4. Documentation phase
This is phase four of the five-phase PIA process.
A privacy impact assessment is a process. The benefits to the organisation that conducts it arise mainly from that process, in the form of learning and adaptation, partly by the stakeholders, and partly by the organisation and the team responsible for the project.
There are, however, advantages in generating a final document towards the end of the PIA process. The purpose of this phase is to document the PIA process and the outcomes. The suggested deliverable is a PIA report.
The following tasks are suggested:
- Consolidate the decisions on avoidance and mitigation measures into a final version of the issues register and/ or privacy design features paper.
- Produce a PIA report.
- Make the PIA report available to the PCG.
- Publish the PIA report (withholding any security-sensitive information in confidential, or closed, appendices).
The reasons for preparation of a PIA report are:
- as an element of accountability, in order to demonstrate that the PIA process was performed appropriately;
- to provide a basis for post-implementation review;
- to provide a basis for audit;
- to provide corporate memory, ensuring that the experience gained during the project is available to those completeing new PIAs if original staff have left; and
- to enable the experience gained during the project to be shared with future PIA teams and others outside the organisation.
The following are key elements of a PIA report:
- A description of the project.
- An analysis of the privacy issues arising from it.
- The business case justifying privacy intrusion and its implications.
- Discussion of alternatives considered and the rationale for the decisions made.
- A description of the privacy design features adopted to reduce and avoid privacy intrusion and their implications of these design features.
- An analysis of the public acceptability of the scheme and its applications.
Possible sources for the content of the PIA report include:
- A summary of the consultative processes undertaken.
- Contact details of organisations and individuals with whom consultations were undertaken.
- The project background paper(s) provided to those consulted.
- The PIA project plan.
- The issues register and/ or privacy design features paper(s).
- References to relevant laws, codes and guidelines.
At a late stage, once the design has been checked for legal compliance, it may be appropriate to add the following as appendices to the PIA report:
- the Privacy law compliance study; and
- the Data Protection Act compliance study.
A PIA report should be written with the expectation that it will be published, or at least be widely distributed. If so, the report can fulfil the functions listed above: accountability, post-implementation review, audit, input into future iterations of the PIA, and background information for people conducting PIAs in the future.
Some of the information gathered during a PIA process may be subject to security or commercial sensitivities. In such cases, it may be appropriate for the detailed information to be in confidential, or closed, appendices. Such information suppression, however, needs to be limited to only that which is justified. Sufficient information needs to be included within the PIA report to ensure that the arguments and assessments are complete, informative and comprehensible.