Full-Scale PIA – Framework details

This segment provides further discussion about aspects of the framework that senior executives create in order to ensure that a PIA is conducted effectively. It addresses the following topics:

• Stakeholder involvement
• Governance
• PIA team formation
• Resourcing

Stakeholder involvement

Organisations

The term 'stakeholder' is useful as a collective word for the various groups and individuals who have a significant interest in the project and its outcomes, because they are participating in it, or may be affected by it.

The first consideration is the organisation itself. In small organisations, the PIA team may be able to appreciate all aspects of the interests of the organisation. In large organisations, on the other hand, there are likely to be multiple internal stakeholders who would wish to be involved.

PIAs also need to actively involve representatives from relevant segments of other participating organisations. These may be partner organisations, or organisations that will provide or receive data. In some cases organisations that provide services to support the system (e.g. as outsourced service providers) may have a role that is so significant that they may be best treated as stakeholders rather than merely as sub-contractors. Where new technology is involved the same may be true for technology providers.

Individuals

Effective risk assessment can only be performed by gaining insight into the reactions of the individuals affected by the project. In some cases, this may be gained by means of public meetings, or through focus groups. However, it is often more effective, and more cost-effective, to gain those insights through consultations with non-government organisations (NGOs) or civil society organisations. These either represent the relevant public, or conduct advocacy on their behalf.

When devising consultation processes with these categories of stakeholder, it is seldom adequate to think in terms of the general public because the term is imprecise. People are affected in various ways, depending on the system's features, and their own circumstances. When conducting PIAs, organisations will generally find it to be of value to distinguish, and focus on, relevant customer segments.

A further category of stakeholder is organisations that perform some form of regulatory role. In additional to public bodies such as the Information Commissioner's Office and the Financial Services Authority, this may include industry associations.

Stakeholder analysis should be conducted at an early stage to ensure that the governance arrangements are appropriate.

Governance arrangements

Executives and senior managers should control and be committed to the PIA process.

Disgruntled stakeholders represent a risk to project success and return on project investment. Stakeholders should be provided sufficient information and the opportunity to convey their perspectives and their concerns. The organisation should attempt to reflect stakeholder views in the project design.

There are several alternative ways in which the project governance structure and processes can be extended to encompass all stakeholders.

For large projects, it is conventional to establish an oversight group. A Project Steering Committee normally has the power to give directions to the project, whereas an Advisory, Reference or Consultative Group does not.

If there are multiple stakeholders with an interest in the privacy aspects of the project, there may be benefits in creating a Privacy Sub-Committee, or PIA Advisory, Reference or Consultative Group. In this Handbook, the term PIA Consultative Group (PCG) is used. For some projects, it may be desirable to give the Committee or Group broader considerations, such as Public Policy or Regulatory Affairs. If such an arrangement is created, effective links should be established between the two levels of committee.

With smaller projects, such arrangements are not practical, but measures are needed that achieve clear communications among the three groups:

• senior management
• the project team
• representatives of, and advocates for, the various stakeholders

Conventionally, a Terms of Reference document would document the governance structure and processes, including the nature of the delegation of responsibility and authority provided to the person(s) or team (s) who are involved in the PIA.

It is generally not recommended that the terms of reference be too prescriptive regarding the process to be used. Because some flexibility is needed, processes are best determined by the responsible staff members. The terms of reference should, however, include:

• a clear definition of the functions to be performed;
• specification of the scope of the assessment to be undertaken;
• a statement of the desired outcomes; and
• a statement of the deliverables expected.

The scope of the assessment requires particular attention, from several perspectives.

The breadth of risks

A PIA is an important element within the organisation's risk management strategy. There may be benefits in defining at the outset the PIA’s relationship with other aspects of risk assessment.

The breadth of applicability

There are circumstances under which it may be sensible and economic to focus on something other than a single project. Examples include:

• Commercial software packages. A software development company might commission an independent PIA for a packaged application, taking into account one or more typical deployments or implementations
• Common functions in government. A group of government agencies might commission a generic PIA in an area such as identity authentication or identity management, in order to provide a platform and template on which individual agencies can build
• Common functions in business. An industry group might commission a PIA in relation to a common application across an industry sector or segment. Examples include financial applications such as credit reporting, and electronic health applications

The breadth of privacy and social impacts

A significant decision in relation to scope is the sense in which 'privacy' is to be understood. In many cases, the primary focus will fall on information privacy. The Principles embodied in the Data Protection Act provide guidance in this area. However, it will generally be advisable for the PIA to consider whether any broader aspects are relevant, such as:

• processes relating to identifiers and identity management that may be considered to be intrusive;
• denial of anonymity and pseudonymity, particularly where they were previously available;
• negative effects on individuals who exercise their privacy rights;
  use of personal information whose unauthorised disclosure could give rise to threats to the person's physical safety;
• use of personal information that some people may regard as being of particular concern, or
• long-term retention of personal information

In some cases, the best interests of the organisation will be served by defining the scope much more broadly than information privacy alone. Modern business processes and technologies are having impacts on other aspects of privacy. Examples include:

• Privacy of the physical person e.g. the processes involved in gathering biometrics or body fluid samples from staff or customers.
• Privacy of personal behaviour e.g. audio and visual monitoring, even if no records are created.
• Privacy of personal communications e.g. monitoring of staff emails and chat-traffic in the workplace, or using employer-provided infrastructure whether during working-time hours or not.

Some major projects give rise to even broader social and public policy issues, which the organisation may find convenient to consider within the same risk assessment process as privacy. Examples include:

• The allocation of effort, costs and risks.
• The availability, quality, accessibility and equity of services.
• The accessibility of information. This is a requirement on public authorities under the Freedom of Information Act, but also in the private sector, although in a much more limited form, under s.7 of the Data Protection Act where the information relates to the individual who has requested it
• The human rights of employees, contractors, consumers and citizens. At the most abstract level, there may be relevant constitutional provisions, and there are statutory provisions under the Human Rights Act. There may also be relevant provisions in occupational health and safety law, industrial law, and the common law more generally

PIA team formation

Because of the diversity of expertise and interests involved, it is unusual for a PIA to be performed by a single person. More commonly, a small PIA team is formed, who together have expertise in a number of areas. Team members’ involvement is likely to extend over a period of time, but need be intensive only for relatively brief periods.

Depending on the context, knowledge and expertise of the following kinds are generally needed:

• understanding of the business area that the project addresses
• knowledge of the overall project
• knowledge of the relevant stakeholders and customer segments
• knowledge about privacy
• expertise in project management
• expertise in records management, information management and data management
• expertise in relevant technologies
• expertise in information security processes and technologies
• knowledge about privacy law
• knowledge of framing, planning and conducting a PIA
• knowledge of appropriate representatives of and advocates for the stakeholder groups and consultation techniques

An organisation may have sufficient expertise to perform a PIA entirely in-house. In organisations with a strong internal privacy culture, the staff responsible for the project may have the capabilities already, particularly if they are supported by an experienced corporate Privacy Officer.

In other organisations, project teams may have very strong professional capabilities and confidence, and may tend to resist input, even if concerns are expressed by stakeholders about some of its features. If that risk exists, it may be necessary to assign a privacy specialist to work within the project on a periodic, part-time, or even full-time basis. The authority of this individual should be clearly defined and communicated.

In a number of circumstances, there are benefits in acquiring specialist support from outside the organisation. One reason is to provide access to experience with the performance of PIAs generally or PIAs in the particular context. This may be useful because of the kinds of data involved, the kinds of data subjects, or the technologies.

Another reason for including outsiders in the team is to provide an external perspective. People from outside the organisation are likely to deliver insights that are difficult for employees to achieve because of their day-to-day responsibilities or organisational loyalties.

Where an external consultant is selected to perform a considerable part of the work involved in the PIA, they should be fully independent (i.e. the consultant should not have an interest in particular solutions such as software applications). In addition the organisation must always maintain responsibility for the PIA. The organisation will benefit from having direct access to the insights that consultations and analysis lead to, rather than having them filtered by the consultant.

Resourcing

Appropriate resources need to be assigned to enable effective and efficient performance of the PIA.

One aspect of resource allocation relates to the members of the PIA team itself. The senior executive with overall responsibility for the project may need to temporarily reallocate responsibilities to devote sufficient time to conduct the PIA thoroughly.

In addition, the time of staff outside the PIA team needs to be considered and committed. The categories of employees who need to be involved may come from executive, managerial and operational levels, and include policy, technical, business process design and legal staff