Appendix 1

PIA screening process

Step 1 – Criteria for full-scale PIA

This section provides guidance for evaluating whether a full-scale PIA should be conducted. The evaluation depends on sufficient information about the project having been collected during the previous step.
The evaluation process involves answering the following set of 11 questions about key characteristics of the project and the system that the project will deliver.
The answers to the questions need to be considered as a whole, in order to decide whether the overall impact, and the related risk, warrant investment in a full-scale PIA. The questions are shown below in bold. Guidance in relation to the interpretation of each question is provided in plain text.
Following the series of screening questions, further guidance is given on undertaking this analysis

The 11 questions about key project characteristics

Technology

(1) Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?

Examples include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining, and logging of electronic traffic.

Identity

(2) Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes?

Examples of relevant project features include a digital signature initiative, a multi-purpose identifier, interviews and the presentation of identity documents as part of a registration scheme, and an intrusive identifier such as biometrics. All schemes of this nature have considerable potential for privacy impact and give rise to substantial public concern and hence project risk.

(3) Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions?

Many agency functions cannot be effectively performed without access to the client's identity. On the other hand, many others do not require identity. An important aspect of privacy protection is sustaining the right to interact with organisations without declaring one's identity.

Multiple organisations

(4) Does the project involve multiple organisations, whether they are government agencies (eg in 'joined-up government' initiatives) or private sector organisations (eg as outsourced service providers or as 'business partners')?

Schemes of this nature often involve the breakdown of personal data silos and identity silos, and may raise questions about how to comply with data protection legislation. This breakdown may be desirable for fraud detection and prevention, and in some cases for business process efficiency. However, data silos and identity silos are of long standing, and have in many cases provided effective privacy protection. Particular care is therefore needed in relation to preparation of a business case that justifies the privacy invasions of projects involving multiple organisations. Compensatory protection measures should be considered.

Data

(5) Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?

The Data Protection Act at s.2 identifies a number of categories of 'sensitive personal data' that require special care. These include racial and ethnic origin, political opinions, religious beliefs, trade union membership, health conditions, sexual life, offences and court proceedings.

There are other categories of personal data that may give rise to concerns, including financial data, particular data about vulnerable individuals, and data which can enable identity theft.

Further important examples apply in particular circumstances. The addresses and phone-numbers of a small proportion of the population need to be suppressed, at least at particular times in their lives, because such 'persons at risk' may suffer physical harm if they are found.

(6) Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database?

Examples include intensive data processing such as welfare administration, healthcare, consumer credit, and consumer marketing based on intensive profiles.

(7) Does the project involve new or significantly changed handling of personal data about a large number of individuals?

Any data processing of this nature is attractive to organisations and individuals seeking to locate people, or to build or enhance profiles of them.

(8) Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?

This is an especially important factor. Issues arise in relation to data quality, the diverse meanings of superficially similar data-items, and the retention of data beyond the very short term.

Exemptions and exceptions

(9) Does the project relate to data processing which is in any way exempt from legislative privacy protections?

Examples include law enforcement and national security information systems and also other schemes where some or all of the privacy protections have been negated by legislative exemptions or exceptions.

(10) Does the project's justification include significant contributions to public security measures?

Measures to address concerns about critical infrastructure and the physical safety of the population usually have a substantial impact on privacy. Yet there have been tendencies in recent years not to give privacy its due weight. This has resulted in tensions with privacy interests, and creates the risk of public opposition and non-adoption of the programme or scheme.

(11) Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?

Disclosure may arise through various mechanisms such as sale, exchange, unprotected publication in hard-copy or electronically-accessible form, or outsourcing of aspects of the data-handling to sub-contractors.

Third parties may not be subject to comparable privacy regulation because they are not subject to the provisions of the Data Protection Act or other relevant statutory provisions, such as where they are in a foreign jurisdiction. Concern may also arise in the case of organisations within the UK which are subsidiaries of organisations headquartered outside the UK.

Facing facts early

The key characteristics addressed here represent significant risk factors for the project and their seriousness should not be downplayed. It should also be remembered that the later the problems are addressed, the higher the costs will be to overcome them.

Perspectives to consider

It is important to appreciate that the various stakeholder groups may have different perspectives on these factors. If the analysis is undertaken solely from the viewpoint of the organisation itself, it is likely that risks will be overlooked. It is therefore recommended that stakeholder perspectives are also considered as each question is answered.

In relation to the individuals affected by the project, the focus needs to be more precise than simply citizens or residents generally, or the population as a whole. In order to ensure a full understanding of the various segments of the population that have an interest in, or are affected by, the project, the stakeholder analysis that was undertaken as part of the preparation step may need to be refined. For example, there are often differential impacts and implications for people living in remote locations, for the educationally disadvantaged, for itinerants, for people whose first language is not English, and for ethnic and religious minorities.

Applying the criteria

Once each of the 11 questions has been answered individually, the set of answers needs to be considered as a whole, in order to reach a conclusion as to whether a full-scale PIA is warranted. If it is, a conclusion is also needed as to whether the scope of the PIA should be wide-ranging, or focused on particular aspects of the project. The full-scale PIA is described in detail in chapter IV. Before proceeding to that part, however, it is necessary to continue with steps three and four of the screening process, to determine whether compliance checking should also be included in the project schedule.

Step 2 – Criteria for small-scale PIA

This section provides guidance for evaluating whether a small-scale PIA should be conducted.

The evaluation depends on sufficient information about the project having been collected when preparing for the PIA screening process. If a prior PIA has been performed in relation to the existing system, this will also provide useful input to the process. The evaluation process involves answering a set of questions about characteristics of the project or the system that the project will deliver. These are factors that tend to give rise to concern among at least some parts of the general public, and accordingly may be judged to represent project risk factors. The questions are shown below in bold. Where guidance is provided in relation to the interpretation of a question, it is provided in plain text.

The 15 questions about project characteristics

Technology

(1) Does the project involve new or inherently privacy-invasive technologies?

Examples of such technologies include, but are not limited to, smart cards, radio frequency identification (RFID) tags, biometrics, locator technologies (including mobile phone location, applications of global positioning systems (GPS) and intelligent transportation systems), visual surveillance, digital image and video recording, profiling, data mining, and logging of electronic traffic. Technologies that are inherently intrusive, and technologies that are new and sound threatening, excite considerable public concern, and hence represent project risk.

In order to answer this question, considerations include:

• whether all of the information technologies that are to be applied in the project are already well-understood by the public;
• whether their privacy impacts are all well-understood by the organisation, and by the public;
• whether there are established measures that avoid negative privacy impacts, or at least reduce them to the satisfaction of those whose privacy is affected; and
• whether all of those measures are being applied in the design of the project.

Justification

(2) Is the justification for the new data-handling unclear or unpublished?

Individuals are generally much more accepting of measures, even measures that are somewhat privacy-intrusive, if they can see that the loss of privacy is balanced by some other benefits to themselves or society as a whole. On the other hand, vague assertions that the measures are needed 'for security reasons', or 'to prevent fraud', are much less likely to calm public disquiet.

Identity

(3) Does the project involve an additional use of an existing identifier?

(4) Does the project involve use of a new identifier for multiple purposes?

(5) Does the project involve new or substantially changed identity authentication requirements that may be intrusive or onerous?

The public understands that an identifier enables an organisation to collate data about an individual, and that identifiers that are used for multiple purposes enable data consolidation. They are also aware of the increasingly onerous registration processes and document production requirements imposed by organisations in recent years. From the perspective of the project manager, these are warning signs of potential privacy risks.

Data

(6) Will the project result in the handling of a significant amount of new data about each person, or significant change in existing data-holdings?

(7) Will the project result in the handling of new data about a significant number of people, or a significant change in the population coverage?

(8) Does the project involve new linkage of personal data with data in other collections, or significant change in data linkages?

The degree of concern about a project is higher where data is transferred out of its original context. The term 'linkage' encompasses many kinds of activities, such as the transfer of data, the consolidation of data-holdings, the storage of identifiers used in other systems in order to facilitate the future searches of the current content of records, the act of fetching data from another location (eg to support so-called 'front-end verification'), and the matching of personal data from multiple sources.

Data handling

(9) Does the project involve new or changed data collection policies or practices that may be unclear or intrusive?

(10) Does the project involve new or changed data quality assurance processes and standards that may be unclear or unsatisfactory?

(11) Does the project involve new or changed data security arrangements that may be unclear or unsatisfactory?

(12) Does the project involve new or changed data access or disclosure arrangements that may be unclear or permissive?

(13) Does the project involve new or changed data retention arrangements that may be unclear or extensive?

(14) Does the project involve changing the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible than before?

Exemptions

(15) Will the project give rise to new or changed data-handling that is in any way exempt from legislative privacy protections?

Perspectives to consider

As with the criteria for full-scale PIA, risks may be overlooked unless these questions are considered from the various perspectives of each of the stakeholder groups, rather than just from the viewpoint of the organisation that is conducting the project.

Similarly, in relation to the individuals affected by the project, it may not be adequate to think in terms of citizens or residents generally, or the population as a whole. In order to ensure a full understanding of the various segments of the population that have an interest in, or are affected by, the project, the stakeholder analysis that was undertaken as part of the preparation step may need to be refined. There are often different impacts and implications for different sections of the population, especially disadvantaged groups.

Applying the criteria

Where the answers to questions are “Yes”, consideration should be given to the extent of the privacy impact and the resulting project risk. The greater the significance, the more likely that a small-scale PIA is warranted.

If only one or two aspects give rise to privacy concerns, a small-scale PIA may still be justified. In these circumstances the PIA process should be designed to focus on the areas of concern. If, on the other hand, multiple questions are answered “Yes”, a more comprehensive assessment is appropriate.

The small-scale PIA is described in chapter V. Before proceeding to that part, however, it is necessary to continue with steps three and four of the screening process, to determine whether compliance checking should also be included in the project schedule.

Step 3 – Criteria for privacy law compliance checks

Senior executives of government agencies and company directors must ensure that the operations for which they are responsible comply with all relevant laws. The purpose of this section of the handbook is to assist organisations in complying with privacy-related laws. The services of a legal professional with relevant expertise may be needed. If any of the following questions are answered "Yes", then a privacy law compliance check should be conducted:

1. Does the project involve any activities (including any data handling), that are subject to privacy or related provisions of any statute or other forms of regulation, other than the Data Protection Act?

In particular, the following laws and other forms of regulation should be considered, but the list may not be exhaustive.

• The Human Rights Act, in particular Schedule 1, Article 8 (right to respect for private and family life) and Article 14 (prohibition of discrimination).
• The Regulation of Investigatory Powers Act 2000 (RIPA) and Lawful Business Practice Regulations 2000.
• The Privacy and Electronic Communications Regulations 2003 (PECR).
• The Data Retention (EC Directive) Regulations 2007.
• In the case of government agencies, the statutes under which the agency or programme operates.
• Statutes that impose regulatory conditions on the manner in which the organisation operates.
• Sectoral legislation, eg Financial Services and Markets Act 2000.
• Statutory codes, eg the Information Commissioner’s CCTV code of practice.

Where projects are cross-jurisdictional the law of more than one country may be involved and other legal provisions may also need to be considered.

2. Does the project involve any activities (including any data handling) that are subject to common law constraints relevant to privacy?

In particular, the following should be considered:

• confidential data relating to a person, as that term would be understood under the common law of confidence;
• the tort of privacy as it develops through case law.

3. Does the project involve any activities (including any data handling) that are subject to less formal good practice requirements relevant to privacy?

In particular, the following should be considered:

• industry standards, eg the BS ISO / IEC 17799:2005 Information Security Standard;
• industry codes, eg the NHS Code of Practice on Confidentiality.

Privacy law compliance checking is described in chapter VI of this handbook. Before proceeding to that part, however, organisations must continue with step four of the screening process, to determine whether Data Protection Act compliance checking also needs to be included in the project schedule. Note that compliance checking activities are usually conducted reasonably late in the overall project schedule, once detailed information about business processes and business rules is available.

Step 4 – Criteria for Data Protection Act compliance checks

Senior executives of government agencies and company directors must ensure that the operations for which they are responsible comply with all relevant laws. The purpose of this section of the handbook is to assist organisations in that endeavour.

The services of a professional with relevant legal expertise may be needed.

If the following question is answered ”Yes”, then a Data Protection Act compliance check should be conducted:
Does the project involve the handling of any data that is personal data, as that term is used in the Data Protection Act?
‘Personal data’ means data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual (Data Protection Act, s.1).

Data Protection Act compliance checking is described in chapter VII. Before proceeding to that part, however, it is advisable to return to the screening process and review the outcomes of the four steps.

Note that, where a PIA is needed, it should be commenced at an early stage of the overall project, whereas compliance checking activities are usually conducted only once a fairly mature stage of business process design has been reached.