Managing a PIA

This section provides some further guidance on managing the PIA process, who should take responsibility, who carries out the PIA and the role of the organisation’s data protection/ privacy officer.

Who should take responsibility for a PIA?

Responsibility for conducting a PIA should be placed at senior executive level. A PIA has strategic significance, and therefore, direct responsibility for the PIA must be assumed by a senior executive. It might also be advisable to assign this responsibility to a senior executive with lead responsibility for risk management, audit or compliance.

At an executive level, the following are suggested as appropriate objectives for a PIA:

ensure effective management of the privacy impacts arising from the project;
ensure effective management of the project risks arising from the project’s privacy impacts; and
avoid expensive re-work and retro-fitting of features, by discovering issues early, devising solutions at an early stage in the project life-cycle, and ensuring that they are implemented.

Who should carry out a PIA?

In delegating responsibility for conducting a PIA, senior executives have three alternatives:

an appointment within the overall project-team;
someone who is outside the project; or
an external consultant.

Where responsibility is delegated to a senior member of the project team, this person must have a clear mandate to actively participate in the project design decisions to ensure that those decisions reflect the outcomes from the PIA process.

If the executive delegates responsibility for the PIA to someone outside the project team, it may be difficult for that person to ensure a balanced appreciation of the views of all stakeholders and to assimilate the information generated. There is a possibility that the project team might resist the conclusions and recommendations that result from the PIA process.

Some organisations have decided to employ external consultants to carry out a PIA, either because they feel that they do not have the necessary skills in-house, or they want the PIA to be as independent as possible from potential influences within the organisation. While there are sometimes good reasons for ensuring the independence of the PIA process, this handbook has been designed as a self-assessment tool. The advantages of employing an independent consultant need to be weighed against the disadvantages of resistance to the conclusions reached during the PIA, the potential lack of understanding or appreciation of the organisation’s needs and the business case for the project. As stated above, a PIA is distinct from an audit process and so there is not as great a need for independence throughout the process.

Regardless of who is asked to complete the PIA, the organisation must take direct responsibility for the PIA team’s work, rather than delegating it. Other involved organisations are likely to wish to participate in, and make contributions to, the development of the project plan. In many cases, the most appropriate approach to project governance will involve the formation of a project steering committee.

The PIA project steering committee

A common approach is to establish a project steering committee (a group that has directive powers), or a project advisory committee or project reference or consultative group (a representative group whose function is to discuss, advise and assist, but which has no formal powers to direct the process).

A project steering committee normally has the power to give directions to the project, whereas an advisory, reference or consultative group does not. The title of any such body, however, is the choice of the organisation concerned and should be consistent with terms used for similar groups.

With smaller projects, such arrangements are not practical, but measures are needed that achieve clear communications among the three groups:

senior management;
the project team; and
representatives of, and advocates for, the various stakeholders.

Whether or not formal governance arrangements are adopted, it is generally advisable for terms of reference for the PIA to be prepared and agreed. Important elements of the terms of reference include:

the functions to be performed;
the deliverables;
the desired outcomes;
the scope of the assessment; and
the roles and responsibilities of various parties involved in the PIA.

The terms of reference should document the governance structure and processes, including the nature of the delegation of responsibility and authority provided to the person(s) or team(s) who are involved in the PIA.

Role of the organisation’s data protection/ privacy officer or team

Often an organisation will delegate responsibility for conducting a PIA to their data protection or privacy officer. While the ICO recommends that this person is given a role in the steering committee or consultative group, responsibility should only be delegated to the data protection or privacy officer where they have sufficient authority to influence the design and development of a project and participate fully in the project design decisions.

Resourcing a PIA

Sufficient resources must be made available to enable effective and efficient performance of the PIA. There are two aspects to this.

The members of the PIA team itself need to be provided adequate time to carry out the PIA. The senior executive with overall responsibility for the project may need to temporarily reallocate responsibilities to devote sufficient time to conduct the PIA thoroughly.
In addition, the time of staff outside the PIA team needs to be considered and committed. The categories of employees who need to be involved may come from executive, managerial and operational levels, and include policy, technical, business process design and legal staff.

Role of the Information Commissioner’s Office

The Information Commissioner’s Office provides information and guidance to support the organisations that carry out PIAs, in particular through publication of this handbook. In addition, the ICO may be available for consultation on particular projects.

However, it needs to be emphasised that PIAs have been designed as a self-assessment tool for organisations and the ICO does not have a formal role in conducting them, approving or signing off any final report which is produced.

« Previous | Top of page | Next »

Contents

Using this handbook

Part 1 – Background information

Chapter I – Overview

Chapter II – Privacy, risks and solutions

Part 2 – The PIA process

Process Maps

Chapter III – Initial assessment

Chapter IV – Full-scale privacy impact assessment

Chapter V – Small-scale privacy impact assessment

Chapter VI – Privacy law and other legal compliance checking

Chapter VII – Data Protection Act compliance check (including PECR)

Chapter VIII – Other ICO guidance

Appendix 1 – The PIA screening questions

Appendix 2 – Data protection compliance checklist template

Appendix 3 – PECR compliance checklist template

Appendix 4 – Privacy strategies

Part I Background information