It is sensible to apply conventional project management techniques to the process of assessing privacy impact. This includes the definition of phases, tasks within phases, and deliverables.
This section provides an outline description of a suggested set of phases. The terms used here (such as ‘preliminary phase’) are intended to be descriptive and are not in themselves of any great significance. Organisations that apply these guidelines are encouraged to use terms that are consistent with their own internal standards, policies and practices. The five phases of a PIA are as follows.
1. The purpose of this phase is to ensure that a firm basis is established for the PIA to be conducted effectively and efficiently.
2. The purpose of this phase is to make the arrangements needed to enable the critical phase 3 to run smoothly. The suggested deliverables are a stakeholder analysis, a consultation strategy and plan, and the establishment of a PIA consultative group (PCG). Guidance is available to assist in specifying the tasks and deliverables involved in this phase.
3. With the framework in place, this phase focuses on consultation with stakeholders, risk analysis, the recognition of problems, and the search for solutions.
4. The purpose of this phase is to document the process and the results. The suggested deliverable is a PIA Report.
5. The purpose of this phase is to ensure that the design features arising from the PIA are implemented and are effective.
A full-scale PIA is sufficiently important and complex that it may itself warrant a formal project plan. More detailed guidance in relation to the phases, tasks and outcomes involved in a PIA is provided in the following parts. In addition, the ICO may be available to discuss issues and provide general advice on the project plan, although it retains independence from the PIA project itself.
There are circumstances under which it may be sensible and economic to conduct a PIA on something other than a single project. Examples include: