Projects that involve personal information or intrusive technologies inevitably give rise to privacy concerns. The cumulative effect of many such initiatives during recent decades has resulted in harm to public trust and to the reputations of corporations and government agencies alike.
Where the success of a project depends on people accepting, adopting and using a new system, process or programme, privacy concerns can be a significant risk factor that threatens the return on the organisation's investment. In order to address this risk, it is advisable to use a risk management technique commonly referred to as a Privacy Impact Assessment (PIA).
The scale of effort that is appropriate to invest in a PIA depends on the circumstances. A project with large inherent risks warrants much more investment than one with a limited privacy impact. Other projects may merely need a check of their compliance with privacy laws, and in particular with the provisions of the Data Protection Act.
A PIA should be conducted at an early stage of a project. Compliance checks, on the other hand, are usually performed later, after business processes and rules have been specified sufficiently so that they can be assessed for their compliance with the law.
A PIA may be conducted as a separate process, in parallel with the project that gives rise to the privacy concerns. Alternatively, organisations are likely to find it more effective to integrate the PIA within the project plan as a whole, or within broader risk assessment and risk management activities.
Because organisations vary greatly in size, in the extent to which their activities intrude on privacy, and in their experience in dealing with privacy issues, it is not feasible to write a 'one size fits all' guide. The purpose of this Handbook is to be comprehensive, so for each project that it is applied to, some parts will not be relevant.
The Handbook may appear to repeat information already provided in another part. This is done to make the sections more readily understandable by people who read them separately rather than reading the whole document in order.
While it is necessary to ensure compliance with privacy laws, there is no legal obligation to undertake a PIA. The information is provided purely as guidance to organisations, to assist them in making their own judgements for each project that they undertake which has potential privacy impacts. Each organisation is encouraged to use the Handbook to devise and implement a PIA process that is appropriate to its circumstances.
The Handbook's structure, which is outlined below and provided in detail in the table of contents, is intended to enable a reader who is knowledgeable about privacy to quickly start working on the PIA. For other readers who would like some general information prior to starting the PIA process, background information on privacy and PIAs is provided.
To determine whether a PIA is required and, if so, its scope, a short, preliminary study is recommended. That study is referred to as a 'Screening Process'.
Part I of the Handbook provides straightforward guidance on how to prepare for and conduct the screening process. It involves assessing the project against four sets of criteria.
After the screening process is completed, it should be clear whether a Full-Scale PIA is required (addressed in Part II of the Handbook) or if it is not justified.
A PIA examines broad questions about privacy impacts and individuals’ perceptions. Organisations also have an obligation to comply with relevant laws. The screening process assists organisations to determine whether a general privacy law compliance check needs to be performed (Part IV) and/or a specific Data Protection Act compliance check (Part V).