Examples of projects for which a small-scale PIA may be appropriate
The following are examples of a range of different kinds of projects for which a small-scale PIA is more likely to be appropriate.
- Replacement of an existing personal data system by new packaged software, with consequential changes to business processes and perhaps data storage.
- Design and development of a new personal data system that will only contain data about people who have given their consent.
- Enhancements to an existing system in order to collect, store and use several additional items of personal data.
- A proposal to collect items of personal data from a new source, eg to reduce the costs incurred by the organisation or the inconvenience to the individuals concerned, or to enable cross-checking against data provided by the data subject.
- Revisions to staff instructions relating to the disclosure of personal data.
- Adaptations to an existing system to reflect new legislation, codes or industry standards.
- The drafting of legislative amendments authorising the collection, use or disclosure of personal data (particularly where a specific project authorised by the amended legislation will be subject to a PIA).
- The application of a new technology to an existing purpose (eg, replacement of bar-code or magnetic-stripe technology with a contact-based chip containing the same data).
- Drafting of new procedures for customer authentication, eg, in order to reflect new knowledge about ‘identity theft’, or respond to media coverage of it.
- The re-design of web-forms for capture of personal data from customers, including the explanations provided, and the circumstances in which particular data-items are declared to be mandatory or optional.
- Plans to outsource business processes involving personal data, or the storage and processing of personal data.
- The application of existing personal data to a new purpose.
- Changes to retention policies relating to personal data.
- Policy statements concerning staff usage of employer-provided facilities such as telephones, mobile phones, desktops, portables, and broadband and wireless ISP subscriptions.
- Review of the means whereby patients express their requests, consents and denials regarding the disclosure of their medical data from the records of a health care professional or clinic.
- The design of a pseudonymous scheme for customer survey data.
- Amendments to the organisation’s privacy policy statement.