This section provides guidance for evaluating whether a Full-Scale PIA should be conducted. The evaluation depends on sufficient information about the project having been collected during the previous step.
The evaluation process involves answering the following set of 11 questions about key characteristics of the project and the system that the project will deliver.
The answers to the questions need to be considered as a whole, in order to decide whether the overall impact, and the related risk, warrant investment in a Full-Scale PIA. The questions are shown below in bold. Guidance in relation to the interpretation of each question is provided in plain text.
Following the series of screening questions, further guidance is given on undertaking this analysis.
(1) Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?
Examples include, but are not limited to, smart cards, RFID tags, biometrics, locator technologies (including mobile phone location, applications of GPS and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining, and logging of electronic traffic.
(2) Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes?
Examples of relevant project features include a digital signature initiative, a multi-purpose identifier, interviews and the presentation of identity documents as part of a registration scheme, and an intrusive identifier such as biometrics. All schemes of this nature have considerable potential for privacy impact and give rise to substantial public concern and hence project risk.
(3) Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions?
Many agency functions cannot be effectively performed without access to the client's identity. On the other hand, many others do not require identity. An important aspect of privacy protection is sustaining the right to interact with organisations without declaring one's identity.
(4) Does the project involve multiple organisations, whether they are government agencies (e.g. in 'joined-up government' initiatives) or private sector organisations (e.g. as outsourced service providers or as 'business partners')?
Schemes of this nature often involve the breakdown of personal data silos and identity silos, and may raise questions about how to comply with data protection legislation.
This breakdown may be desirable for fraud detection and prevention, and in some cases for business process efficiency. However, data silos and identity silos are of long standing, and have in many cases provided effective privacy protection.
Particular care is therefore needed in relation to preparation of a business case that justifies the privacy invasions of projects involving multiple organisations. Compensatory protection measures should be considered.
(5) Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?
The Data Protection Act at s.2 identifies a number of categories of 'sensitive personal data' that require special care. These include racial and ethnic origin, political opinions, religious beliefs, trade union membership, health conditions, sexual life, offences and court proceedings.
There are other categories of personal data that may give rise to concerns, including financial data, particular data about vulnerable individuals, and data which can enable identity theft.
Further important examples apply in particular circumstances. The addresses and phone-numbers of a small proportion of the population need to be suppressed, at least at particular times in their lives, because such 'persons at risk' may suffer physical harm if they are found.
(6) Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database?
Examples include intensive data processing such as welfare administration, health care, consumer credit, and consumer marketing based on intensive profiles.
(7) Does the project involve new or significantly changed handling of personal data about a large number of individuals?
Any data processing of this nature is attractive to organisations and individuals seeking to locate people, or to build or enhance profiles of them.
(8) Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?
This is an especially important factor. Issues arise in relation to data quality, the diverse meanings of superficially similar data-items, and the retention of data beyond the very short term.
(9) Does the project relate to data processing which is in any way exempt from legislative privacy protections?
Examples include law enforcement and national security information systems and also other schemes where some or all of the privacy protections have been negated by legislative exemptions or exceptions.
(10) Does the project's justification include significant contributions to public security measures?
Measures to address concerns about critical infrastructure and the physical safety of the population usually have a substantial impact on privacy. Yet there have been tendencies in recent years not to give privacy its due weight. This has resulted in tensions with privacy interests, and creates the risk of public opposition and non-adoption of the programme or scheme.
(11) Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?
Disclosure may arise through various mechanisms such as sale, exchange, unprotected publication in hard-copy or electronically-accessible form, or outsourcing of aspects of the data-handling to sub-contractors.
Third parties may not be subject to comparable privacy regulation because they are not subject to the provisions of the Data Protection Act or other relevant statutory provisions, such as where they are in a foreign jurisdiction. Concern may also arise in the case of organisations within the UK which are subsidiaries of organisations headquartered outside the UK.
The key characteristics addressed here represent significant risk factors for the project and their seriousness should not be downplayed. It should also be remembered that the later the problems are addressed, the higher the costs will be to overcome them.
It is important to appreciate that the various stakeholder groups may have different perspectives on these factors. If the analysis is undertaken solely from the viewpoint of the organisation itself, it is likely that risks will be overlooked. It is therefore recommended that stakeholder perspectives are also considered as each question is answered.
In relation to the individuals affected by the project, the focus needs to be more precise than simply citizens or residents generally, or the population as a whole. In order to ensure a full understanding of the various segments of the population that have an interest in, or are affected by, the project, the stakeholder analysis that was undertaken as part of the preparation step may need to be refined. For example, there are often differential impacts and implications for people living in remote locations, for the educationally disadvantaged, for itinerants, for people whose first language is not English, and for ethnic and religious minorities.
Once each of the 11 questions has been answered individually, the set of answers needs to be considered as a whole, in order to reach a conclusion as to whether a Full-Scale PIA is warranted. If it is, a conclusion is also needed as to whether the scope of the PIA should be wide-ranging, or focused on particular aspects of the project.
The Full-Scale PIA is described in detail in Part II. Before proceeding to that part, however, it is necessary to continue with steps 3 and 4 of the screening process, to determine whether compliance checking should also be included in the project schedule.