Privacy Impact Assessment Workshop
Maureen H Falconer
Sr Guidance & Promotions Manager
Scotstat
Public Sector Analysts Network
30 September 2010
Recognising Privacy Risk
PIA Decision Tree
Initial Assessment
Full scale PIA?
  YES: Complete full scale PIA & privacy, DP & other compliance checks
  NO: Small scale PIA?
    YES: Complete small scale PIA & privacy, DP & other compliance checks
    NO: Privacy compliance check?
      YES: Complete privacy, DP & other compliance checks
      NO: DP compliance check?
        YES: Complete DP compliance check
        NO: No further action
Initial Assessment Map
Preparation
Stakeholder analysis
Go through PIA screening questions to highlight privacy issues
Decide level of assessment
External information gathering
Project outline
Will it involve…
Denying anonymity or making identifiable previously anonymous transactions?
Multiple organisational use?
Increased volumes of data on individuals?
Increased volumes of individuals?
Processing data exempt from legislation?
Disclosure to third parties not subject to comparable data protection?
New or increased technology with substantial potential for privacy intrusion?
New or re-using identifiers, intrusive identification/authentication/management processes?
New handling processes for sensitive data?
New or increased data matching?
Increased public security measures?
…do a full scale PIA.
If not, will it involve…
New/changed data quality assurance processes and standards which may be unclear/unsatisfactory?
New/changed data security arrangements which may be unclear/unsatisfactory?
New/changed data access or disclosure arrangements which may be unclear/permissive?
New/changed data retention arrangements which may be unclear/extensive?
Changing medium of disclosure making data more readily accessible than before?
…do a small scale PIA.
PIA Process Map
Preliminary work
Preparation
Documentation: conclusions & recommendations
Review and audit
Internal analysis
External consultation/information gathering
Identifying privacy risk…
Personal Information Issues
Issues around use of Identifiers
Function Creep
Centralisation of Data
Vulnerability of Individuals
Upholding Individuals’ Rights
Identifying privacy solutions…
Acceptance
Mitigation
Avoidance
Compliance
Privacy Law: HRA; PECR; Law of Confidence; Vires; Statutory obligations/restrictions/prohibitions
Data Protection: Schedule Conditions; DP Principles; Exemptions
Key Points
The PIA is a process to consider privacy risk which provides:
All-round perspective;
Understanding of acceptability;
Understanding of negative privacy impact;
Justification for privacy intrusion;
Opportunities to lessen negative impact;
Consideration of less privacy-invasive alternatives;
Evidence based decision-making.
Information Commissioner’s Office
93-95 Hanover Street
Edinburgh
EH2 1DJ
0131 301 [email protected]