Privacy strategies
What is a privacy strategy?
For many organisations that depend upon personal data, privacy has become a strategic factor. Completing a PIA can be much easier, quicker, less expensive and more effective, if the organisation’s overall strategy encompasses privacy.
To deliver value to an organisation, a PIA is best approached not as a standalone activity, but rather integrated into the organisation through two levels. The role of PIAs must be defined within the organisation’s privacy strategy and the privacy strategy must be part of the organisation’s broader strategic planning.
However, a privacy strategy must be broader than PIAs and help to address potential media controversies which might occur and the need to respond to enquiries from individuals, their representatives, or elected officials.
A privacy strategy works best when it is expressly stated and is proactive and articulated into a plan, with adequate resources and effective monitoring of performance against the plan.
Why have a privacy strategy?
Organisations will find starting and completing a PIA much easier when a privacy strategy is in place. This is because staff will be more aware of the kinds of issues, implications, public concerns and risks. Organisations whose operations have considerable impacts on the privacy of their customers, their staff, or indeed any other categories of people, may find that they need to undertake PIAs more frequently. A privacy strategy helps to manage multiple PIAs being conducted within an organisation and ensure consistency in relation to the type of projects which are subject to a PIA.
Different types of privacy strategy
The scope of a privacy strategy should reflect the nature of the organisation and its mission. This section should help determine the appropriate scope of the strategy depending on the organisation’s needs. It identifies four broad approaches, ranging from the very narrow to the very broad.
- A minimalist information privacy strategy.
- A comprehensive information privacy strategy.
- A broad privacy strategy.
- A social impacts or public policy strategy.
A minimalist privacy strategy
The most basic approach is to develop a privacy strategy which helps the organisation to meet legal requirements and obligations in relation to information privacy. A minimalist information privacy strategy will have the following basic aims.
- To develop an organisational understanding of privacy and data protection, and of the key privacy issues that arise in the organisation’s relationships with individuals (generally its staff and customers).
- To conduct a review of the organisation’s holdings of personal data and the processes relating to that data.
- To build recognition of privacy matters into its project processes (e.g. as a component of project scoping documents, or budget approvals). This should include:
  - a requirement that PIAs be considered where appropriate;
  - a requirement that legal compliance checks are completed; and
  - a requirement that data protection compliance checks are completed.
A comprehensive information privacy strategy
Organisations that recognise privacy as being a strategic factor in trust relationships with their staff or customers, or that recognise privacy as a matter of corporate responsibility, often implement a much more comprehensive strategy.
A comprehensive information privacy strategy is likely to encompass the following aims in addition to those in a minimalist information privacy strategy.
- Protections for all categories of people, without restrictions such as ‘citizen’, ‘resident’ or ‘customer’, and with provisions related to the interests of deceased persons and their relatives.
- Recognition of the benefits as well as the inefficiencies involved in ‘identity silos’, by avoiding the use of the same identifier in multiple organisations, systems and programmes.
- An active commitment to avoid the consolidation of data from multiple sources into a single virtual databank, the use of personal data for additional purposes, ‘function creep’ from one business function to another, data warehousing and data mining.
- A commitment to use of authentication rather than identification in determining an individual’s entitlement to services, benefits or access.
- Approval for and facilitation of anonymous and pseudonymous transaction services in all circumstances where appropriate.
- Avoidance of prejudice to the person’s access to services, or their ability to exercise other rights, because of the exercise of privacy rights.
- Individual control over identification and authentication mechanisms, such as chip-cards and digital signature keys.
A broad privacy strategy
People are concerned about dimensions of privacy other than just information privacy, and organisations may judge it to be advantageous to define the scope of their privacy strategy to reflect broader concerns.
A broad enterprise privacy strategy would also encompass impacts on other types of privacy, such as privacy of the person, personal behaviour and personal communications.
A social impacts/public policy strategy
Some organisations may judge it to be advantageous to adopt a scope that is broader than privacy alone, but encompasses it. A social impacts or public policy strategy would also encompass impacts (both positive and negative) on such matters as:
- the availability and quality of services;
- the accessibility and equity of services;
- the allocation of effort, costs and risks, particularly where they are shifted in the direction of citizens;
- choice in relation to the use of the project as a whole, including benefits foregone if it is not used, and penalties for non-use;
- consent in relation to participation in the project as a whole, and in particular features of it, rather than legal compulsion, or other forms of coercion;
- job-market and industry structure impacts;
- geographical equity impacts, e.g. differential service depending on location or access to facilities;
- social equity impacts, e.g. differential service depending on ethnic background, lingual skills, education or physical limitations;
- the human rights of clients, employees and contractors; and
- the accessibility of information.
One of the advantages of a social impacts/public policy strategy which includes privacy is that the privacy elements of your strategy are part of the fabric of policy-making.
Meeting the requirements of a privacy strategy
A successful privacy strategy needs direction and leadership from a senior executive level. The following measures are advised in order to ensure that any privacy strategy is met and exceeded.
- Establish and maintain a focal point that ensures executive attention to the matter, including commitment by senior executives to a privacy programme.
- Appoint a Chief Privacy Officer at a senior level within the organisation.
- Regularly include privacy matters in executive committee agendas.
- Ensure that business process engineering and re-engineering activities have privacy sensitivity embedded into them. This could involve changing:
  - provisions within supplier contracts;
  - the organisation’s project management framework and methodology; and
  - the organisation’s audit processes.
- Structure a programme that builds privacy respect into the organisation’s philosophy, mindset and business processes. This programme could include:
  - staff training schemes;
  - internal audit of personal data practices.
- Establish and maintain an internal communications programme.
- Establish and maintain an external communications programme, which may include targeting your organisation’s privacy messages at:
  - affected individuals (including staff as well as clients);
  - relevant representative and advocacy organisations.
- Create channels to and from relevant representative and advocacy organisations; and
- Ensure your organisation has the capacity to receive and handle incoming communications, through procedures for handling incidents, enquiries, submissions and complaints.