Small-Scale PIA – Background information
This section provides information that lays the foundation for the Small-Scale PIA process.
The scope of the PIA should reflect the nature of the project as a whole. The following are examples of a range of significantly different kinds of projects for which a Small-Scale PIA is likely to be appropriate. However, any of these projects could have attributes that make a Full-Scale PIA more appropriate (for instance, if the personal data were highly sensitive or the technology untested).
A Small-Scale PIA is likely to be appropriate for the following types of project:
- Replacement of an existing personal data system by new packaged software, with consequential changes to business processes and perhaps data storage.
- Design and development of a new personal data system that will only contain data about people who have given their consent.
- Enhancements to an existing system in order to collect, store and use several additional items of personal data.
- A proposal to collect items of personal data from a new source, e.g., to reduce the costs incurred by the organisation or the inconvenience to the individuals concerned, or to enable cross-checking against data provided by the data subject.
- Revisions to staff instructions relating to the disclosure of personal data.
- Adaptations to an existing system to reflect new legislation, codes or industry standards.
- The drafting of legislative amendments authorising the collection, use or disclosure of personal data (particularly where a specific project authorised by the amended legislation will be subject to a PIA).
- The application of a new technology to an existing purpose (e.g., replacement of bar-code or magnetic-stripe technology with a contact-based chip containing the same data).
- Drafting of new procedures for customer authentication, e.g., in order to reflect new knowledge about 'identity theft', or respond to media coverage of it.
- The re-design of web-forms for capture of personal data from customers, including the explanations provided, and the circumstances in which particular data-items are declared to be mandatory or optional.
- Plans to outsource business processes involving personal data, or the storage and processing of personal data.
- The application of existing personal data to a new purpose.
- Changes to retention policies relating to personal data.
- Policy statements concerning staff usage of employer-provided facilities such as telephones, mobile phones, desktops, portables, and broadband and wireless ISP subscriptions.
- Review of the means whereby patients express their requests, consents and denials regarding the disclosure of their medical data from the records of a health care professional or clinic.
- The design of a pseudonymous scheme for customer survey data.
- Amendments to the organisation's privacy policy statement.
Some key characteristics of an effective Small-Scale PIA are as follows:
- A PIA is a form of risk management.
- A PIA serves the needs of the organisation itself, by identifying privacy issues early, and enabling them to be addressed quickly and inexpensively, rather than becoming major problems later.
- In order to serve the needs of the organisation, a PIA needs to reflect the perspectives of all stakeholders in the project, including and especially the individuals who are affected by it.
- A PIA is primarily about process, and only secondarily about producing a report.
- A PIA is more than just a check of legal compliance.
- The effective conduct of a PIA depends on having appropriate expertise available. If it is not available within the organisation, it should be possible to acquire relatively inexpensive consultancy support.
The next section provides guidance in relation to the planning and performance of a Small-Scale PIA.