Full-Scale PIA – Planning the process

Once the framework for the PIA has been established, the conduct of the activity needs to be planned. An experienced manager may be able to do this with a minimum of formality. There are benefits, however, in investing some effort at the outset, in order to ensure the smooth performance of the work.

This segment offers discussion about the following key aspects of a Full-Scale PIA:

• The responsibility for a PIA
• The objectives of a PIA
• The PIA project plan

The responsibility for a PIA

The organisation that is the primary driver of the project must take responsibility for the PIA. The organisation will gain the greatest benefit from the PIA, and it will suffer the most if a PIA is not performed, or is poorly performed.

A PIA has strategic significance, and therefore, direct responsibility for the PIA must be assumed by a senior executive. PIAs are conducted when the screening process identifies potential privacy threats or negative impact on individuals. These amount to risks to the project's success and return on investment, and to the proper use of corporate or public funds.

In delegating that responsibility to a suitable manager, the executive has two alternatives: an appointment within the overall project-team, or someone who is outside the project.

The delegation can be provided to a senior member of the project team as the privacy lead or project privacy manager. The privacy lead should be a person with high standing within the team. The person must have a clear mandate to actively participate in the project design decisions, to ensure that those decisions reflect the outcomes from the PIA process. The privacy lead should also provide ongoing advice and feedback to the responsible senior executive.

However, all members of the project-team need to have an appreciation of privacy and the design's impacts on it. This is most likely to be the case when privacy has senior executive support, and the organisation has a culture of privacy-sensitivity. Further guidance is provided on how organisations may achieve a privacy-friendly climate.

If the executive delegates responsibility for the PIA to someone outside the project team, that person is likely to be less involved in the PIA process. It may also be difficult for the privacy lead to ensure a balanced appreciation of the views of all stakeholders and to assimilate the information generated. There is a possibility that the project team might resist the conclusions and recommendations that result from the PIA process. The management of privacy-related project risks may therefore be less effective than would be the case if the project-team as a whole participates in developing the privacy solutions.

The objectives of a PIA

Through the adoption of a positive approach, a PIA becomes an opportunity for the organisation to ensure that its business processes are aligned with its mission and its overall strategy. This section considers the range of Objectives that may be relevant.

Organisations in both the public and private sectors should take into account the 'big picture' questions. These are about the relationships between people and the institutions that deliver services to them, and the varying degrees of control that organisations exercise over individuals. The enormous increases in the collection, storage, use and disclosure of personal data, and the imposition of many intrusive technologies, have eroded the public's trust of organisations. Organisations have a responsibility to recognise this problem.

Primarily the PIA is a form of risk management. It enables avoidance of project risks such as:

• loss of public credibility as a result of perceived harm to privacy or a failure to meet expectations with regard to the protection of personal information;
• retrospective imposition of regulatory conditions as a response to public concerns, with the inevitable cost that entails;
• low adoption rates (or poor participation in the implemented scheme) due to a perception of the scheme as a whole, or particular features of its design, as being inappropriate;
• the need for system re-design or feature retrofit, late in the development stage, and at considerable expense;
• collapse of the project, or even of the completed system, as a result of adverse publicity and/or withdrawal of support by the organisation or one or more key participating organisations, or
• compliance failure, through breach of the letter or the spirit of privacy law (with attendant legal consequences).

When planning a PIA, the responsible executive within the organisation should ensure that all of these possibilities have been considered, and that the organisation seeks an appropriate set of outcomes from the investment.

At an executive level, the following are suggested as appropriate objectives for a PIA:

• ensure effective management of the privacy impacts arising from the project
• ensure effective management of the project risks arising from the project's privacy impacts
• avoid expensive re-work and retro-fitting of features, by discovering issues early, devising solutions at an early stage in the project life-cycle, and ensuring that they are implemented.

In order to achieve those objectives, the following are suggested as operational aims for a PIA.

• Clearly define the organisation's business needs.
• Clearly define the design, including:
  • the technical elements
  • the relevant data flows
  • the relevant business processes
  • the criteria used in making decisions about people.
• Identify the features of the design that have potential privacy impacts and implications.
• Understand the rationale underlying those features.
• Consider the business case that justifies:
  • the design as a whole
  • the design features with potential privacy impacts and implications.
• Identify:
  • the project's first-order privacy impacts (i.e. those that are direct and immediate)
    the project's second-order privacy implications (i.e. those that are indirect, deferred, contingent or speculative). An example that is easily over-looked is 'function creep', which refers to the application of personal data to additional purposes that were not originally envisaged.
• Identify the stakeholder groups, including all segments of the population that may be affected by the project and what it delivers.
• Identify and involve representative and advocacy organisations for the relevant stakeholder groups.
• Enable the representative and advocacy organisations to:
  • achieve an understanding of the project
  • assess it from their own perspectives
  • have their perspectives understood by other stakeholders
  • understand the perspectives of other stakeholders
  • have their perspectives reflected in the project design.
• Assure all stakeholder groups that their perspectives have been taken into account.
• Enable the design to work towards maximisation of the positive impacts and implications of the project.
• Enable negative impacts and implications of the project to be avoided, or at least reduced.
• Avoid the emergence of new requirements at a late stage in the design process (or, worse still, during construction, deployment, or even operation), when modifications are much more expensive, slower and risk-prone.
• Be publicly credible, in order to support public confidence in the project, and minimise the risk of the project encountering difficulties with public acceptance.
• Achieve awareness-raising and education for:
  • executives, managers and operational staff of the organisation and other participating organisations
  • representatives and advocates of stakeholders
  • relevant segments of the public.
• Pre-empt any possible misinformation campaigns.
• Commit stakeholder representatives and advocates to support the project, in order to avoid the emergence of opposition at a late and expensive stage in the design process.

The PIA project plan

A Full-Scale PIA is sufficiently important and complex that it may itself warrant a formal project plan.

This section is intended to assist organisations devise and implement such a plan. More detailed guidance in relation to the phases, tasks and outcomes involved in a PIA is provided in the following parts. In addition, the ICO may be available to discuss issues and provide general advice on the project plan, although it retains independence from the PIA project itself.

An organisation may have all relevant expertise in-house, in which case it may have its own staff perform the PIA. Many organisations, however, can benefit from the use of specialist consultant support, in order to draw in expertise, and provide access to external perspectives. Where the project team comprises both internal and external resources, the organisation needs to retain responsibility and exercise control. Otherwise, key information will be filtered rather than being assimilated by the organisation and the project risks will not be adequately addressed.

In either case, however, the organisation must take direct responsibility for the PIA team's work, rather than delegating it.

Other involved organisations are likely to wish to participate in, and make contributions to, the development of the project plan. In many cases, the most appropriate approach to project governance will involve the formation of a Project Steering Committee.