01 March 2014

Privacy Impact Assessments

The UK Information Commissioner's Office (ICO) has released an updated version of its Privacy Impact Assessments (PIA) Code of Practice.

Coincidentally, the Office of the Australian Information Commissioner (OAIC) has announced that a draft Guide to undertaking privacy impact assessments will soon be released for public consultation.

The UK Code is characterised as meant
to help organisations respect people’s privacy when changing the way they handle people’s information. The code explains the privacy issues that organisations should consider when planning projects that use personal information, including the need to consult with stakeholders, identify privacy risks and address these risks in the final project plan. 
The UK Commissioner states that
With a research study carried out by the ICO last year showing that only 40% of people believe that organisations handle their information in a fair and proper way, privacy impact assessments can be an important means of retaining consumer trust by showing that organisations are working to respect people’s privacy. 
ICO Head of Policy, Steve Wood, said: “The development of projects involving the processing of large amounts of personal information is no longer the preserve of the public sector and large businesses. Today even an app developer can be developing a product in their bedroom that involves using thousands of people’s information. 
“This is why we have published our updated privacy impact assessments code of practice to help organisations of all sizes ensure that the privacy risks associated with a project are identified and addressed at an early stage during a project’s development. 
“The updated code is designed to ensure that privacy impact assessments fit into the project development process, allowing organisations to follow a privacy by design approach to developing new ways of using people’s information. Successfully adopting this approach can only be good for consumers and for business and can enable organisations to demonstrate their compliance with the Data Protection Act.”
The revised UK Code reflects consultation last year that "highlighted the need for the updated code to be flexible enough to be applicable to organisations of all sizes and for privacy impact assessments to fit into the existing project development process".

The ICO has also released a 267-page research project report on Privacy impact assessment and risk management [PDF].

Recommendations in that report were -
Recommendations for the ICO 
1. that the ICO develop measures aimed at promoting a closer fit between PIA and risk- and project-management methodologies through direct contact with leading industry, trade, and other organisations in both the public and private sectors. 
2. that, in revising its PIA Handbook, the ICO make the third edition much shorter, more streamlined, and more tailored to different organisational needs. It should be principles-based and focused on the PIA process. The ICO should undertake a consultation on a draft of a revised guidance document. 
3. that the ICO’s guidance on PIA emphasise the benefits to business and public-sector organisations in terms of public trust and confidence, and in terms of the improvement of internal privacy risk-management procedures and organisational structures. 
4. that ICO guidance help organisations to understand and evaluate privacy risk, whether or not they can integrate PIA into their risk-management routines and methodologies. 
5. that the ICO develop a set of benchmarks that organisations could use to test how well they are following the ICO PIA guidance and/or how well they integrate PIA with their project- and risk-management practices, especially where there are “touch points”. 
6. that the ICO strongly urge PIA-performing organisations to report on how their PIAs have been implemented in subsequent practice, and to review the situation periodically. 
7. that the ICO promote to organisations the benefits of establishing repositories or registries of PIAs. We recommend that the ICO compile a registry of publicly available PIA reports, or at least a bibliography of such reports. 
8. that the ICO take advantage of the current work within ISO to develop a PIA standard, and the BSI’s technical panel’s contribution to it. 
9. that the ICO audit the PIA process and PIA reports in at least a sample of government departments and agencies. 
10. We recommend that privacy risk be taken into explicit account in the Combined Code for companies listed on the London Stock Exchange. 
11. that privacy risk be inserted into government guidance such as the Treasury Orange Book and the Green Book on appraisal and evaluation in central government. 
12. that, at senior ministerial and official levels in government departments, and among special advisers, the ICO engage in dialogue to underline the importance of privacy and PIA while developing new policy and regulations and in the communication plans accompanying new policies. 
13. that the ICO encourage the Treasury to adopt a rule that PIAs must accompany any budgetary submissions for new policies, programmes and projects. 
14. that the ICO encourage ENISA to support the ICO initiatives with regard to inserting provisions relating to PIA in risk management standards, as well as within ENISA’s own approach to risk assessment. 
15. that the ICO accelerate the development of privacy awareness through direct outreach to organisations responsible for the training and certification of project managers and risk managers. 
Recommendations for companies and other organisations 
16. that, to help embed PIA and to integrate it better with project and risk management practices, a requirement to conduct a PIA be included in business cases, at the inception of projects, and in procurement procedures. Organisations should require project managers to answer a simple PIA questionnaire at the beginning of a project or initiative to determine the specific kind of PIA that should be undertaken. 
17. that senior management take privacy impacts into consideration as part of all decisions involving the collection, use and/or sharing of personal data. 
18. that companies and other organisations review annually their PIA documents and processes, and should consider the revision or updating of their processes as a normal part of corporate performance management. 
19. that companies and other organisations embed privacy awareness and develop a privacy culture, and should provide training to staff in order to develop such a culture. High priority should be given to developing ways of incorporating an enhanced PIA/risk assessment approach into training materials where information-processing activities pose risks to privacy and other values. 
20. that companies and other organisations include contact details on their PIA cover sheets identifying those who prepared the PIA and how they can be contacted. The PIA should promote the provision of a contact person as “best practice”. Such practice needs to be made mandatory certainly within any government organisation and any organisation doing business with the government. Such practice should also be promoted within standards organisations. 
21. that public-sector organisations insert strong requirements in their procurement processes so that those seeking contracts to supply new information systems with potential risk to privacy demonstrate their use of an integrative approach to PIA, risk management and project management. 
22. that companies and other organisations include privacy in their governance framework and processes in order to define clear responsibilities and a reporting structure for privacy risks. 
23. that companies and other organisations include a PIA task, similar to a work-package or a sub-work-package, in their project plan structures in order to embed PIA better within project management practices, and that project managers monitor and implement this new privacy task, based on the identified privacy requirements, as is done in the case of other project tasks. 
24. that, to foster internal buy-in for any newly adopted processes and procedures, companies and other organisations undertake extensive internal consultation with all parts of the organisation involved in risk management and project management, when thinking of integrating PIA into existing organisational processes. 
25. that companies and other organisations include identified privacy risks in their corporate risk register, and that they update their register when new or specific types of privacy risk are identified by implementation teams. 
26. that companies and other organisations develop practical and easy guidance on the techniques for assessing privacy risks and actions to mitigate them.
The recommendations reflect concerns such as -
While there are commonalities between the project and risk management processes and the PIA process, most of the methodologies do not mention privacy risks or even risks to the individual. Nevertheless, to the extent that privacy risks pose risks to the organisation, the organisation should take account of such risks in their project and risk management processes, including listing such risks in the organisation’s risk register. It should not be too difficult to convince organisations of the importance of taking privacy risks into account and regarding privacy risk as another type of risk (just like environmental risks or currency risks or competitive risks). Especially in industries that deal directly with the general public – for example, banking, entertainment, and retail – privacy breaches, not confined to “data breaches”, can be a significant threat to the company’s reputation. Based on examples of privacy breaches, it should not be too difficult to convince organisations about the need to guard against reputational risk.
Many of the risk management methodologies include provisions for taking into account information security (as distinct from privacy risks), and specifically with regard to confidentiality, integrity and availability of the information. Few go beyond this with the notable exception of ISO 29100, which specifically addresses privacy principles, IT Grundschutz and the CNIL methodology on privacy risk management. One can note that the privacy part of IT Grundschutz was written by the German DPA, and that the CNIL is the French DPA. Helpfully, both the privacy part of IT Grundschutz and the guides published by the CNIL include catalogues of privacy threat descriptions supplemented by the corresponding privacy controls.
Some of the project and risk management methodologies call for consulting or engaging stakeholders, especially internally, but some (e.g., ISO 31000, ISO 27005) externally as well. PIA does the same. Some of the project and risk management methodologies (e.g., ISO 31000, ISO 27005) call for reviewing or understanding or taking into account the internal and external contexts. This is true of PIA too.
Some of the project and risk management methodologies emphasise the importance of senior management support and commitment, which is also important for successful PIAs. Some of the risk management methodologies call for embedding risk awareness throughout the organisation. Some call for training staff and raising their awareness, which is also essential to PIAs. 
Almost all of the methodologies are silent on the issue of publishing the project or risk management report, although some do attach importance to documenting the process. Similarly, most are silent on the issue of independent, third-party review or audit to the project or risk management reports. There is, however, a requirement for companies listed on the London Stock Exchange to include information in their annual reports about the risks facing the company and how the company is addressing those risks.
In Australia the new Guide will replace the OAIC’s existing Privacy Impact Assessment Guide [here], reflecting changes to the Privacy Act 1988 and "taking into account key features of privacy impact assessment guides from other jurisdictions and research on good practice in undertaking privacy impact assessments".