The process for completing a small-scale PIA for any particular project needs to reflect:
Hence the following guidance is intended to assist organisations in developing their own small-scale PIA. Conventional project management techniques may be applied to the process of assessing privacy impact. This segment provides an outline description of a suggested set of phases for a small-scale PIA.
These phases mirror the detailed guidance for the relevant phase of a full-scale PIA. In a small-scale PIA it may be appropriate to compress phases together, consolidate tasks, or reduce the number of deliverables by merging several documents into one.
The suggested phases, described below, are:
1. preliminary phase;
2. preparation phase;
3. consultation and analysis phase(s);
4. documentation phase; and
5. review and audit phase.
The purpose of the preliminary phase is to ensure that a firm basis is established for the PIA to be conducted effectively and efficiently. Depending on the scale of the project and the experience of the project manager in relation to PIAs, it may be appropriate to produce and maintain a project plan. It will generally be advisable to produce or get hold of a project background paper, although this is likely to be quite short.
Because the circumstances in which a small-scale PIA should be conducted vary so much, this handbook does not contain any specific guidance in relation to this phase. However, a useful checklist is available, which describes the tasks involved in the corresponding phase of full-scale PIAs in Chapter IV. Carrying out all the tasks recommended in the checklist would be excessive for a small project but the ideas can be of assistance, and may be applied in a less onerous manner such as in combination or selectively according to the circumstances.
At the very least, the preliminary phase should have as deliverables a project outline, a preliminary assessment of privacy concerns and some preliminary talks with key stakeholders. A clear and informative project outline will make the consultation and analysis phase much easier and more effective.
The purpose of the preparation phase is to make the arrangements needed to enable the critical phase three to run smoothly. In this phase, organisations may undertake a stakeholder analysis, development of a consultation strategy and plan, and establishment of a PIA consultative group (PCG). Due to the nature of a small-scale PIA, these tasks do not need to be formalised.
It will be useful to consult the checklist which describes the tasks involved in the corresponding phase of full-scale PIAs in Chapter IV. It is likely that not every task will be appropriate to a small-scale PIA or that some of the tasks completed as part of a full-scale PIA will need to be scaled back in order to be appropriate to a small-scale PIA.
The consultation and analysis phase builds on the foundations established by the first two sections. It includes consultations with stakeholders, risk analysis, the articulation of problems, and the search for constructive solutions.
Consultation does not have to be a formal process and can be limited to the stakeholders who have a key interest in the project or those who may have the biggest concerns about the project. It may, depending on the size of the project, be limited to a meeting or workshop with the key stakeholders, a series of short telephone interviews or even involve simply writing to the key stakeholders.
Sometimes, projects and systems may develop during the PIA process, in particular where concerns have been raised by stakeholders. As such, it can sometimes be useful to carry out several consultations over time to update stakeholders on developments and ask for further feedback as to whether this has addressed their concerns. On the other hand, if a comprehensive and clear project background paper is produced, and the participants are experienced or issues relatively simple, it may be sufficient to carry out one consultation exercise.
The key deliverable is a document (such as a privacy design features paper or a meeting outcomes report) that details the privacy impacts identified and the solutions or actions which will be taken to deal with them. This document must be in a form which can be published and provided to the various parties involved in the consultation. The project team, and in particular the designers, should receive copies of this document, because they will need to make decisions based on the outcome of consultations, make changes to the relevant project documents and implement the decisions made.
Again, the corresponding guidance for the consultation and analysis phase as part of a full-scale PIA described in Chapter IV provides a list of tasks which can be scaled back as appropriate for a small-scale PIA.
A full-scale PIA will justify more extensive documentation than a small-scale PIA. The purpose of the documentation phase is to document the process and the outcomes. The deliverable is a PIA Report, which may draw heavily on the document produced during the consultation and analysis phase. Depending on the context, this might be a relatively brief ‘note to file’, with copies to relevant parties; but circumstances may justify a more carefully prepared document.
The purpose of the review and audit phase is to ensure that the design features arising from the PIA are implemented, and are effective. The deliverable is a review or update report. Once again, in some contexts a ‘note to file’, with copies distributed to relevant parties, might be sufficient to achieve this requirement. In other cases, a more detailed document may be required.