Design issues and privacy problems
If the project design has reflected a strong understanding of privacy issues, it is possible that the participants in the consultation processes may agree to the design.
More commonly, however, because of project complexities and the diversity of interests among stakeholders, the consultation processes will create the need for parts of the project and its design to be re-considered. Complex projects that apply advanced technologies give rise to privacy issues in addition to those addressed by the Data Protection Principles.
Efforts to identify and describe such issues will pay dividends in the following stage, because the better a problem is understood, the easier it becomes to devise ways to deal with it.
Particular concerns that arise in PIAs include the following:
- broad personal information issues, including:
  - Data sensitivity. (This term is used here in a broad sense, rather than the very specific term "sensitive personal data" defined in s.2 of the Data Protection Act.) This relates to:
    - particular data about all those involved in the processing (e.g. medical conditions and impairments, financial data, family structure)
    - all data about a particular person (e.g. persons at risk)
    - particular data about an individual, possibly of a long-term nature (e.g. home address), but also possibly with a short period of validity (e.g. temporary address, travel plans).
  - Data quality. This encompasses many specific characteristics, particularly accuracy, adequacy and relevance to purpose. The further data strays from its original context, the greater the likelihood that it will be misinterpreted, and the greater the impact of even small limitations in quality. Also
  - Data meaning. This varies considerably, but often subtly, from one context of use to another. For example, 'spouse' and 'child' are highly ambiguous terms. Variations in the meaning of apparently similar information may give rise to misunderstandings and error, which can result in harm to individuals.
  - Data deletion and destruction. There needs to be a positive approach to ensure data is retained for only as long as its original purposes require. Data protection is achieved by having specific purposes rather than broad purposes which justify lengthy retention. Data destruction applies both to data in its original form and to personal data used for particular purposes (e.g. for evaluation of programmes, audit, or longitudinal analysis).
- Identity, including:
  - the multiple use of identifiers
  - the denial of anonymity
  - identifiers that directly disclose personal data (e.g. an embedded date of birth)
  - identifiers linked with authenticators (such as a credit-card number plus additional details), because that creates the risk of identity fraud and, in extreme cases, even identity theft
  - biometrics, which give rise to very serious privacy concerns
- Function creep, beyond the original context of use, in relation to:
  - the use of personal information
  - the use of identifiers
- Registration and authentication processes, including the burden such processes impose, their intrusiveness, and the exercise of power by government over individuals
- Surveillance, whether audio, visual or by means of data, whether electronically supported or not, and whether the observations are recorded or not
- Location and tracking, whether within geographical space or on networks, even where it is performed incidentally, and especially where it gives rise to records
- Intrusions into the privacy of the person, especially the compulsory or pseudo-voluntary (such as in employment relationships) yielding of tissue and body-fluid samples, and biometric measurement
It is highly advisable to document the issues which are identified. This Handbook uses the term 'Issues Register' to refer to such documentation. In large projects this can be a formal document, but in other cases it may take the form of an attachment to meeting minutes, or a web-page maintained by project staff.