Full-Scale PIA – Overview

Privacy Impact Assessment (PIA) is usefully defined as a process whereby the potential privacy impacts and implications of a project are identified and examined from the perspectives of all stakeholders, and an attempt is made to find ways to minimise or avoid them.

Projects with substantial privacy impacts and implications require a comprehensive PIA process, to ensure that the issues are appreciated and addressed, and risks are managed. A Full-Scale PIA should be a disciplined process. It involves analysis of technologies and business processes and consultation with stakeholders. Its outcomes are likely to affect the project conception, process and design features.

The term 'project' is used in this Handbook to refer to whatever the activity or function is that the organisation is assessing. It may be, for example, a project to develop a 'system', a 'database', a 'program', an 'application', a 'service' or a 'scheme', or an enhancement to any of the above, or an 'initiative', a 'proposal' or a 'review', or even draft legislation.

Throughout this Handbook, the term 'the organisation' is used. This is intended to refer to the company or government agency that is primarily responsible for the project as a whole, and that may be seen as sponsoring the activity. Other organisations that are involved in some way are referred to as 'participating organisations'. In the case of very large projects in which several major organisations are heavily involved in partnership or joint venture, it may be appropriate to interpret 'the organisation' to refer to that one of them that performs the function of 'lead organisation'.

Experience has shown that the most effective approach to the timing of a PIA is to:

• commence it early in the life-cycle of the overall project;
• run it in conjunction with the life-cycle of the overall project, and
• perform it progressively and in an iterative fashion

This approach ensures that privacy issues are identified and addressed early, rather than becoming embedded and thereby turning into major risks to the project's objectives and budget.

To be effective, a PIA has a number of general features.

• It is primarily about process, and only secondarily about producing a report.
• The process is considerably broader than just an audit of compliance with existing privacy-related laws. The latter is the function of a complementary Privacy Law Compliance Study. Guidance in relation to that process is provided in another segment of this Handbook.
• The process is inclusive and participative, or at least consultative.

The outcomes of an effective PIA process are:

• the identification of the project's privacy impacts;
• appreciation of those impacts from the perspectives of all stakeholders;
• an understanding of the acceptability of the project and its features by the organisations and people that will be affected by it;
• identification and assessment of less privacy-invasive alternatives;
• identification of ways in which negative impacts on privacy can be avoided;
• identification of ways to lessen negative impacts on privacy;
• where negative impacts on privacy are unavoidable, clarity as to the business need that justifies them, and
• documentation and publication of the outcomes.

A PIA necessarily identifies and involves project stakeholders. An effective PIA does not arbitrarily limit the notion of 'stakeholder' to organisations participating in the project, but is fully inclusive. Stakeholder categories include:

• the organisation itself (generally including various sub-units with somewhat different requirements);
• other participating organisations (in some cases possibly also including sub-units with somewhat different requirements), and
• the organisations and individuals intended to benefit from the project and/or affected by it. These are usually from various 'market segments', which benefit or are affected in different ways. It may require creativity or the use of proxies such as existing public interest groups and privacy advocates to obtain the views of this type of stakeholder.