Full-Scale PIA - Consultation and analysis phase

This is Phase 3 of the five-phase PIA process. It involves consultations with stakeholders, risk analysis, and identification of problems and the search for solutions.

The purpose of this phase is to ensure that problems are identified early, that effective solutions are found and that the design is adapted to include those solutions.

The suggested deliverables are changes to the project documents, an issues register, and a privacy design features paper.

The following tasks are suggested:

• Implement the Consultation Strategy that was established during the previous phase. This will usually include a PCG process, with workshops and face-to-face meetings, supplemented by electronic discussions and perhaps formal submissions.
• Include the comments provided.
• Identify the design issues and privacy problems.
• Re-consider the design options. This focuses on the various approaches that are available to solve problems. Key concepts at this stage are:
  • Privacy Impact Avoidance Measures
  • Privacy Impact Reduction Measures
  • Privacy Enhancing Technologies (PETs).
• Progressively document the problems and solutions in an 'Issues Register'. There is a risk with large projects that “corporate memory” will be lost if the PIA is carried out in stages. This problem can be overcome by carrying the Issues Register forward as an Appendix to each revision of the Project Background Paper that is made available to the PCG. The Issues Register also serves as means to note issues that cannot be addressed immediately and avoid the possibility of them being overlooked
• Reflect the conclusions reached, in the Issues Register and/or in an evolving 'Privacy Design Features Paper'. This documents:
  • issues identified
  • avoidance and reduction measures considered and either rejected or adopted
  • design changes to be undertaken as a result
  • outstanding issues
• Provide the Privacy Design Features Paper to
  • the PCG
  • the project team
• Pass the project team's feedback to the PCG
• Conduct further consultations with the PCG
• Incorporate the decisions on privacy design features into the design
• Where there are unresolved issues, continue consultation and analysis

This phase generally involves repeating the exercise a number of times. The most effective approach is to conduct the exercise first at the stage of project initiation, and arrange subsequent run-throughs to correspond with the later phases of the project (e.g., requirements analysis, logical design, physical design, construction, integration and deployment of the new system).

The Project Background Paper is likely to require progressive changes to reflect developments during the project.

As will be apparent from the descriptions provided, it is normal for a PIA to result in changes to the design in order to reduce or avoid privacy intrusion. Late changes can of course be expensive. This is an important reason why early commencement of a PIA is recommended.