PIA process – an overview
Initial assessment
Examines the project at an early stage, identifies stakeholders, makes an initial assessment of privacy risk and decides which level of assessment is necessary.
Full-scale PIA
Conducts a more in-depth internal assessment of privacy risks and liabilities. Analyses privacy risks, consults widely with stakeholders on privacy concerns and brings forward solutions to accept, mitigate or avoid them.
Small-scale PIA
Similar to a full-scale PIA, but is less formalised. Requires less exhaustive information gathering and analysis. More likely to be used when focusing on specific aspects of a project
Privacy law compliance check
Focuses on compliance with various “privacy” laws such as HRA, RIPA and PECR as well as DPA. Examines compliance with statutory powers, duties and prohibitions in relation to use and disclosure of personal information.
Data protection compliance check
Checklist for compliance with DPA. Usually completed when the project is more fully formed.
Review and redo!
Sets out a timetable for reviewing actions taken as a result of a PIA and examines their effectiveness. Looks at new aspects of the project and assesses whether they should be subject to a PIA.