What is a privacy strategy?
For many organisations that depend upon personal data, privacy has become a strategic factor. This segment of the PIA Handbook discusses how the conduct of a PIA is much easier, quicker, less expensive and more effective if the organisation's overall strategy encompasses privacy.
To deliver value to an organisation, a PIA is best approached not as a standalone activity, but rather integrated into the organisation through two levels.
- A PIA needs to be situated within an overall organisational privacy strategy.
- The organisation's privacy strategy needs to be positioned squarely within the organisation's overall strategic framework.
A comprehensive approach is often referred to as an Enterprise Privacy Strategy. As with any strategy, an Enterprise Privacy Strategy needs to be proactive, and to be expressly stated rather than merely implied. Therefore, it should be articulated into a plan. Execution of the plan should be resourced, and performance should be monitored against the plan.
The scope of an Enterprise Privacy Strategy (the Strategy) should reflect the organisation's nature and mission. The remainder of this section provides guidance for determining the appropriate scope of the Strategy, and identifies four alternative approaches, ranging from the very narrow to the very broad:
- A minimalist information privacy strategy
- A comprehensive information privacy strategy
- A broad privacy strategy
- A social impacts or public policy strategy
1. A minimalist information privacy strategy
The most basic approach to an Enterprise Privacy Strategy is to reflect the requirements of privacy law, including (but not limited to) the Data Protection Principles established by the Data Protection Act.
The minimum that an organisation that handles personal data can reasonably be expected to do is as follows:
- Develop an organisational understanding of privacy, and of the key privacy issues that arise in the organisation's relationships with individuals (generally its staff and customers).
- Conduct a review of the organisation's holdings of personal data and the business processes relating to that data.
- Build recognition of privacy matters into its project processes (e.g. as a component of project scoping documents, or budget approvals). This should include:
  - a requirement that PIAs be considered where appropriate
  - a requirement that a privacy law compliance check be performed
  - a requirement that a Data Protection Act compliance check be performed
2. A comprehensive information privacy strategy
The Data Protection Act focuses on data privacy concepts that originated in the 1970s. Public expectations have moved well beyond those ideas, and a range of claims have emerged for more extensive forms of privacy protection. Organisations that recognise privacy as being a strategic factor in trust relationships with their staff or customers, or that recognise privacy as a matter of corporate responsibility, often implement a much more comprehensive strategy.
A comprehensive information privacy strategy involves the following measures being driven from a senior executive level, separately from and prior to the conduct of specific PIAs:
- Establish and maintain a focal point that ensures executive attention to the matter, including commitment by senior executives to a privacy programme, appointment of a Chief Privacy Officer at a senior level within the organisation, and periodic inclusions of privacy matters in executive committee agendas.
- Conduct a strategy formation process that anticipates problems, and is based on an appreciation of the organisation's data-holdings, data practices, technologies and laws, and deals with public sensitivities in relation to the data, the practices and the technologies.
- Ensure that business process engineering and re-engineering activities have privacy-sensitivity embedded into them. This involves provisions within supplier contracts, and in the organisation's project management framework and methodology, especially during the project initiation stages, through the phases of conception, analysis, design and implementation, and on to post-implementation review and audit.
- Structure a programme that builds privacy respect into the organisation's philosophy, mind-set and business processes. This requires both formal and informal measures. Crucial among the formal measures is the integration of elements of the PIA process within the organisation's procedures. A key location for such a programme is in staff training schemes. Another is internal audit of personal data practices, including both periodic audit, and on-demand audits occasioned by specific incidents and/or general concerns.
- Establish and maintain an internal communications programme, utilising such vehicles as training courses and newsletters, that keeps privacy in the minds of operational staff, managers and executives alike.
- Establish and maintain an external communications programme, comprising at least the following elements:
  - integration of privacy-related messages into communications with affected individuals (including staff as well as clients);
  - identification of relevant representative and advocacy organisations, and collection of information about them;
  - creation and maintenance of channels to and from relevant representative and advocacy organisations; and
  - the capacity to receive and handle incoming communications, through procedures for handling incidents, enquiries, submissions and complaints.
A comprehensive information privacy strategy is likely to encompass additional aspects beyond the basic provisions addressed in legislation, such as the following:
- Protections for all categories of people, without restrictions such as 'citizen', 'resident' or 'customer', and with provisions related to the interests of deceased persons and their relatives.
- Recognition of the benefits as well as the inefficiencies involved in 'data silos'. Such patterns as the consolidation of data from multiple sources into a single virtual databank, the use of personal data for additional purposes, 'function creep' from one business function to another, data warehousing and data mining, all encroach on privacy. The scattering of personal data has been one of the most effective forms of protection, and consolidation directly threatens privacy.
- Recognition of the benefits as well as the inefficiencies involved in 'identity silos', by avoiding the use of the same identifier in multiple organisations, systems and programmes.
- Approval for and facilitation of anonymous and pseudonymous transaction services in all circumstances where that is realistic, e.g., by means of authenticating a person's attributes rather than their identity.
- Avoidance of prejudice to the person's access to services, or their ability to exercise other rights, because of the exercise of privacy rights.
- Card-holder control over identification and authentication tokens, such as chip-cards and digital signature keys.
Some of these expectations may engender concerns about the organisation’s administrative efficiency, the management of waste and fraud, and an integrated view of customers across business divisions and even across corporate boundaries to strategic partners. These tensions are at the heart of the need for PIAs.
3. A broad privacy strategy
The Data Protection Act is limited to information privacy. People are concerned about other dimensions of privacy as well, and organisations may judge it to be advantageous to define the scope of their Enterprise Privacy Strategy to reflect broader concerns.
A broad Enterprise Privacy Strategy would also encompass impacts on:
- Privacy of the person, which relates to personal safety, and interference with the human body. This intersects with information privacy in several ways, for example in relation to locator information for persons-at-risk (e.g. of violent attacks from former partners), the identity underlying authorised aliases, sample extraction for substance-abuse testing, and biometric measures.
- Privacy of personal behaviour, which relates to surveillance of both physical and electronic activities. This also intersects with information privacy, particularly where data is recorded that may be, or may become, associated with an individual.
- Privacy of personal communications, which relates to conversation and message interception, traffic analysis and access to recorded and stored messages. Similarly, this has intersections with information privacy.
4. A social impacts or public policy strategy
Some organisations may judge it to be advantageous to adopt a scope that is broader than privacy alone, but encompasses it. An Enterprise Social Impacts or Public Policy Strategy would also encompass impacts (both positive and negative) on such matters as:
- the availability and quality of services;
- the accessibility and equity of services;
- the allocation of effort, costs and risks, particularly where they are shifted in the direction of citizens;
- choice in relation to the use of the project as a whole, including benefits foregone if it is not used, and penalties for non-use;
- consent in relation to participation in the project as a whole, and in particular features of it, rather than legal compulsion, or other forms of coercion;
- job-market and industry structure impacts;
- geographical equity impacts, e.g. differential service depending on location or access to facilities;
- social equity impacts, e.g. differential service depending on ethnic background, lingual skills, education or physical limitations;
- the human rights of clients, employees and contractors, and
- the accessibility of information.