By Shannon S. Ballard, CIPP, CIPP/G, and Lauren Saadat, CIPP, CIPP/G
Australia, Canada, New Zealand, the United Kingdom, and the United States recently concluded an information-sharing agreement under the auspices of the Five Country Conference (FCC) to support visa, immigration, and/or admissibility determinations between countries. The agreement commits all members to uphold high standards in the protection of privacy and personal data. The Privacy Impact Assessment (PIA) is a useful tool to meet this commitment. The Department of Homeland Security’s US-VISIT program will issue a PIA to fulfill its privacy obligations under the agreement. The PIA will be available on the DHS Privacy Office Web site (www.dhs.gov/privacy).
The PIA provides transparency to the traveling public about the intended use of their personal information and how it will be shared. This is consistent with establishing public trust in cross-border information-sharing programs. There is a broader movement within the international privacy community towards conducting PIAs on programs that contain personal information. For the U.S., under the E-Government Act of 2002, PIAs are required for all federal government agencies on all new or substantially changed technology that collects, maintains, or disseminates personally identifiable information. The DHS Privacy Office Web site includes published guidance on conducting effective PIAs.
To increase accountability and transparency, more governments are moving toward using PIAs. Australia, Canada, and New Zealand have policies encouraging the use of PIAs, however not all PIAs are publicly available. In June 2008, the UK Cabinet Office mandated the use of PIAs for government Information and Communications Technology (ICT) projects that impact individuals’ privacy. The PIAs must occur before the development of new or alteration of existing IT systems. A recent French Senate Information Report about privacy and data protection also noted this movement. The report (at www.senat.fr/rap/ r08-441/r08-441.html) complimented the extent of data protection in the United States and noted that the U.S. is, in some ways, more advanced than Europe in terms of data protection, particularly regarding transparency about potential security vulnerabilities, such as the loss, theft, or alteration of data.