A Privacy Impact Assessment (PIA) is a process which assists organizations in identifying and minimizing the privacy risks of new projects or policies.
Contents
Overview
A Privacy Impact Assessment is a type of impact assessment conducted by an organization (typically, a government agency or corporation with access to a large amount of sensitive, private data about individuals in or flowing through its system). The organization audits its own processes and sees how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes. PIAs have been conducted by various sub-agencies of the U.S. Department of Homeland Security (DHS), and by many others.
A PIA is designed to accomplish three goals:
A privacy impact report seeks to identify and record the essential components of any proposed system containing significant amounts of personal information and to establish how the privacy risks associated with that system can be managed. A PIA will sometimes go beyond an assessment of a "system" and consider critical "downstream" effects on people who are affected in some way by the proposal.
Purpose
Since PIAs are a measure of an organization's ability to keep private information safe a PIA should be conducted whenever said organization is in possession of the personal information of employees and/or clients, this can include but is not limited to, name, age, phone numbers, emails, etc. A PIA should also be conducted in any instance in which the business or organization in question is in possession of information that is otherwise sensitive, or in cases when the security systems for private or sensitive information of organizations are undergoing changes that could lead to risk of privacy leaks.
Benefits
According to a presentation at the International Association of Privacy Professionals Congress, PIAs have the following benefits:
Implementation
Privacy Impact Assessments can be summed up in a four step process:
- Project Initiation; This step is where you define the scope of the PIA process (which varies by organization), if the project they are running is in early stages and detailed information is unknown the organization may choose to do a Preliminary PIA, and then a full PIA once it gets off the ground.
- Data Flow Analysis; This step involves mapping out the proposed business process as it regards personal information, identifying clusters of personal information, and creating a diagram of how the personal information flows through the organization as a result of the business activities in question.
- Privacy Analysis; This step requires all personnel involved with the movement of private information to complete privacy analysis questionnaires, as well as secondary check-ins on the answers to the questionnaires which require more detail, and discussion of the privacy issues and implications brought up as a result of the questionnaires.
- Privacy Impact Assessment Report; This step requires the organization to create a documented evaluation of the privacy risks and potential implications of said risks brought up by the outcomes of the previous steps, as well as a discussion of possible efforts that could be made in order to mitigate or remedy the risks.
History
In the 1970s the Technology Assessment (TA) was created by the United States Office of Technology Assessment. A TA was used to determine the societal and social repercussions of new technologies. Similarly at around this time came the Environmental Impact Assessments (EIA), a reaction to the social push from the sixties Green movements. The methodology of both of these impact assessments acted as precursors to the creation of the PIA. The Privacy Impact Statement was a much less extensive version of the PIA that came about in the late eighties. During the 1990s there became a need to measure the effectiveness of a company or organization's data security, especially with most data now being stored on computers or other electronic platforms. More extensive PIAs started to be used more frequently by corporations and governments in the mid 1990s, and now are used by organizations all around the world, and by several governments including, New Zealand, Canada, Australia, and the United States Department of Homeland Security to assess privacy risk of their systems. In addition several other countries and corporations use assessment systems similar to PIAs for data risk analysis.
USA
The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections. The assessment is a practical method of evaluating privacy in information systems and collections, and documented assurance that privacy issues have been identified and adequately addressed. The process is designed to guide SEC system owners and developers in assessing privacy during the early stages of development and throughout the systems development life cycle (SDLC), to determine how their project will affect the privacy of individuals and whether the project objectives can be met while also protecting privacy.
PIAF Project
PIAF (A Privacy Impact Assessment Framework for data protection and privacy rights) is a European Commission co-funded project that aims to encourage the EU and its Member States to adopt a progressive privacy impact assessment policy as a means of addressing needs and challenges related to privacy and to the processing of personal data.