3 October 2013

U.K. ICO Consults On New Code Of Practice

The U.K. Information Commissioner’s Office has opened a consultation on a new draft Code of Practice for conducting privacy impact assessments.

Summary and implications

The U.K. Information Commissioner's Office (the ICO) has opened a consultation on a new draft Code of Practice for conducting privacy impact assessments (the Code). The consultation documents and the draft Code are published on the ICO's website, and the consultation is open until 5 November 2013. Once finalised, the Code will replace the current ICO privacy impact assessment handbook.

The draft Code is essential reading for all data controllers (those who determine the purpose and manner of personal data processing). This is because privacy impact assessments are rapidly becoming a vital tool in any data controller's data protection compliance programme.

This importance will only increase when the new General Data Protection Regulation (the Regulation) comes into force. This is currently expected to be some time in 2016. Data protection impact assessments (as they are known in the current draft of the Regulation) will then become a mandatory legal requirement.

What are privacy impact assessments?

Privacy impact assessments (PIAs), as their name suggests, are a valuable risk management tool for identifying and managing privacy risks. Used properly, they can enable organisations to identify and manage privacy risks at an early stage of any project – reducing costs and managing any risks of reputational damage. It's no wonder then that they have been embraced so enthusiastically by both data controllers and data regulators.

The ICO states that it has chosen the expression "privacy" rather than "data protection" to reflect not only data protection but also wider privacy concerns. For public bodies, this will critically include their obligations under the Human Rights Act.

How do PIAs differ from audits?

In the Code, the ICO makes the important distinction between PIAs and data protection audits or reviews. Audits look at the effectiveness of current compliance procedures. The purpose of PIAs is to look at proposed new projects or operations and their likely impact on individuals' privacy.

Are PIAs legally required?

Conducting a PIA is not currently a legal requirement under the Data Protection Act 1998 (DPA). However, it is noticeable that the ICO is now proposing PIA guidance in the form of a statutory code of practice, rather than the current handbook. The Code is issued under section 51 of the DPA as part of the ICO's duty to promote good data protection practice.

It is clear from the Code that the ICO expects PIAs to be used by data controllers to ensure their general data protection compliance. The Code states in its first chapter, "The ICO promotes PIAs as a tool which will help organisations to comply with their DPA obligations" and this purpose is reiterated throughout. Data controllers should be aware that if they are investigated by the ICO, the ICO will likely consider whether the risk assessments set out in the Code or similar risk assessment methodologies have been undertaken.

When does the Code recommend that a PIA be conducted?

The Code recommends that a PIA should be undertaken for any project that will either involve the use of personal data or impact on the privacy of individuals.

The Code gives the following examples:

  • a new IT system for storing and accessing personal data;
  • a data sharing initiative where two or more organisations pool or link personal data;
  • a new policy that will identify people in a particular group or demographic and initiate a course of action; or
  • using existing data for a new and unexpected or more intrusive purpose.

How to conduct a PIA

The Code identifies the following steps that an organisation should take to conduct a PIA:

  • identifying the need for a PIA;
  • describing the information flows;
  • identifying the privacy risks;
  • identifying privacy solutions;
  • signing off and recording of PIA outcomes;
  • integrating the outcomes into the project plan; and
  • consulting with internal and external stakeholders as needed throughout the process.

The Code is an improvement on the handbook in that it provides both practical guidance and PIA templates for organisations to use. Arguably, some of the most useful of these templates are the example PIA screening questions to scope the privacy risks. It should be stressed that these and the other templates should be customised for each organisation and each project – but they are a highly useful starting point. Many data controllers will already perform similar risk assessments as part of their project management methodologies.

Assessment and suggested areas for improvement

Overall, the draft Code is an improvement on the handbook and offers highly useful and practical guidance on privacy risk assessment and management. As such, it is to be warmly welcomed.

However, the most obvious point to make is that the Code is very long. This has been a concern with other recent codes of practice issued by the ICO. Similarly, the PIA templates could also usefully be shortened. It is to be hoped that the Code will be streamlined before it is finally released.

A further practical complication is that the Code refers to other codes of practice (such as the Codes of Practice on Anonymisation and Data Sharing). Data controllers should be aware that they will probably need to handhold their project managers with interpreting this Code and its relationship with other Codes of Practice and the DPA.

On the content side, we expect that some organisations may have reservations about the proposed stakeholder consultation step. Whilst consultation will be appropriate for some projects, it will add little to others, and we consider that data controllers themselves are best placed to assess whether, and to what extent, stakeholder consultation is required. However, all in all, we see the Code as a valuable tool, both for business and for legal risk management.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
