History of Privacy Impact Assessments

  • Privacy by Design
  • History of Privacy Impact Assessments
  • Features of a Privacy Impact Assessment?
  • Why do a PIA?
  • Features of a Good PIA
  • Steps in a Privacy Impact Assessment
  • Supply Chain PIAs
  • PIA Reports
  • Ethics & Social Licence
  • APP Questions to Consider

A Choice

  • Privacy Invading Technologies (PITs) or
  • Privacy Enhancing Technologies (PETs)
PITs or PETs

Privacy by Design

  • 1960s: Developed by architecture and building firms for physical privacy
  • 1990s: Ann Cavoukian in Canada applied the concept to information privacy
  • Goal is to embed privacy into the product and service lifecycle for businesses and government
  • Has been widely endorsed by privacy regulators around the world
  • 2018: included as an obligation in Article 25 of the GDPR

Privacy by Design

  1. Proactive, not Reactive; Preventative, not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality
  5. End-to-End Security: Full Lifecycle Protection
  6. Visibility and Transparency: Keep It Open
  7. Respect for User Privacy: Keep it User-Centric

History of Privacy Impact Assessments

  • Late 1960s: Fair Information Practices
    • “Self-discipline on the part of the executive branch will provide an answer to virtually all of the legitimate complaints against excesses of information-gathering” (William Rehnquist, 1971, US Justice Department; later Chief Justice of the Supreme Court)
    • FIP concerns led to the 1980 OECD Guidelines, designed to “advance the free flow of information and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries”
    • 1995 onwards: Privacy Impact Assessments emerge
      • Inspired by Environmental Impact Assessments
      • “A belated public reaction against privacy invasive actions”; OR
      • “A natural development of rational management techniques” (Roger Clarke, 2009)
      • Early leaders: Canada and New Zealand
  • 2018: EU’s GDPR Article 35: PIAs are now mandatory where there are high risks, with fines for non-compliance

Why do a PIA?

  • Builds trust by the public and employees in the organisation
  • Reduces reputation risk
  • Reduces management time
  • Helps improve decision-making
  • Reduces legal expenses
  • Minimises probability of causing costly privacy harms
  • Enables organisation to demonstrate its compliance and risk maturity capability
  • Minimises probability of adverse findings during an audit or regulator investigation
  • Evidence that the organisation acted appropriately to attempt to minimise the probability of privacy harms

Features of (good) PIAs

  • Is a form of risk management
  • Performed on a project or initiative (distinct from a privacy strategy)
  • Anticipatory in nature (in advance of or parallel to an initiative; cf. an audit, which looks back)
  • Broad in scope (looks also at the interests of those affected; cf. an internal cost/benefit analysis)
  • Broad scope of analysis (not just strict compliance with legal obligations; legitimacy, proportionality, participation, ethics and social licence are also considered)
  • Both problem and solution focused
  • Emphasises the assessment process (future consequences)
  • Requires intellectual engagement from senior stakeholders (not a mere checklist)
  • PIA Report is made publicly available, signed off by senior management (subject to any security concerns, where a summary is published)
  • Contributes to “organisational memory”

Steps in a PIA

  1. Determine whether a PIA is necessary (threshold analysis)
  2. Identify the PIA team, its terms of reference, resources and time frame
  3. Prepare a PIA Plan: who does what, when, and with whom will you consult
  4. Agree on the budget for the PIA
  5. Project description (link to corporate strategy, external environment and competitive landscape)
  6. Identify relevant stakeholders
  7. Analyse the information flows and privacy framework
  8. Privacy impact analysis
  9. Consult with stakeholders
  10. Check the project complies with relevant legislative requirements
  11. Identify risks and possible solutions
  12. Formulate recommendations
  13. Prepare and publish the PIA Report
  14. Implement the Recommendations
  15. Third-party review and/or audit of the PIA & its implementation
  16. Update the PIA if there are any changes
  17. Incorporate identified risks into a centralised risk register
  18. Embed Privacy awareness throughout the organisation and ensure accountability

A PIA Flow-chart (Vict) [figure]

Supply Chain PIAs

  • Privacy risks emerge not only within a business itself, but also within its supply chain
  • Evidence that suppliers have undertaken effective PIAs may be required
  • Privacy officers might prioritise suppliers based upon their privacy risk profiles
  • High-risk: on-site visits and privacy audits may be necessary
  • Low-risk: sight the supplier’s privacy or infosec policies

In the EU, “High risk” business strategies have two of the following features:

  • evaluation or scoring, including profiling and predicting;
  • automated decision making with legal or similar effect;
  • systematic monitoring, including of publicly accessible areas, in particular where there may be a lack of awareness of the monitoring;
  • processing of sensitive data, which in this context includes not only data defined as “special category” data under the GDPR, but also data which may be generally considered as increasing possible risks to individuals, e.g. financial data that may be used for payment fraud;
  • large-scale processing, which should be considered by reference to factors such as the number of data subjects (whether the specific number or the proportion of a relevant population), the volume and range of the data, the duration or permanence of the data and the geographical extent of the processing;
  • data set matching or combination;
  • processing of information in relation to vulnerable data subjects where there is an imbalance of power between the controller and the individual, e.g. children, employees or vulnerable segments of the population such as asylum seekers;
  • innovative use of technological or organisational solutions such as biometrics or the internet of things;
  • cross-border transfers, taking into account the country of destination, the possibility of further transfers and the likelihood of transfers based on derogations rather than exemptions; and
  • prevention of the exercise of rights or the use of a service or contract, e.g. credit reference screening (which would also come under the evaluation or scoring category) resulting in an individual being denied a loan

PIA Reports

Sets out:

  • The scope of the PIA undertaken and its methodology
  • A summary of the consultative processes undertaken
  • A description of the project
  • A map of the information flows
  • Analysis of the privacy issues and risks arising from the PIA (including compliance, ethical, social licence and best-practice perspectives)
  • Recommendations to manage identified privacy issues and risks
  • The business case justifying the privacy intrusion and its implications, where a treatment or mitigating action has not been recommended and/or agreed (if any)
  • A description of agreed treatment or mitigating actions, together with timelines for implementation
  • References to relevant laws, codes and guidelines
  • When the most recent privacy review was undertaken

Adding in the assessment of ethical considerations

  • PIAs should not just be about compliance with the law (i.e. getting away with as much as the law will permit you to do)
  • Ethical analysis is a process which considers what you should or should not do, rather than just doing whatever the law permits you to do
  • Is this the right thing to do for our stakeholders, rather than just for ourselves/our shareholders?

Social Licence

  • A concept developed in the mining industry
  • Metaphorical, not legal
  • ‘to go beyond compliance to mitigate social and environmental harm, or even to effect benefits’
  • Think of the broader privacy ecosystem: situate the project within that ecosystem and show how it will make the ecosystem healthier
  • What actions will minimise community stakeholder resistance to the project? What are their ‘pain points’?
  • Should not be a “political licence to operate”

APP questions to consider

  • Not every APP will be relevant for every project, but all 13 of them should be analysed to determine if they are relevant
  • The OAIC Guide to Undertaking PIAs (2014) sets out basic questions to ask; adapt and extend them to suit your needs
