Could mandatory Privacy Impact Assessment be a solution to enhance Personal Privacy and Data Protection? Chester Soong

Posted on 23-Feb-2016

Page 1: Chester Soong

Could mandatory Privacy Impact Assessment be a solution to enhance Personal Privacy and Data Protection?

Chester Soong

Page 2

What is PIA and why should we do it?

According to the PIA Guide by the Office of the Australian Information Commissioner, a PIA is an assessment tool that tells the story of a project from a privacy perspective:

- Describes how personal information flows in a project
- Analyses the possible privacy impacts on individuals’ privacy
- Identifies and recommends options for managing, minimising or eradicating these impacts
- Analyses the project’s effect on individual privacy
- Helps find potential solutions and manage privacy impact through this analysis
- Can make a significant difference to the project’s privacy impact and still achieve or enhance the project’s goals
- Encourages good privacy practice and underpins good public policy in the project or, in the private sector, underpins good risk management

In addition, according to the ICO of the UK, the PIA process should be much broader than an audit of compliance.

Page 3

The General Situation in the Adoption of PIA

- Basically only the US and Canada mandate the conduct of PIA for public agencies
- Some other jurisdictions such as Hong Kong, Australia, and the UK encourage the use of PIA
- Others such as Taiwan and Finland choose not to mention PIA at all in their laws and official stance

Page 4

The Counter Forces of Allowing PIA to be Mandatory

- Cost and resources issues
- Cultural issues in organizations
- Lack of privacy advocate groups

Page 5

Cost and resources issues

- The availability of PIA and privacy consultants is generally lacking in many jurisdictions
- New legislation would have to be drafted, especially when both government and industry are covered, and the legislative process is expensive
- Resources are needed to follow up and monitor the progress of addressing the results of a PIA
- In the public sector, the budget allocated for conducting a PIA is often in direct proportion to the size of the target project, so small projects cannot afford to conduct a full PIA

Page 6

Cultural Issues in Organizations

- While senior management “may” find PIA useful in helping them to identify privacy risks, it is the common culture for project managers and working-level staff to feel pressured and to reject the use of PIA
- Audit is often perceived as a fault-finding exercise
- The OAIC changed its OPC audit program to “Privacy Performance Assessment”, trying to dilute the “audit” perception felt by government agencies
- Roger Clarke discusses how the private sector in the US doesn’t like the idea of conducting PIA on private sector initiatives in his article “PIA: Its origins and development”
- This could be the hardest hurdle of mandating PIA, and PIA could well become a checklist review if it is forced down by the oversight body

Page 7

Lack of Advocate Groups

- Most of the general public would know Greenpeace, but very few people know about Privacy International
- Chu Yi Wah v Director of Environmental Protection of HKSAR Government [2011] 5 HKLRD 469, [2011] HKEC 1275
- We are lacking privacy advocate groups such as PI in Asia, and especially in Hong Kong, to act as policy watchdogs challenging both governments and private organizations
- Advocate groups can also attract and concentrate like-minded privacy advocates and experts to build a strong moving force in promoting PIA and enhancing personal privacy protection

Page 8

The “Preferred” Approach of Adopting PIA

PIA v Compliance Audit

- The protection principles checklists should not cause PIA to be confused with a compliance audit
- A compliance audit is useful as a continuous assessment tool for a system that is already in use, and especially helpful for organizations and agencies without in-house privacy expertise
- The ICO commented that PIA takes on a much wider scope and perspective on privacy protection than a compliance audit. It is an independent process that helps the project owner to assess whether there could be privacy risks and how big the privacy impact could be, so that the organization can make changes to the design and business process of the new project before they are set in stone

Page 9

The “Preferred” Approach of Adopting PIA

A Risk-Sector Specific Approach

- Not all men are created equal, and neither is all personal information!
- The sense of importance for each industry may vary due to several factors, including the culture of the people in the jurisdiction, relevant privacy laws and regulations, and the availability of resources
- Government agencies are the natural choice since they are always public-facing, and whatever they do and how they handle personal information will be under the public eye

Page 10

The Critical Success Factors of Having Mandatory PIA

Awareness and Education on PIA

- Mass communication for awareness
- Promotion through professional bodies
- Leading by example from public and private organizations

Page 11

The Critical Success Factors of Having Mandatory PIA

Making PIA Experts Available

- Relying on tertiary education to produce legal professionals with expertise in privacy laws is one solution, but it takes a long time to produce a rather small number
- The other solution is to allow professional associations from the industry to develop PIA or privacy consultants through certification. Complementary certifications for PIA consultants could be infosec-related ones such as CISSP and CISA
- The expertise should be available not only at the central government level, but also at the territorial level and within specific industries, where domain knowledge is required

Page 12

Conclusion

- PIA can benefit the protection of personal data and privacy
- It is more a question of how it can be done, and at what cost:
  - The answer to “how” involves who should be required first
  - The culture of the people may be a crucial determining factor in “how much” resources should be allocated for this, as the concern for personal privacy is sometimes subjective and cultural