IP & Technology

The UK Information Commissioner (ICO) has published an updated version of its code of practice on privacy impact assessments. The Code is vital reading for all organisations (large and small) that deal with personal data.

What are Privacy Impact Assessments?

Privacy impact assessments (PIAs) are used to assist organisations that deal with personal data assess the privacy issues arising out of a proposed project – for example, the proposed use of personal information in a new way, or the adoption of a new process or procedure that might impact on the way in which personal information is collected or used.

A PIA can assist an organisation in its compliance with its obligations under the Data Protection Act 1998 (DPA), by helping the organisation to ensure that the processing is justified, that it is proportionate and not excessive, and that the data controller has put in place appropriate security measures to protect the personal data concerned.

The use of PIAs can also be helpful in enabling organisations to adopt a “privacy by design” approach, as advocated by the proposed new data protection regulation.

PIAs and enforcement action

In recent times, the ICO has emphasised the importance of the PIA process. In particular, when taking enforcement action against data controllers the ICO has frequently pointed to the lack of a PIA as a reason for taking a particular course of action (for example, enforce orders or issuing a fine).

The ICO’s enforcement notice in last year’s Royston “Ring of Steel” case in connection with the use of automatic number plate recognition (ANPR) cameras is a good example of this.

Put simply, if a data controller has failed to carry out a PIA, then it makes it much harder for the data controller to subsequently justify its course of action in the event that a question arises over the data controller’s compliance with the DPA.

In the Royston case, the data controller (Hertfordshire Police) the ICO concluded that the data controller could not show that its use of ANPR cameras was proportionate and justified solution to the problem it was seeking to address as no privacy impact assessment had been carried out prior to their introduction.

Conducting PIAs

The updated Code states that PIAs should be built into each data controller’s project management processes. The updated Code emphasises that PIAs are relevant to all organisations – from small app developers through to international businesses.

The Code helps organisations assess when a PIA is required and then work through the privacy issues.

The PIA process adopted by organisations should comprise a number of steps:

  • Identify the need for a PIA
  • Describe the information flows
  • Identify the privacy and related risks
  • Identify and evaluate privacy solutions
  • Sign off and record the PIA outcomes
  • Integrate the PIA outcomes back into the project plan

In addition to providing a framework and guidance, the Code also includes a template PIA.

Accessing the Code

You can access the code on the ICO’s website by following this link (PDF).

Follow me

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.
Follow me