In February, the UK Information Commissioner’s Office (ICO) issued an updated code of practice on conducting Privacy Impact Assessments (PIA), with a six-point process for organisations to follow (the Code).
A PIA is intended to focus the attention of an organisation on the way that data is held and used in any project, and reduce the risk that this creates. A PIA is not a legal requirement, but the Code states that carrying one out will help organisations to make sure that they are complying with the law. Carrying out a PIA can also provide reputational benefits as individuals gain a better understanding of why and how data about them is held.
The Code is aimed at “organisations of any size and in any sector”, and organisations are encouraged to carry out a PIA early on in the life of a project. The PIA process provided by the Code is designed for use by non-experts, making the process accessible to organisations of all sizes.
The Code recommends that organisations consult at all stages of a PIA. Consultations should be carried out both with internal colleagues and with external people who will be affected by a project. A high-level summary of the six-point process is as follows:
- Identifying the need for a PIA. The Code includes screening questions which are designed to be included in an organisation’s normal project management procedure. By doing this, the ICO intends that the need for a PIA to be carried out will be considered in each project.
- Describing information flows. Organisations should consider and document how and why information travels around an organisation in order to effectively map the risk.
- Identifying privacy and related risks. At this stage, an organisation can understand the risks posed by the data highlighted in steps 1 and 2. The Code encourages organisations to adopt their own preferred method of categorising the risks that are identified.
- Identifying and evaluating privacy solutions. Having identified the risks, organisations should consider ways of mitigating them. The Code states that “Organisations should record whether each solution results in the privacy risks being eliminated, reduced or simply accepted.”
- Signing off and recording the PIA outcomes. The Code stresses the importance of keeping a record of the PIA process in order to facilitate the implementation of its findings.
- Integrating PIA outcomes back into the project plan. Having completed a PIA, organisations should implement the measures identified into the project management process.
The Code takes an expansive approach to the process of conducting a PIA, providing several annexes with tools to assist in the process. Organisations should be reassured that by following the provisions of the Code, they are becoming more compliant with the terms of the Act.