Monday, 29 June 2015

Top tips for preparing PIAs

I’ve recently had one of my PIAs placed on the public record in Ireland, so I’m free to speak more generally about it. The assessment was on a programme the Irish Government hopes to implement – shortly, all postal addresses in Ireland are to be given a unique postcode.  This gave me the opportunity to assess how the programme addressed the particular challenges of Irish data protection legislation.

In a nutshell, I recommended that the Irish law be changed to reflect the obligations that would be imposed on organisations that processed Eircodes. This recommendation was accepted, and legislation is currently making its way through the Irish Parliament. It has completed its stages in the lower chamber and is now before the upper chamber.

As the Minister reported to Parliament:

“The final significant element of the project is the enactment of this legislation. It will ensure members of the public can have absolute confidence in regard to data protection. The primary purpose of this legislation is to enshrine the highest levels of data protection within the postcode system. It also provides the clearest possible reassurance that all personal data will remain secure. My Department has consistently taken a strong line on data protection in the design, implementation and operation of the project. The contract we have with Capita reflects this approach. As Minister, I have decided that this approach must be confirmed in primary legislation to ensure the greatest level of protection for citizens. My Department has had ongoing engagement with the Data Protection Commissioner.

My Department has also completed and published a comprehensive privacy impact assessment even though it is not a statutory requirement. The purpose of the privacy impact assessment is to ensure any potential privacy impact on individuals as a result of the introduction of Eircode postcodes is recognised and addressed. The assessment has concluded that the introduction of Eircode postcodes is unlikely to have any significant adverse effect on the right to privacy. All the recommendations contained in the assessment have been incorporated into this Bill. The Bill represents a sensible and pragmatic approach to data protection as it relates to postcodes. It sets out the high level principles underpinning a protective framework and strikes a balance between ensuring the commercial viability of postcodes while at the same time underpinning data protection.”

As the (36 page) executive summary of the PIA is now available, I thought it might be useful to share some thoughts with fellow practitioners who are charged with the requirement to write PIAs.

1.     Who is your audience?
a.     If the data controller is a public authority, the language used in the report should not be too technical, as Freedom of Information provisions mean that it may be made available to members of the public, and they would expect to understand it.
                                               i.     Consider incorporating in the report an annex that explains the project in non-technical language.
                                              ii.     Consider incorporating in the report an annex that defines technical terms and acronyms in plain language.
                                             iii.     Be careful when listing in an annex, the names/ job titles of individuals who were consulted as the assessment was being written – these individuals have privacy rights, too, and the more junior employees may not expect to be publicly identified with the project.
                                            iv.     Take care to ensure that the language used in describing the potential privacy risks is written in ways that make it difficult for other parties to use extracts from the PIA out of context.
b.     If the data controller is not subject to Freedom of Information provisions, the language used should still be sufficiently clear that senior managers can understand the process that was followed to reach the conclusions and recommendations in the assessment. The author can be more frank in their assessment of the project if it is clear that the document is for internal purposes only.

2.     Who should be consulted?
a.     If the data controller is a public authority, there may be a greater need to ensure, if citizens rather than employees are to be impacted by the project that is under assessment, that the concerns of citizens are properly taken into account. This is also to ensure that the project under assessment not only meets the legal conditions that are set out in the data protection legislation, but also that from a more general fundamental rights perspective, the project is likely to be socially acceptable in that it meets the legitimate expectations of the community.
b.     If the data controller is a not a public authority, there is less of an obligation to consult customers or potential customers.

3.     What role should project managers play in carrying out effective assessments?
The role of project managers is to provide factual information to the assessor. It should not be assumed that these managers have a significant amount of privacy experience. Accordingly, the task of analyising the facts from the perspective of compliance with privacy obligations and data protection legislation should be left to suitably qualified and experienced privacy professionals.

4.     How frequently should the PIA be revised?
a.     PIAs can be viewed as snapshots that are taken at a particular stage of the project. If the assessment is carried out at an early stage in the project, it is possible that quite a wide range of issues which need to be addressed will be highlighted. As the project matures, many of these issues ought to be resolved, so a PIA review mid-way through the project is useful to ensure that not only have existing risks been addressed, but that no new issues have emerged.  If new issues do emerge, these should be captured in subsequent versions of the assessment.

5.     What summaries of the PIA should be prepared?
The Article 29 Working Party has recommended that Privacy Impact Assessments should include a section to demonstrate more generally compliance with the privacy targets. Since the privacy targets are mandatory and not negotiable, assessments should describe how each target is being implemented, or explain why it has not been implemented.

Accordingly, it is useful to consider incorporate a one or two page table summarizing the issue.