Tuesday 10 September 2013

Hooray for the ICO’s new PIA

Life as an international data protection consultant can have its drawbacks. 3.30am starts, queues at the airports, and working out how to pay the charge as the hire car drives through yet another automatic toll barrier. 

But it also has its benefits. Hotel meals, meeting people for the first time, and (yes, even) explaining to new colleagues that, at least in the UK, the ICO has given some thought to the issue at hand and has published some helpful guidance on its website which can lovingly be copied and used, as it is (mostly) in line with that country’s data protection rules, too.

As I go about my business, I sense that what people are still generally after is practical guidance on how to comply with the basic data protection rules. 

My international work has recently focussed on how to craft Privacy Impact Assessments. To that end, I’m immensely grateful for some new stuff that’s on the ICO’s website. A draft Code of Practice is currently under consultation, and I’m pretty impressed with what I read.

The previous guidance was, putting it politely, not an easy read.  Much was written by academics who, while no doubt absolutely brilliant in their own worlds, found it hard to craft a text which connected to people who lacked lofty educational achievements.

The new guidance is much easier to read. Perhaps the Plain English Campaign has already reviewed it.  I’m a great supporter of the Plain English Campaign.  I met the campaign’s founder, Chrissie Maher in the early 1990s, when working for the Association of British Insurers. I was involved in a project which offered guidance to insurance companies on what was required of them following the implementation of the Unfair Contract Terms Regulations 1989. (Linked with that project, I also remember speaking at a number of events where an official from the Office of Fair Trading was speaking, explaining to the audience what the OFT’s views were. That official was Richard Thomas. But that’s another story.)

Anyway, back to the plot.

The new draft Code from the ICO also commends a much easier way to complete a PIA – which can only be good news to those of us who do them. Perhaps more thought has been given to the type of people who are currently Data Protection Officers. Not all are qualified solicitors, or even graduates. Many are people whose education was completed at an earlier stage, and so it is all the more important that the ICO commends a process that can be understood – and followed – by someone who lacks professional data protection qualifications.

I’ve been trying it out in foreign parts. I’ve tweaked it slightly, but for me, it works. I’ll be explaining to the ICO how I’ve tweaked it when I respond to their consultation – the deadline for comments is 5 November – but meanwhile I do encourage people to try it out and to see if it works for them.

The Trilateral research and consulting group recently published some authoritative work on PIAs, including a 523-page book that can be bought (soft cover version £35.99) and a 267-page research report that is available from the ICO’s website and can be downloaded for free. The key finding is how few PIAs have actually been carried out.

Hopefully, the ICO’s simpler methodology for crafting one will be more eagerly adopted by us data protection professionals, and more PIAs will find their way into the public domain.