I’ve recently had one of my PIAs placed on the public record in Ireland, so I’m free to speak more generally about it. The assessment was on a programme the Irish Government hopes to implement shortly: all postal addresses in Ireland are to be given a unique postcode. This gave me the opportunity to assess how the programme addressed the particular challenges of Irish data protection legislation.
In a nutshell, I recommended that the Irish law be changed to reflect the obligations that would be imposed on organisations that processed Eircodes. This recommendation was accepted, and legislation is currently making its way through the Irish Parliament. It has completed its stages in the lower chamber and is now before the upper chamber.
As the Minister reported to Parliament:
“The final significant element of the project is the enactment of this legislation. It will ensure members of the public can have absolute confidence in regard to data protection. The primary purpose of this legislation is to enshrine the highest levels of data protection within the postcode system. It also provides the clearest possible reassurance that all personal data will remain secure. My Department has consistently taken a strong line on data protection in the design, implementation and operation of the project. The contract we have with Capita reflects this approach. As Minister, I have decided that this approach must be confirmed in primary legislation to ensure the greatest level of protection for citizens. My Department has had ongoing engagement with the Data Protection Commissioner.

My Department has also completed and published a comprehensive privacy impact assessment even though it is not a statutory requirement. The purpose of the privacy impact assessment is to ensure any potential privacy impact on individuals as a result of the introduction of Eircode postcodes is recognised and addressed. The assessment has concluded that the introduction of Eircode postcodes is unlikely to have any significant adverse effect on the right to privacy. All the recommendations contained in the assessment have been incorporated into this Bill. The Bill represents a sensible and pragmatic approach to data protection as it relates to postcodes. It sets out the high level principles underpinning a protective framework and strikes a balance between ensuring the commercial viability of postcodes while at the same time underpinning data protection.”
As the (36-page) executive summary of the PIA is now available, I thought it might be useful to share some thoughts with fellow practitioners who are charged with the requirement to write PIAs.
1. Who is your audience?

a. If the data controller is a public authority, the language used in the report should not be too technical: Freedom of Information provisions mean that it may be made available to members of the public, who would expect to understand it.

i. Consider incorporating in the report an annex that explains the project in non-technical language.

ii. Consider incorporating in the report an annex that defines technical terms and acronyms in plain language.

iii. Be careful when listing, in an annex, the names and job titles of the individuals who were consulted as the assessment was being written. These individuals have privacy rights too, and more junior employees may not expect to be publicly identified with the project.

iv. Take care that the language used to describe the potential privacy risks makes it difficult for other parties to quote extracts from the PIA out of context.

b. If the data controller is not subject to Freedom of Information provisions, the language used should still be clear enough that senior managers can follow the process by which the assessment reached its conclusions and recommendations. The author can be more frank in assessing the project if it is clear that the document is for internal purposes only.
2. Who should be consulted?

a. If the data controller is a public authority, and it is citizens rather than employees who will be affected by the project under assessment, there is a greater need to ensure that the concerns of citizens are properly taken into account. This is to ensure not only that the project meets the legal conditions set out in data protection legislation, but also that, from a more general fundamental rights perspective, it is likely to be socially acceptable in that it meets the legitimate expectations of the community.

b. If the data controller is not a public authority, there is less of an obligation to consult customers or potential customers.
3. What role should project managers play in carrying out effective assessments?

The role of project managers is to provide factual information to the assessor. It should not be assumed that these managers have significant privacy experience. Accordingly, the task of analysing the facts from the perspective of compliance with privacy obligations and data protection legislation should be left to suitably qualified and experienced privacy professionals.
4. How frequently should the PIA be revised?

a. PIAs can be viewed as snapshots taken at a particular stage of the project. If the assessment is carried out at an early stage, it is likely to highlight quite a wide range of issues that need to be addressed. As the project matures, many of these issues ought to be resolved, so a PIA review mid-way through the project is useful to confirm not only that the existing risks have been addressed but also that no new issues have emerged. If new issues do emerge, they should be captured in subsequent versions of the assessment.
5. What summaries of the PIA should be prepared?

The Article 29 Working Party has recommended that Privacy Impact Assessments include a section that demonstrates, more generally, compliance with the privacy targets. Since the privacy targets are mandatory and not negotiable, the assessment should describe how each target is being implemented, or explain why it has not been implemented. Accordingly, it is useful to consider incorporating a one- or two-page table summarising, target by target, how each has been addressed.
Sources:
http://www.eircode.ie
http://oireachtasdebates.oireachtas.ie/debates%20authoring/debateswebpack.nsf/takes/seanad2015062500002?opendocument#R00100
http://www.dcenr.gov.ie/NR/rdonlyres/7F434454-9CCB-4D0C-A04C-5E265C0B5DE6/0/PIAExecutiveSummary.pdf
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp209_en.pdf