The Search for Balance: The Past, Present and Future of Privacy Impact Assessments

Roger Clarke
Xamax Consultancy Pty Ltd, Canberra
Visiting Professor, Unis. of Hong Kong and U.N.S.W.
Visiting Fellow, Dept of Computer Science, ANU

http://www.anu.edu.au/people/Roger.Clarke/... .../DV/PIAPPF {.html, .ppt}

Queens University, Kingston ON, 9 June 2004

Copyright, 1997-2004

Mar 26, 2015



The Past, Present and Future of PIAs

Agenda

1. Where They Came From
2. What They Are
3. Why PIAs?
4. Can They Counter the PITs?


Technology Assessment

• European movement
• US OTA, 1972-1995
• Technologists and Technocrats are too close
• Social Scientists are too far away: ‘Don’t regulate what you don’t understand’
• Cross-over Individuals
• Multi-Disciplinary Teams


Environmental Impact Statements (EIS)

• The ‘green movements’ of the 1960s
• For major projects since the 1970s
• Costly and slow
• One-sided, manipulated, closed, unauditable
• Public cynicism
• Public reactions, sometimes fatal to projects
• Limited by jurisdictional boundaries


Environmental Impact Assessment (EIA)

“the identification of future consequences of a current or proposed action”

• To address the cynicism
• Public consultation, publication, review
• Process as well as product
• Limited by jurisdictional boundaries


Social Impact Statements

Berkeley Gazette, 31 Oct 1974:

" ... the Council approved a proposed ordinance to require a ‘social impact statement’ prior to implementation of any new or expanded city automated personal data systems"

Motion by Cr Loni Hancock on the suggestion of Lance Hoffman


Social Impact Assessment (SIA?)

an outgrowth of EIA which “focuses on the impact of development proposals on people, ... including potential changes to population, lifestyle, cultural traditions, community dynamics, and quality of life and well being”

e.g. U.N. Economics & Trade Program, focussed on developing countries

e.g. literature for the developed world?


Privacy Impact Statements – 1 of 2

HEW (1973) "Each time a new personal data system is proposed (or expansion of an existing system is contemplated) those responsible for the activity the system will serve, as well as those specifically charged with designing and implementing the system, should answer such questions as ..."

i.e. the concept, but not the term ...


Privacy Impact Statements – 2 of 2

Flaherty (1989) "The data protection agency can ... [prepare] its own evaluations of the potential impact on personal privacy of proposed legislation and information systems. ... “It is important that small data protection agencies encourage the main government departments to prepare their own initial reviews of the impact of new technology, preferably in the form of 'privacy impact statements' ..."


Privacy Policy Statements / Notices

• Privacy Notice mania on the Web
  cf. ‘safe harbor’, i.e. image not substance
• Remarkable absence of guidelines
• Canadian PC’er says:
  • Inform customers, clients and employees that you have policies and practices for the management of personal information
  • Make these policies and practices understandable and easily available


Privacy Impact Assessment

‘Data Matching Program Protocol’ – Australia, 1990

The following is to be filed with the Privacy Comm’er and (generally) made available for public inspection:

• identities of agencies
• legal basis for the program
• program objectives
• alternative approaches and why rejected
• details of any cost/benefit analysis undertaken
• outline of technical controls for data quality, integrity and security in the conduct of the program
• use of identification numbers
• the nature of actions resulting from the program


Privacy Impact Assessment

• The term was used in publications in 1993-94 by the Privacy Comm’ers of Ontario and BC (Ann Cavoukian and David Flaherty)
• Discussion session and publications in 1996 by NZ Dep. Privacy Comm’er (Blair Stewart)
• Exemplars of PIA Reports from 1995 onwards
• Guidelines published from 1994 onwards (one obscure guide even from 1991)
• Many limitations inherent in many Guidelines


Privacy Impact Assessment

A process that surfaces and examines potential impacts and implications of privacy-invasive proposals


Objectives of the PIA Process

• Clearly define:
  • business needs
  • stakeholder groups
  • privacy impacts and implications
• Enable understanding and assessment of the proposal
• Enable mutual understanding of stakeholder perspectives
• Ensure reflection of stakeholder perspectives in the outcomes
• Enable:
  • maximisation of positive impacts
  • avoidance or amelioration of negative impacts
• Maximise the likelihood of stakeholder support
• Avoid new requirements emerging late
• Earn public confidence
• Raise awareness, educate
• Anticipate and avoid misinformation campaigns


Alternative Assessment Perspectives

• The Sponsor
• The Sponsors
• Strategic Partners
• Service and Technology Providers
• Users – and Usees / Clients / Regulatees
• People
• Business Enterprises and Associations
• Govt agencies at varying levels of govt
• The Society / Economy / Polity


Methods to Support Assessment

Sponsor Perspective Only

Capital Investment Project Evaluation
• Discounted Cash Flows, Payback Period, NPV
• Assumes that all variables are measured in financial terms
• Deterministic, but can do Sensitivity Analysis

Business Case Analysis
• Supports fin’l, quantitative, and qualitative measures

Multi-Perspective

Cost / Benefit Analysis (CBA)
• Fin’l, quant, qual measures
• Less precise, partly qualitative
• Recognises Opportunity Costs
• Sensitivity Analysis

Cost / Benefit / Risk Analysis (COBRA)
• CBA +
• Focuses on key uncertainties
• Search for countermeasures


Elements of the PIA Process

• Surfacing and Examination of the privacy impacts and implications of a proposal
• Development of a clear understanding of the Business Need that justifies the proposal and its negative impacts
• Gauging of the Acceptability of the proposal and its features by organisations and people that will be affected by it
• Assessment of Compliance of the proposal with existing privacy-related laws, codes, best practices and guidelines
• Constructive Search for, and Evaluation of, better Alternatives
• Constructive Search for ways to Avoid Negative Impacts, and ways to Ameliorate Unavoidable Negative Impacts
• Documentation and Publication of the Outcomes


Who To Consult With?

• Citizens / Consumers / Users / Usees
  The people actually affected by the proposal
• Representatives
  Understand and can express the concerns of people within a particular population segment
• Public Interest Advocates
  Understand the technology, processes and issues

Different approaches are necessary


Consultations with People

• Most people can’t cope with abstractions, and need concrete experiences
• So prime discussions with mockups, prototypes
• Use Focus Group technique:
  • diverse group of 6-12 people, preferably without prior knowledge of one another
  • typically for 1.5 to 2.5 hours
  • a Moderator ‘focuses’ discussion on a topic, but allows it to range across many aspects


Consultations with Reps and Advocates

• Stakeholder Analysis and Segmentation
• Search for Representatives and Advocates
• Invitation to Participate
• Background Paper
• Consultation Workshop
• Assimilation of information provided into:
  • the Scheme Design
  • a PIA report
• Feedback


Contents of a P.I.A. Report

• Description of the Proposal and its Applications
• Analysis of Privacy Concerns
• Summary of Laws, Codes, Best Practices and Guidelines, and Application to the Proposal
• Evaluation, and Justification for the Privacy Impacts
• Analysis of Public Acceptability
• Analysis of Measures to Avoid & Ameliorate Privacy Impacts
• Appendices:
  • References to Laws, Codes, Best Practices and Guidelines
  • Summary of the Consultative Processes
  • Organisations and Individuals Consulted
  • The Background Information Provided


Key Features of a PIA – 1 of 2

• More Process Than Product
• Not just an audit of compliance with existing laws
• Requires active involvement of all relevant parties, and incorporation of ideas into the emergent design (inclusive and participative, or at least consultative)
• Proxies need to be engaged, in order to:
  • gauge the acceptability of various features
  • constructively search for alternatives
  • constructively search for ways in which negative impacts can be avoided, or at least ameliorated
  • gain commitment


Key Features of a PIA – 2 of 2

• Is performed by the proposal’s sponsor
  • not by a privacy regulatory agency
  • not fully delegated to a consultant or contractor

• Commences early, to maximise involvement, avoid suspicion, and minimise re-work costs

• Involves multiple phases, such that shared understanding increases, and with it commitment

• Reduces the likelihood of later public opposition and misinformation campaigns, and, even if they are conducted, reduces their credibility


Advocate Motivations

• Powerful parties
  • through ignorance, impose schemes that unnecessarily compromise privacy
  • demand that privacy be compromised, but that the interests of the powerful parties not be compromised
• Advocates want:
  • informed design which avoids invasiveness where it’s practicable
  • compromise among all interests


Sponsor Motivations

• Social Responsibility
  • For-Profits cf. Not-For-Profits cf. Govt Agencies
• Business Needs
  • Return on Investment
  • Task Transfer / Cost Transfer / Enhanced Svce
  • User Adoption / Acceptance
  • Other-Stakeholder Acceptance
• Business Not-Needs
  • User Opposition
  • Other-Stakeholder Opposition
  • Bad Press, Embarrassed Ministers


Public Policy Factors

• Service Quality
• Service Accessibility
• Service Equity
• Imposition of Effort and Cost
• Imposition of Risks
• Freedom of Information
• Public Safety, OH&S
• Privacy
• ...


Equity – Bases for Discrimination

• Physical Handicaps
  sight, mobility, or capacity to use a keyboard or mouse
• Mental Handicaps
  inability to remember username/password pair, or carry a token
• Educational Handicaps
  lack of understanding of prompts, or what to do with a token
• Lingual Handicaps
  insufficient local language to understand instructions
• Location
  in an institution, in a remote area, in a rural or regional area with outdated infrastructure or inadequate bandwidth, ex-country
• Lifestyle – traditional, seasonal worker, itinerant, ‘street kid’


Why PIAs ?

• It may be a Legal Requirement
• Public Policy may dictate that it be done
• Stakeholder groups may have sufficient power to force it
• Project Risk may be reduced
• Investment Risk may be reduced
• Adoption may be enhanced
• The proposal’s quality may be enhanced


Limitations of PIAs

• ‘Pseudo-Imperatives’
  • Technology
  • Marketing
  • Economic / Cost-Reduction
  • Security
  • ...
• Imbalance of Power
  But Internet-Era Social Activism
• Jurisdictional Limitations in a time of Globalisation