Privacy and PIA – Background information

Privacy

Privacy has become a much larger consideration for business and government in recent decades. New information technologies have increased public concerns about intrusion into their privacy.

Privacy has long been recognised as part of the bundle of human rights, although the concept remains somewhat vague or has different meanings. It may be usefully interpreted as "the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations".

Beyond the recognition of privacy as a human right, specific laws have been introduced to deal with particular areas of concern. Much of the legislative attention to date has been focused on information about people that is collected, stored, used and disclosed by organisations. The handling of personal data is regulated by the Data Protection Act, which the Information Commissioner's Office oversees.

There are, however, other aspects of privacy, and these are attracting an increasing amount of attention. Current high-profile issues include the surveillance of the activities of employees, consumers and citizens, the monitoring and recording of individual's electronic communications and their electronic access to information, and the acquisition of biometrics, body fluids and body tissue.

Privacy has to be balanced against many other, often competing, interests. The practical approach to privacy protection is therefore to find appropriate balances between privacy and those multiple competing interests.

The General Resources section of this Handbook includes further discussion about privacy, privacy protection and the importance of privacy.

Managing privacy concerns

Organisations may adopt various approaches to privacy concerns. As a minimum, they must ensure that they are compliant with the various laws that protect privacy, including the Data Protection Act.

Many consider it is appropriate to go further than that. Some establish a comprehensive privacy strategy, and actively encourage a privacy-sensitive culture. Others judge that significant investment in a privacy strategy would not be justified. Instead they put processes in place to ensure that privacy concerns are considered when business process design and re-design are being undertaken. This may be achieved, for example, by adapting the organisation's system development and project management procedures.

Privacy can be approached as a corporate responsibility, much as ethical and environmental issues are handled. Alternatively, it can be viewed as a risk that threatens the fulfilment of the organisation's objectives. This is a particularly relevant approach to adopt if the organisation is dependent on people adopting new technology, or complying with requests for information. If an organisation does not maintain good relationships with its customers and its employees, it is less likely to achieve service improvements and cost reductions. As a consequence this will affect whether it makes a return on its investment.

Privacy impact assessment

Privacy Impact Assessment (PIA) is a process which enables organisations to anticipate and address the likely impacts of new initiatives, foresee problems, and negotiate solutions. Risks can be managed through the gathering and sharing of information with stakeholders. Systems can be designed to avoid unnecessary privacy intrusion, and features can be built in from the outset that reduce privacy intrusion. A PIA usually results in a PIA Report, which may be published or distributed to participants and wider stakeholders.

PIAs have become mainstream activities in Canada, the USA and Australia, particularly in the public sector, and in some jurisdictions are legally required. Their use is also increasing in private sector projects that have significant potential for privacy impact and in personal-data-intensive business sectors.

This Handbook provides guidance for performing a PIA. It also incorporates information relating to compliance with privacy laws generally and the Data Protection Act in particular.