Monday 7 October 2013

Shhhhh – I’m doing a PIA

I’ve been quiet recently. I haven’t been ill. I’ve just been working on a project for a regulator in an overseas country. Nothing to do with communications data. But plenty to do with another initiative which, by the way, is also being rolled out in the UK – and in many other countries around the world.

My current client is really keen to understand and address the data protection implications of this project, and so I’m on hand to help with what we in the know call a Privacy Impact Assessment.

How many pages should a decent Privacy Impact Assessment run to?

Here’s a clue. The PIA for the Facial Recognition Project at the Canadian Passport Office is 8 pages long. The PIA for the US Department of Homeland Security’s Advanced Passenger Information System (voluntary rail and bus submissions) was some 20 pages long.

That’s evidently what happens outside Fortress EU.

But what about PIAs inside the EU?

The ICO’s recent consultation document on a PIA Code of Practice is 55 pages long – although the model PIA template is just 5 pages long, if you include the page which asks some initial screening questions.

And then there’s a model PIA which is being developed by a group of experts within the European Commission for the project I’m currently working on. Their latest version, which I’ve offered to assess, is much more comprehensive. The first 35 pages simply set out what it is that the PIA is supposed to deliver. Then there’s a useful pre-assessment questionnaire (just 2 pages long), while the rest of the document contains the actual template, and asks a series of questions about how the project managers will address issues that may emerge from a series of generic threats, and what safeguards will be implemented to reduce the harms, or the likelihood of harms, that could be caused by these threats.

By the time you reach the end of that document (which is 75 pages long) and have completed all of the diagrams and illustrations that have been requested, you can be sure that the project will have been given a pretty thorough review. Realistically, you will probably spend a month on the PIA. You may also have lost the will to live by the time you finish it, but that’s not what this blog is about.

Once I’ve completed this task for my current client, I will know quite a bit about how to do PIAs for this particular type of programme. And, since similar programmes are being rolled out around the world, perhaps there will be some bods in a land far away who need help with filling in their own assessments. I could be their man. And I’ve got a brilliant back-up guy who will do all the relevant fixing for the project, too.
My rates are very reasonable.

So roll up, roll up, and get your privacy impact assessor here!

PS – I hear through the grapevine that if our chums in the European Commission have their way, the PIA methodology I’m currently looking at could be strongly encouraged for all PIAs, everywhere. In that case I have great news – we data protection professionals will have jobs for life. Our friends at work will have deserted us – but come on guys, if we can’t have 75-page data protection impact assessment templates in our toolbags, then what’s the point of working in the wonderful world of data protection?

I’ll be speaking on this theme at the next Amberhawk update session on October 28th. I’m reliably informed that it’s going to be one of the best update sessions that Dr Chris Pounder has compiled. There’s even going to be a drinks reception at the end to mark a rather special announcement that will be made. So, if you fancy being present on that historic occasion, you know what you ought to do.