The Value in Conducting a Privacy Impact Assessment Rachael Gallagher Senior Policy Officer 2 December 2014

Dec 22, 2015


Britney Palmer
Transcript
Page 1:

The Value in Conducting a Privacy Impact Assessment

Rachael Gallagher, Senior Policy Officer

2 December 2014

Page 2:

Introduction

• What is a PIA?

• What is Privacy?

• What are the benefits?

• What types of projects?

• Who should be responsible?

Page 3:

Code of Practice

Privacy by design

From Handbook to Code of Practice

Page 4:

The PIA process

Page 5:

Consultation

Internal stakeholders

• Project board
• Engineers, developers
• IT
• Procurement
• Suppliers / data processors
• Comms team
• Frontline staff
• Corporate Governance
• Senior management

External stakeholders

• End users
• Data subjects
• Representative groups
• Interest groups
• General public
• Regulators

Page 6:

The PIA process

• Establish objectives, outcomes and outputs early
• Screening questions
• Management support

1. Identify need for a PIA

Page 7:

The PIA process

• Types of personal data
• Use of those data
• Information asset register
• Data controller?

2. Describe information flows

Page 8:

The PIA process

• Risk management tools/methodology
• ICO guidance
• Other standards and guidance
• Types of risk
  – Individuals
  – Compliance
  – Corporate

3. Identify privacy risks

Page 9:

The PIA process

• Accept
• Reduce
• Eliminate

4. Identify privacy solutions

Page 10:

The PIA process

• Document status of each risk
• Determine solutions
• Record reasons
• Sign-off
• Publication

5. Record PIA outcomes, and sign-off

Page 11:

The PIA process

• Recommendations integrated into project plan
• Review PIA at key stages
• Final evaluations

6. Integrate PIA outcomes into project plan

Page 12:

Conclusions

• Way of complying with data protection obligations

• Method of Good Practice

• Can reduce costs

• Publish where appropriate

• Promotes trust

Page 13:

www.twitter.com/iconews

Keep in touch

Information Commissioner’s Office

3rd Floor, 14 Cromac Place,

Gasworks, Belfast BT7 2JB.

Tel: 028 90278757 / 0303 123 1114 Email: [email protected]

Subscribe to our e-newsletter at www.ico.org.uk

or find us on…