A PIA must be seen as a separate process from compliance checking or data protection audit processes. Often organisations ask whether a PIA can be conducted on a project that is being implemented or has been up and running for some time. The nature of the PIA process means that it is best to complete it at a stage when it can genuinely affect the development of a project. Carrying out a PIA on a project that is up and running runs the risk of raising unrealistic expectations among stakeholders during consultation. For this reason, unless there is a genuine opportunity to alter the design and implementation of a project, the ICO recommends that projects which are already up and running are not submitted to a PIA process, but to either a compliance check or a data protection audit, whichever is more appropriate.
The PIA process is considerably broader than just an audit of compliance with existing privacy related laws. A complementary process is needed to ensure that the project is legally compliant. That process can begin early, but cannot be finalised until late in the project life-cycle, when the design is complete. Separate guidance is provided in Chapter VI and Chapter VII of this handbook relating to the conduct of compliance checking. The cost and delay involved in compliance checking need not be great, because the process draws heavily on work undertaken during the course of a PIA.
A PIA needs to be distinguished from a privacy or data protection audit. An audit is undertaken on a project that has already been implemented. An audit is valuable in that it either confirms that privacy undertakings and/or privacy law are being complied with, or highlights problems that need to be addressed. To the extent that it uncovers problems, however, they are likely to be expensive to address and may disturb the conduct of the organisation's business. A PIA aims to prevent problems arising, and hence avoid subsequent expense and disruption.
The ICO Data Protection Audit Manual is available at www.ico.gov.uk.
Many organisations feel that if they complete an information security or information assurance process, they have completed a process similar to a privacy impact assessment. However, while many of the issues addressed by PIAs are also addressed as part of information security or assurance procedures, those procedures are limited in scope to the needs of the organisation and do not, as a general rule, seek to garner views from the range of stakeholders who may be affected by a project.
While information security and assurance procedures will enable compliance with the law, they do not look at the broader issues: whether or not a particular project should be implemented at all from a privacy perspective, how to ensure that external privacy concerns are identified and addressed, or whether a particular programme is compliant with the broader rights to privacy and confidentiality provided by UK and European law.
Managing the expectations of anyone who has an interest in a project or who may be affected by its outcome is vital in the public and private sectors. The PIA process will cover a lot of the same ground as stakeholder management. Again, if your organisation already has a stakeholder management strategy in place, make sure it will also address and manage the expectations of stakeholders in relation to personal privacy.
Consultation is mandatory for many public sector projects. It is advisable to ensure that any consultation process is informed by the PIA process. This embeds the PIA process into current processes and avoids having to repeat work as part of the PIA.