Privacy Impact Assessment Workshop Maureen H Falconer Sr Guidance & Promotions Manager Scotstat Public Sector Analysts Network 30 September 2010

Page 1: Privacy Impact Assessment Workshop

Maureen H Falconer
Sr Guidance & Promotions Manager

Scotstat
Public Sector Analysts Network

30 September 2010

Page 2: Recognising Privacy Risk

Page 3: PIA Decision Tree

Initial Assessment

1. Full scale PIA?
   YES: Complete full scale PIA & privacy, DP & other compliance checks
   NO: continue to 2

2. Small scale PIA?
   YES: Complete small scale PIA & privacy, DP & other compliance checks
   NO: continue to 3

3. Privacy compliance check?
   YES: Complete privacy, DP & other compliance checks
   NO: continue to 4

4. DP compliance check?
   YES: Complete DP compliance check
   NO: No further action

Page 4: Initial Assessment Map

Preparation

Stakeholder analysis

Go through PIA screening questions to highlight privacy issues

Decide level of assessment

External information gathering

Project outline

Page 5: Will it involve…

Denying anonymity or making identifiable previously anonymous transactions?

Multiple organisational use?

Increased volumes of data on individuals?

Increased volumes of individuals?

Processing data exempt from legislation?

Disclosure to third parties not subject to comparable data protection?

New or increased technology with substantial potential for privacy intrusion?

New or re-using identifiers, intrusive identification/authentication/management processes?

New handling processes for sensitive data?

New or increased data matching?

Increased public security measures?

…do a full scale PIA.

Page 6: If not, will it involve…

New/changed data quality assurance processes and standards which may be unclear/unsatisfactory?

New/changed data security arrangements which may be unclear/unsatisfactory?

New/changed data access or disclosure arrangements which may be unclear/permissive?

New/changed data retention arrangements which may be unclear/extensive?

Changing medium of disclosure making data more readily accessible than before?

…do a small scale PIA.

Page 7: PIA Process Map

Preliminary work

Preparation

Documentation: conclusions & recommendations

Review and audit

Internal analysis

External consultation/information gathering

Page 8: Identifying privacy risk…

Personal Information Issues

Issues around use of Identifiers

Function Creep

Centralisation of Data

Vulnerability of Individuals

Upholding Individuals’ Rights

Identifying privacy solutions…

Acceptance

Mitigation

Avoidance

Page 9: Compliance

Privacy Law:

HRA; PECR; Law of Confidence

Vires

Statutory obligations/restrictions/prohibitions

Data Protection:

Schedule Conditions

DP Principles

Exemptions

Page 10: Key Points

The PIA is a process to consider privacy risk which provides:

All-round perspective;

Understanding of acceptability;

Understanding of negative privacy impact;

Justification for privacy intrusion;

Opportunities to lessen negative impact;

Consideration of less privacy-invasive alternatives;

Evidence based decision-making.

Page 11: Information Commissioner’s Office

93-95 Hanover Street
Edinburgh
EH2 1DJ

0131 301 [email protected]