Privacy Impact Assessment (PIA) is a systematic process that identifies and evaluates, from the perspectives of all stakeholders, the potential effects on privacy of a project, initiative or proposed system or scheme, and includes a search for ways to avoid or mitigate negative privacy impacts.
This Policy Statement comprises the following sections:
- an outline of distinctive differences between a PIA and other privacy-related business processes
- a list of the characteristics of a PIA
- comments on guidance documents published by Australian Privacy Commissioners
PIA Compared with Other Business Processes
A PIA differs from other privacy-related business processes, in the following ways:
Activities Conducted Prior to a PIA
- Privacy Strategy Formulation. This process considers privacy from a corporate perspective; whereas a PIA considers it from the perspectives of all stakeholders, and focusses on a particular initiative, scheme, program or project. In this Policy Statement, the term ‘project’ is used to encompass all such categories of activity
- Privacy Issues Analysis. This process is a preliminary, internal assessment of the potential issues that may arise from a project, and is generally undertaken at a very early stage in the project life-cycle; whereas a PIA is performed at greater depth, and through the project life-cycle, and involves engagement with stakeholders
- PIA Screening Study, or ‘Threshold Assessment’. This process is an initial, ‘broad-brush’ survey, which is undertaken early in the project life-cycle in order to determine whether a PIA needs to be performed, and if so what scope the PIA should have; whereas a PIA is an in-depth assessment of privacy impacts
Activities with Narrower Scope than a PIA
- Data Privacy Impact Assessment. This process is a study of the impacts of a project on only the privacy of personal data; whereas a PIA considers all dimensions of privacy
- Internal Cost/Benefit Analysis. This process is an assessment of the costs and benefits of a project from the viewpoint of the organisation alone, and is often limited to financial costs and benefits; whereas a PIA adopts a multi-perspective approach, taking into account the interests of all stakeholders, and considers costs and benefits of all kinds, not just those that have measurable financial impact
- Internal Risk Assessment. This process is an assessment of the risks arising in relation to a project from the viewpoint of the organisation alone; whereas a PIA adopts a multi-perspective approach, taking into account the interests of all stakeholders
- Privacy Impact Statement. This is a document: a declaration by the organisation of its position; whereas a PIA is a process, of which a report is only one output
- Legal Compliance Assessment. This process is an assessment of the extent to which the project complies with relevant laws; whereas a PIA assesses a project against the needs, expectations and concerns of all stakeholders
Activities Conducted Subsequent to a PIA
- Privacy Management Planning and Control. This is a systematic process of ensuring that a Privacy Management Plan is articulated and implemented, and its performance monitored, in order to give effect to the privacy-relevant decisions made during the project; whereas a PIA is the process that identifies the problems, and identifies solutions to them
- Privacy Audit. This process is an assessment conducted after a project is implemented; whereas a PIA is conducted before and in parallel with a project, and ensures that harmful and expensive problems that an audit would later expose are avoided, and that unavoidable negative impacts on privacy are minimised and the harm mitigated
Characteristics of a PIA
In order to fulfil its purpose, a Privacy Impact Assessment process needs to have all of the following characteristics.
1. Purpose of the PIA
From the perspective of people whose privacy may be negatively affected by a project, the PIA’s purpose is to ensure that the project’s impacts and implications are understood prior to implementation, and that unnecessary negative impacts are avoided or that mitigating measures are in place.
From the perspective of the sponsoring organisation(s), the PIA’s purpose is to enable the organisation and its partners to appreciate privacy concerns, to avoid or mitigate negative privacy impacts and implications, and to do so at a sufficiently early stage in the project life-cycle that costly re-work and feature retro-fit are avoided.
2. Responsibility for the PIA
The responsibility for the conduct of a PIA rests with organisations that sponsor, propose or perform projects that have the potential to negatively impact privacy.
In many cases, external expertise will be acquired under contract, because few organisations would find it appropriate to invest in full-time employees who already had, and could sustain, up-to-date knowledge in such a specialised area. In addition, an appropriate consultant can provide access to external perspectives that may otherwise be difficult for the organisation to appreciate. However, merely delegating the conduct of the PIA to an external contractor does not satisfy the requirements. Similarly, an assessment undertaken by a regulatory or oversight agency is not a PIA, but rather a form of accountability and external control.
Within the sponsoring agency, governance arrangements are necessary, to ensure that:
- responsibility for the PIA rests with an appropriate senior executive
- relevant staff are involved, and commit sufficient time to the process
- the organisation has intellectual ownership of the process and the information arising from it
- the information arising from the process is assimilated and internalised rather than walking out the door when consultants leave
- the conclusions reached are articulated forward into the design rather than lying dormant in the PIA Report
3. Timing of the PIA
The PIA must be commenced sufficiently early that information arising from it is fed forward into the design process. If that is not the case, then there is a considerable risk that the design will have undue negative privacy impacts, and that re-work and feature retro-fitting will be necessary. This creates project risk, and gives rise to delays and to much higher costs than is the case where an in-depth understanding of privacy concerns is factored into the design process from the outset.
Where a project is large or long, the PIA process needs to be multi-phased, commencing at project initiation or at least during the requirements analysis phase, and running in parallel and inter-leaved with design, implementation and deployment.
4. Scope of the PIA
A PIA process has to have sufficient scope. Three aspects are particularly crucial to a successful undertaking.
• The Dimensions of Privacy
A PIA process must not be limited to data/information privacy, i.e. the protection of personal data. Other categories of importance are:
- privacy of the physical person
- privacy of personal behaviour
- privacy of personal communications
• The Stakeholders
The perspectives of all stakeholders must be reflected, not merely those of the sponsor(s) and its/their strategic partners. In particular, the scope of the stakeholder notion must include:
- the categories or segments of individuals whose privacy is or may be affected by the project
- representative associations and advocacy organisations for the interests of the categories or segments of individuals whose privacy is or may be affected by the project
Stakeholder Analysis needs to be undertaken in order to identify the categories of entities that are or may be affected by the project, and whose actions may affect the success of the project.
• The Reference-Points
A PIA process must of course take into account laws relevant to privacy. This may include one or more privacy or data protection statutes, but it also includes many other pieces of legislation that provide incidental protections or that establish privacy-relevant regulatory requirements, and, in common law jurisdictions, torts (such as confidentiality) and case law. In the case of government agencies and government business enterprises, their own enabling and/or governing legislation generally also contains privacy-relevant requirements.
However, the reference-points used in identifying negative privacy impacts need to be much broader than just the applicable laws. There are many public needs, expectations and concerns that are felt by individuals, categories of individuals and communities that may not be (or may not yet be) reflected in law. A PIA process that overlooks these aspects will result in a design that earns opprobrium from advocacy organisations and the affected public. Hence, despite being legally compliant, schemes will encounter resistance, and be the subject of complaints and negative media coverage.
5. Stakeholder Engagement
The PIA process must include meaningful engagement by the sponsoring organisation with all stakeholders. For meaningful engagement to be achieved, all of the following are necessary:
- early contact with all stakeholders and notification of the nature of the project
- information provision, to enable stakeholders to consider the proposal and formulate their views
- consultative processes, such that stakeholders can seek clarifications, and communicate their views
- sufficiently early conduct of consultation that the outcomes can be fed forward to and reflected in the design, rather than the PIA Report arriving after the key design decisions have been made and changes have become costly
- interactions among stakeholders, in order to overcome barriers to communication, avoid misunderstandings, develop shared appreciation of the aims and constraints, and enable participants to work together towards constructive outcomes
- communication to participants of a summary of the process and outcomes
- exposure to participants of the draft PIA Report
- publication of the final PIA Report, to ensure that the public is informed, and as a means of supporting accountability
Some organisations may be concerned about the exposure of information of commercial or competitive value or security-sensitivity, and others about the disclosure of information that is subject to constraints, e.g. because no Cabinet decision has yet been made. It is necessary to reconcile the need for meaningful engagement with the affected public against such security and confidentiality limitations.
6. Orientation of the PIA
The PIA process needs to have appropriate orientation, in the following two respects.
• Process vs. Product
The PIA needs to be clearly and consistently depicted as being primarily about process. If, on the other hand, a PIA is projected or perceived as being merely a formal procedure that produces a PIA Report, then the project will fail to achieve the insights, understanding, behavioural change and business process features that an effective PIA process leads to.
• Solutions vs. Problems
PIA is a form of risk management. This means that it goes beyond ‘problems’, ‘issues’ and ‘concerns’, and extends to a search for ‘solutions’. More specifically, it involves active search for means of avoiding negative privacy impacts wherever that can be achieved, and for means of mitigating the negative impacts where avoidance is not feasible.
7. The PIA Process
A preliminary privacy issues analysis process enables projects to be screened, and threshold tests applied, in order to determine whether a PIA is necessary, and, if so, what the scope of the assessment should be.
The PIA process as a whole needs a degree of structure, such as a preliminary phase, followed by preparatory, performance, documentation and review phases.
Considerable benefits can be gained from integration of the PIA process into relevant corporate processes, such as project funding, project approval, risk management, project management and internal review mechanisms.
PIA guidance documents offer considerable value in planning and performing the process; but they need to be applied intelligently rather than being thought of as a recipe, and checklists need to be recognised as not necessarily being sufficiently comprehensive to support the assessment of any particular project.
8. Outcomes from the PIA Process
The documents that are produced by the PIA process importantly include the following:
- a PIA Report. This documents the process and its results
- a Privacy Management and Control Plan. This documents the problems, and how they are to be addressed, including the specific design features that achieve avoidance or mitigation of each specific negative privacy impact
The outcomes derive from the implementation of the Privacy Management and Control Plan. They importantly include the following:
- insights, understanding and behavioural change
- design features
- minimal negative privacy impacts on individuals
- achievement of the sponsoring organisation’s aims in an effective and efficient manner, without attracting negative media coverage, and with the support of (or at least without unreasonable opposition by) the relevant public, and representatives and advocates for their interests
Guidance Documents Published by Australian Privacy Commissioners
The Australian Privacy Commissioner
The Commonwealth Commissioner published a PIA Guide in 2006. There has been one subsequent revision (OAPC 2010).
In general, much of that document provides valuable guidance; but unfortunately it suffers from several critical deficiencies, which the Privacy Commissioner has declined to address. These are:
- consultation is entirely omitted from the description of the PIA process
- there is no mention of the role of representatives and advocates for affected population segments
- the orientation is strongly towards impacts and issues, with far less attention paid to solutions
- although mention is made of the need to avoid harm to privacy, no mention at all is made of mitigating measures
The Victorian Privacy Commissioner
Since the revisions made to its original 2004 document, the guidance document published by the Victorian Privacy Commissioner (OVPC 2009a) is one of the best such documents published anywhere in the world.
Its one disadvantage is that it structures and describes the PIA process in terms of the preparation of the PIA Report, which risks readers thinking of a PIA as a mere product rather than primarily a process. On the other hand, the Template (OVPC 2009b) and the Accompanying Guide (OVPC 2009c) draw the assessor well beyond mere legal compliance, place considerable emphasis on consultation and solution-orientation, and provide instruction without permitting the assessor to abandon intellectual engagement with the work.