Privacy Impact Assessments

In 2008 the government’s Data Handling Review mandated Privacy Impact Assessments (PIAs) for systems that handle personal data, bringing government practice into line with best practice in industry.

The Information Commissioner’s Office (ICO) process for a PIA comprises five stages: preliminary, preparatory, consultation and analysis, documentation, review and audit. However, the process recognises that projects may need their own approach to address their needs, and in fact, the ICO does not prescribe a specific template for the PIA.

The ICO also recognises that a full PIA might not be appropriate for every project, and that there is value in performing a brief check to confirm whether the project needs a PIA at all. This is achieved through a Screening Process: a series of questions intended to identify whether a PIA is required. If the Screening Process indicates the need for a PIA, it can take the form of a Small-Scale PIA or a Full-Scale PIA. The Small-Scale PIA is less formalised, involves less investment, calls for less exhaustive analysis and information gathering, and is more likely to be focussed on specific aspects of the project rather than the project as a whole.

ECA’s team has built upon the ICO approach to create a best-of-breed PIA approach that rigorously analyses potential privacy-related threats from the perspective of the data subject, and ECA’s associates are accustomed to working with stakeholder groups to ensure that your PIA fully investigates their privacy needs: in other words, to ensure that your system is ‘fit for purpose’ from a privacy perspective.