Small-Scale PIA - The process

It is neither feasible nor even desirable to specify a fixed process for a Small-Scale PIA, due to the diversity of circumstances. The process for any particular project needs to reflect:

the nature of the project (e.g., new system, replacement system, enhancements to an existing system, new technology, outsourcing, changed business processes or staff instructions, replacement user interface, revised privacy policy statement, drafting of legislative changes);
the specific aspects of the project that the screening process has highlighted;
any relevant PIAs that have been previously conducted, and
the organisation's level of experience in conducting PIAs.

Hence the following guidance is general in nature, and intended to assist organisations in developing their own project plan.

Conventional project management techniques may be applied to the process of assessing privacy impact. This segment provides an outline description of a suggested set of phases for a Small-Scale PIA.

In each case, the detailed guidance for the relevant phase of a Full-Scale PIA is referred to. That is because those sections provide deeper discussion of aspects that may be relevant to the circumstances. However, the scale of a Small-Scale PIA is such that it may be appropriate to compress phases together, consolidate tasks, or reduce the number of deliverables by merging several documents into one.

The terms used here (such as 'Preliminary phase') are intended to be descriptive and are not in themselves of any great significance. Organisations may use other terms that are consistent with their own internal standards, policies and practices.

The following suggested phases are described below:
1. Preliminary phase
2. Preparatory phase
3. Consultation and analysis phase(s)
4. Documentation phase
5. Review and audit phase

1. Preliminary phase

The purpose of the Preliminary phase is to ensure that a firm basis is established for the PIA to be conducted effectively and efficiently. Depending on the scale of the project and the experience of the project manager in relation to PIAs, it may be appropriate to produce and maintain a project plan. It will generally be advisable to produce a project background paper, although this is likely to be succinct.

Because the circumstances of Small-Scale PIAs vary so much, this Handbook does not contain any specific guidance in relation to this phase. However, a useful checklist is available, which describes the tasks involved in the corresponding phase of Full-Scale PIAs. Carrying out all the tasks recommended in the checklist would be excessive for a small project. However, the ideas are likely to be of assistance, and may be applied in a less onerous manner such as in combination or selectively according to the circumstances.

2. Preparatory phase

The purpose of the Preparatory Phase is to make the arrangements needed to enable the critical Phase 3 to run smoothly. In this phase, organisations may undertake a stakeholder analysis, development of a consultation strategy and plan, and establishment of a PIA Consultative Group (PCG). It will be useful to consult the checklist which describes the tasks involved in the corresponding phase of Full-Scale PIAs. It is likely that ideas extracted from that document will need to be scaled, however, in order to be applicable to the particular project.

3. Consultation and analysis phase(s)

The consultation and analysis phase builds on the foundations established by the first two sections. It includes consultations with stakeholders, risk analysis, the articulation of problems, and the search for constructive solutions.

Some activities may need to be performed more than once (e.g., by having several successive conversations with a key stakeholder). On the other hand, if a comprehensive and clear project background paper is produced, and the participants are experienced or issues relatively simple, it may be feasible to conduct the process quite briskly.

The key deliverable is some kind of document (such as a Privacy Design Features Paper or a Meeting Outcomes Report) that enables the results to be communicated to the various parties involved. The project team, and in particular the designers, should receive copies of this document, because they will need to make decisions based on the outcome of consultations, make changes to the relevant project documents and implement the decisions made.

However, a useful checklist is available, which describes the tasks involved in the corresponding phase of Full-Scale PIAs. It is likely that ideas extracted from that document will need to be scaled, in order to be applicable to the particular project.

4. Documentation phase

The purpose of the documentation phase is to document the process and the outcomes. The deliverable is a PIA Report. Depending on the context, this might be a relatively brief 'note to file', with copies to relevant parties; but circumstances may justify a more carefully-prepared document.

5. Review and audit phase

The purpose of this section is to ensure that the design features arising from the PIA are implemented, and are effective. The deliverable is a Review Report. Once again, in some contexts a 'note to file', with copies distributed to relevant parties, might be sufficient to achieve this requirement. In other cases, considerably greater investment may be warranted.