Organisations should run privacy impact assessments, says ICO

Organisations must consider the impact on individuals’ privacy before developing new IT systems or changing the way they handle personal information, the Information Commissioner’s Office (ICO) will urge today.

At a conference on the ‘surveillance society’ in Manchester the ICO will say that the data breach at HM Revenue and Customs was a watershed and will call for organisations to implement new safeguards to help protect individuals’ privacy.

The ICO is launching a privacy impact assessment handbook to help organisations address the risks to personal privacy before implementing new initiatives and technologies. By carrying out a privacy impact assessment, the ICO says organisations will also increase public confidence in data collection.

A privacy impact assessment (or PIA) is simply a process for evaluating a proposal to identify its potential effects upon individual privacy and data protection compliance; to examine how any detrimental effects might be overcome; and to ensure that new projects comply with the data protection principles.

Deputy Commissioner David Smith said: “Very often the collection and use of personal information is essential and beneficial to modern life but many people do not realise that data collection is at the heart of surveillance. Each time someone gives away their personal information they leave electronic footprints which build up a picture of every aspect of their daily lives.”

“It is essential that before introducing new systems and technologies, which could accelerate the growth of a surveillance society, full consideration is given to the impact on individuals and that safeguards are in place to minimise intrusion,” he said. “Privacy impact assessments are a common sense approach to help organisations develop privacy friendly ways of working.”

Privacy impact assessments are not new but are most commonly undertaken in Canada, New Zealand, Australia, Hong Kong and the US, particularly in the public sector. In the US and the Province of Alberta in Canada, privacy impact assessments and their publication are mandatory for certain new developments.

In the UK, privacy impact assessments are not mandatory, but Dr Chris Pounder, a privacy law specialist with Pinsent Masons and editor of Data Protection Quarterly, said that the Data Protection Act deals with them indirectly.

“There is a principle in the Act that deals with security and calls for a risk assessment to be performed in relation to the safe processing of personal data by an organisation,” he said. “Also, under the principle that relates to the transfers of personal data to territories outside the European Economic Area, there is a need to do a risk assessment in the context of that territory.”

“All a Privacy Impact Assessment does, in one sense, is extend the risk assessments that need to be done under these two principles, to all the eight principles under the Act,” said Pounder. “This means, in theory, that all Principles should be assessed prior to the commencement of any processing.”