In anticipation of the new legislation, a research consortium funded by the EC’s Directorate General Justice released a 213-page report this month in which it identifies the benefits of PIAs and makes recommendations for an “optimised” PIA policy and methodology. The consortium developed its recommendations following an analysis of PIA methodologies in seven countries and of 10 PIA reports, two each from Australia, Canada, New Zealand, the United Kingdom and the United States.


The report defines a privacy impact assessment as a methodology for assessing the impacts on privacy of a project, technology, service or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimize the negative impacts.


The consortium says its report represents the most complete compendium and analysis of PIA policies and practices yet compiled and published. The PIAF consortium comprises Vrije Universiteit Brussel (VUB), Trilateral Research & Consulting and Privacy International. (PIAF is the acronym for Privacy Impact Assessment Framework.) It identifies benefits to organisations, their employees, contractors, customers, citizens and regulators of using PIA. The report says PIA provides a way to detect potential privacy problems, take precautions and build tailored safeguards before, not after, a company or government agency makes heavy investments in developing a new technology or service. It helps an organisation to avoid costly or embarrassing privacy mistakes.


In the event of an unavoidable privacy risk or breach occurring, the report says a PIA can provide evidence that the organisation acted appropriately in attempting to prevent the occurrence. This can help to reduce or even eliminate any liability, negative publicity and loss of reputation. A PIA can help an organisation to gain the public’s trust and confidence that privacy has been built into the design of a project, technology or service.


According to the report, an organisation that undertakes a PIA demonstrates to its employees and contractors that it takes privacy seriously and expects them to do so, too. A PIA is a way of educating employees about privacy and making them alert to privacy problems that might damage the organisation.


Among its recommendations for an “optimised” PIA policy, the consortium includes these elements:


Consultation with stakeholders


Consultation will be most effective when the stakeholders consulted are representative of those interested in or affected by a project. If an organisation tries to “fix” a consultation by consulting only “safe” stakeholders—those that will go along with its point of view—it actually does itself a disservice, not just by making a sham of the process but also by not achieving the advantages and benefits of a consultation which is aimed at identifying risks, obtaining fresh information and finding solutions, in other words, of achieving a “win-win” result so that everyone benefits.


Recommendations and an action plan


It is not sufficient for a PIA report simply to make a set of recommendations. An action plan is needed to ensure those recommendations are implemented or, if not, to give some explanation as to why particular recommendations are not implemented. If PIA is viewed as a process, then the process should continue after preparation of the PIA report to ensure recommendations are implemented.


Publication of the PIA report


A PIA report should normally be publicly available and posted on an organisation’s website so as to increase transparency and inspire public confidence. The PIA should specify who undertook the PIA and how they can be contacted for more information.


Monitoring implementation of recommendations and third-party audits


Third-party audits, such as those performed by the Government Accountability Office (GAO) in the U.S. and by the Office of the Privacy Commissioner of Canada, have shown the utility of audits, which lead to improvements in PIA practice.


Tying PIAs to budget submissions


In Canada and the U.S., PIAs are tied to budget submissions to the Treasury Board of Canada Secretariat and to the Office of Management and Budget, respectively. The consortium recommends that Europe follow a similar practice.


A central registry of PIAs


The report recommends a central registry of PIAs as a way to create a body of knowledge so that project managers and assessors can learn from the experience of others. It is also useful for greater transparency and for simplifying the search process.


The PIAF consortium presented the report to a meeting of European data protection authorities and officials from DG Justice in Brussels earlier this month. The report is the first deliverable of the Privacy Impact Assessment Framework (PIAF) project. The project began in January 2011 and concludes in August 2012. The report can be downloaded free of charge from the PIAF project website:
