Using this handbook

Part 1 – Background information

• • Chapter I – Overview

    • PIAs and other processes
      • Compliance checking and data protection audit
      • Information security procedures
      • Stakeholder management
      • Consultation
    • Why do a PIA?
      • Identifying and managing risks
      • Avoiding unnecessary costs
      • Inadequate solutions
      • Avoiding loss of trust and reputation
      • Informing the organisation’s communications strategy
      • Meeting and exceeding legal requirements
    • What are the end results of an effective PIA process?
    • When to do a PIA
    • Managing a PIA
      • Who should take responsibility for a PIA?
      • Who should carry out a PIA?
      • The PIA project steering committee
      • Role of the organisation’s data protection/ privacy officer or team
      • Resourcing a PIA
      • Role of the Information Commissioner’s Office
    • Conducting the PIA process
      • Preliminary phase
      • Preparation phase
      • Consultation and analysis phase(s)
      • Documentation phase
      • Review and audit phase
      • The PIA project plan
      • PIAs across more than one project

  • Chapter II – Privacy, risks and solutions

    • What is privacy?
      • Privacy of personal information
      • Privacy of the person
      • Privacy of personal behaviour
      • Privacy of personal communications
    • How is privacy protected?
    • Why is privacy important?
    • Privacy risks
      • What do we mean by privacy risks?
      • Recognising privacy risks
        • Broad personal information issues
        • Issues around identification of the individual
        • Function creep
        • Registration and authentication processes
        • Surveillance
        • Location and tracking
        • Intrusions into the privacy of the person
        • Persons at risk, and vulnerable populations
        • Issues around the exercise of rights by individuals
        • Future economic and social developments
        • Relevant legal considerations
    • Identifying privacy solutions
      • Accepting the risks
      • Privacy impact avoidance measures
      • Privacy impact mitigation measures
      • Privacy by design

Part 2 – The PIA process

• • Process Maps

    • PIA process – an overview
    • The PIA decision tree
    • Initial assessment process map
    • Full scale and small scale PIA process map

  • Chapter III – Initial assessment

    • How to determine if a PIA is needed
    • Preparing for the PIA screening process
      • Project outline
      • Stakeholder analysis
      • See what else is out there
    • The screening questions
    • Make an initial assessment of the privacy risks

  • Chapter IV – Full-scale privacy impact assessment

    • The five phases of a full-scale PIA
    • Preliminary phase
      • Developing the project outline
    • Preparation phase
      • Developing a consultation plan
    • Consultation and analysis phase(s)
    • Documentation phase
    • Review and audit phase

  • Chapter V – Small-scale privacy impact assessment

    • Overview
    • Why do a small-scale PIA?
    • Examples of projects for which a small-scale PIA might be appropriate
    • The small-scale PIA process
    • 1. Preliminary phase
    • 2. Preparation phase
    • 3. Consultation and analysis phase(s)
    • 4. Documentation phase
    • 5. Review and audit phase

  • Chapter VI – Privacy law and other legal compliance checking

    • The importance of compliance checking
    • Responsibilities
    • Potentially relevant areas of the law
    • Postponing or redesigning a project

  • Chapter VII – Data Protection Act compliance check (including PECR)

    • The role of compliance checking
    • Compliance checking
    • Postponing or redesigning a project

  • Chapter VIII – Other ICO guidance

    • ICO Publications

Appendix 1 – The PIA screening questions

• Step 1 - Criteria for a full-scale PIA
• Step 2 - Criteria for a small-scale PIA
• Step 3 - Criteria for a privacy law compliance check
• Step 4 - Criteria for a Data Protection Act compliance check

Appendix 2 – Data protection compliance checklist template

Appendix 3 – PECR compliance checklist template

Appendix 4 – Privacy strategies