The term 'framework' is used here to refer to the measures that need to be taken at senior executive level prior to the commencement of the PIA, in order to ensure that the process is properly structured.
A PIA is likely to be of greatest benefit to the organisation if it is started early, and conducted during the life-cycle of the project as a whole. Therefore, the PIA should be initiated at the time of project conception, and either sustained for the period of the project as a whole, or activated at the appropriate stage in each phase of the overall project life-cycle.
A PIA is part of the overall risk assessment and risk management process. Most organisations are therefore likely to find it beneficial to make clear the relationship between the PIA and such other routine risk assessment and mitigation activities as they already have in place.
A major project risk is that participants may not be fully committed, or may later withdraw from participation in the project. In order to ensure that this risk is managed, it is advisable that a stakeholder analysis be conducted at the outset, and that the governance arrangements and the process adopted ensure appropriate involvement of key stakeholders. Further discussion is provided in relation to these matters.
At the level of the project as a whole, and particularly if it is a large or complex project, the organisation should formalise the governance structure and processes, including those for the PIA. It may be an advantage to include key stakeholders in this process. In cases with substantial privacy implications, it is advisable to involve all stakeholders.
A common approach is to establish a Project Steering Committee (a group that has directive powers), or a Project Advisory Committee or Project Reference or Consultative Group (a representative group whose function is to discuss, advise and assist, but which has no formal powers to direct the process).
Similar consideration should be given to governance structure and processes in relation to the conduct of the PIA, within the overall project.
This might be achieved, for example, by establishing a Privacy Sub-Committee, or a PIA Advisory, Reference or Consultative Group. This Handbook uses the term PIA Consultative Group (PCG). The title of any such body, however, is the choice of the organisation concerned and should be consistent with terms used for similar groups.
Whether or not formal governance arrangements are adopted, it is generally advisable for terms of reference for the PIA to be prepared and agreed. Important elements of the terms of reference include:
Further discussion is provided in relation to these matters.
The conduct of the PIA requires a strong understanding of the project itself, knowledge of privacy, and expertise in the performance of risk assessments generally and Privacy Impact Assessments in particular.
Some organisations have some or all of the necessary expertise available in-house. Others find it appropriate to use external resources for some of the tasks, particularly if they have limited prior or recent experience in conducting PIAs. Further discussion is provided in relation to these matters.
Appropriate resources need to be identified, and assigned to the process. Further discussion is provided in relation to these matters.
The Information Commissioner's Office provides information to support the performance of PIAs – in particular through publication of this Handbook. In addition, the ICO may be available for consultation on particular projects; but it does not participate directly in any PIA process, and is not responsible for the conduct of any PIA.