriate in-house or consultant privacy or data protection expertise, many agencies turn to professional advisers such as lawyers and accountants with mixed degrees of success. Others try a ‘do it yourself’ approach and place the task with a staff member or subcommittee. Often the results are creditable but they naturally suffer from lack of expertise and available time, and from a close identification with the agency’s proposal.
One of the principal objectives of PIA is to sheet responsibility for privacy impacts back to the agencies undertaking new projects. Many other means of tackling privacy issues, such as having an external body establish a set of rules, guidelines or prohibitions, may encourage agencies to simply comply with the letter of the law. With significant new applications of technologies it is desirable that agencies take a greater degree of responsibility. PIA, in this sense, fits neatly with initiatives to encourage adoption of Privacy Enhancing Technologies (PETs). While the law does not oblige agencies to adopt PETs, it is desirable that they consider doing so. PIA will help agencies to identify the use of PETs as an option and to consider the risks, costs and benefits of doing so compared with other technology.
Privacy and data protection commissioners have a central role in respect of the protection of privacy. However, they invariably have small budgets and few staff. It is absurd to expect that commissioners can assess all the various technological initiatives likely to impact upon citizens’ privacy in the coming years. The responsibility must be shared. PIA helps to do this, with commissioners critiquing or auditing the resultant privacy impact reports. They might use a privacy impact report if subsequently undertaking a compliance audit.
A significant benefit of PIA is the public availability of information on the projected effects of a proposal. Once the privacy impact report is made public it allows interested persons to seek to influence the proposal through contacting the relevant agency or through democratic processes. In many cases, a privacy impact report will allay public concern by giving them the information and reassurance that they need. The reports will also be of assistance in other endeavours which propose to use the same technology or a variant upon it. In later years, the public document may also be used to re-evaluate the proposal and ensure that it remains within the original guidelines intended to protect privacy.
PIA is not a substitute for the legal protection of privacy and the granting to individuals of enforceable entitlements. The process fits with whatever legal regime a jurisdiction has. If there is a data protection or privacy law in place PIA will help ensure that individual entitlements are not undermined, that agencies are assisted in complying with the law, and that regulatory agencies have information upon which to base decisions.
If concern for individual privacy is not sufficient to motivate agencies, many will still be concerned about their reputation and the reaction of consumers to privacy-invasive endeavours. There are examples of commercial applications of technologies, such as caller ID or electronic look-up services, meeting angry consumer resistance because of a lack of respect for privacy. In a number of such cases there were equally effective applications of the technology which appropriately respected privacy. One commentator has dubbed PIA an ‘early warning system’ for corporations which value their reputation.
A detailed and systematic checklist should be developed before undertaking a PIA. Examples of checklists or templates for PIA developed in several contexts can be found in:
There are a number of common features to all PIAs. The starting point will be a description of how a proposal will use and process personal information. This should be tackled in a systematic way from the collection, generation or obtaining of personal information through its holding, storage, security, use and disclosure. Announcing a new proposal to affected people without adequate explanation may lead to a cautious or hostile reaction which may be unwarranted if the true position were known. Conversely, the public may remain unconcerned or complacent at a proposal because they do not recognise the risks or they presume that what is being proposed is similar to an existing practice with which they are familiar. Accurate description is a step towards identification of risks.
It is usually desirable for a PIA to include an assessment of an alternative to achieve the desired objective. Accordingly, identification of the objective is essential. This will usually be set by the agency concerned rather than the person co-ordinating the PIA. Obviously there is a risk that an agency may define the objective in such a way that no alternative is feasible. Nonetheless, there can be consideration of options at both the macro and micro levels. If no broad alternative is available to the proposal or technology selected there may still be a value in a PIA to better understand the impacts and also to make small adjustments within the preferred technology.
The description and analysis of the proposal is assisted by reference to applicable international and national privacy standards. In many jurisdictions there is a premier set of principles or standards in national privacy or data protection laws. Otherwise there are international standards, the main ones being:
Depending upon the proposal being assessed there may be supplementary international or national guidelines. Occasionally these will be specified in national law, for example, the public register privacy principles in the Privacy Act 1993 (NZ). In other cases, reference may be made to guidelines issued by such bodies as the Council of Europe, EU, ILO, OECD, UN and ISO.
With respect to each information aspect of the proposal there will be a number of issues to be addressed. The issues will be readily apparent when the relevant literature is studied and the international or national privacy standards are compared to the proposal. For example, in relation to collection of personal information, an assessment might seek to ask and answer questions such as:
These questions are simply a starting point and a complete or appropriate list would be devised with reference to the relevant international and national standards and the features of the technology or proposal. Several of the checklists mentioned earlier pose relevant questions.
Many of the projects to be assessed will be novel. Nonetheless, the same technology may have been trialled in another jurisdiction. Accordingly, an international literature search will be part of the assessment process. Inquiries may be made of experts or officials in other jurisdictions who may be expected to have some knowledge of the subject matter. Research to identify and evaluate the risks of a proposal will need to be undertaken. Consultation with people likely to be affected is usually desirable.
Finally, PIA is not complete unless it contributes to a decision-making process. Typically PIA will lead to findings as to the privacy risks of a proposal, the significance of those risks, and the availability of alternatives to achieve the agency’s objectives which carry fewer privacy costs. A clear privacy impact report will provide the information for decision makers to exercise their powers. Sometimes the PIA will seek to quantify the effect on privacy, which may be beneficial or detrimental, as a contribution to a broader cost-benefit analysis being imposed on a project. In some cases the privacy impact report will offer recommendations.
PIA brings advantages to all the players involved in the introduction of a new technology. It can assist agencies in ensuring that they comply with applicable laws, do not unduly intrude on privacy and protect their reputations. It benefits privacy commissioners by sharing responsibility for the protection of privacy with agencies, since no commissioner is funded to act as a ‘privacy policeman’ in respect of every application of new technology. Finally, PIA can empower individuals to exercise their rights under privacy laws and as a consumer. Public availability of privacy impact reports will lead to greater understanding of the implications of new technology. In some cases, the process will reassure the public. In others, it will provide information that people, in an individual or collective capacity, need to influence the way that technology impacts on their private lives.
Blair Stewart, Assistant Commissioner, Office of the Privacy Commissioner, New Zealand.
This is an abridged and revised version of a paper presented to the Privacy Law & Business 9th Data Protection Authorities’ Workshop, ‘Biometric Identification: Challenging or enhancing privacy rights?’, Santiago de Compostela, 15 September 1998.