
Stewart, Blair --- "Privacy impact assessment towards a better informed process for evaluating privacy issues arising from new technologies" [1999] PrivLawPRpr 8; (1999) 5(8) Privacy Law & Policy Reporter 147

Privacy impact assessment towards a better informed process for evaluating privacy issues arising from new technologies

Blair Stewart

What is privacy impact assessment?

Privacy impact assessment (PIA) has been mentioned in the privacy literature from the 1980s and implemented in jurisdictions from the early 1990s. In the absence of any internationally recognised definition I have previously suggested two alternative definitions:

  1. PIA is a process whereby a conscious and systematic effort is made to assess the privacy impacts of options that may be open in regard to a proposal.
  2. PIA is an assessment of any actual or potential effects that the activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated.[1]

PIA may be desirable to assess risks:

  • arising from a new technology or the convergence of existing technologies (for instance, electronic road pricing, caller ID, smart cards);
  • where a known privacy intrusive technology is to be used in new circumstances (for instance, expanding data matching or drug testing, installation of video surveillance cameras in further public places);
  • in a major endeavour or change in practice having significant privacy effects (for instance, a proposal to merge major public registries into a ‘super registry’, to adopt a national ID card, to relax controls on telephone tapping or to extend powers of search of premises or persons); and
  • to develop strategies for minimising those risks.

Whether PIA concerns a major national initiative or a small endeavour of a single department or company, there are certain common elements that need to be addressed in deciding the PIA process to follow. The following should be considered:

  1. PIA should be systematic: A plan should be established as to the steps to be followed, questions to be answered and options to be examined before work is too far advanced. Defining the problem will usually precede study or research, examination of the alternatives, and then rendering of conclusions and recommendations. Typically, PIA may lead to the production of a document called a privacy impact report.
  2. PIA should use competent expertise: A variety of skills are required which one individual may not possess, and so a lead agency co-ordinator may draw on the skills of others. The co-ordinator may be a generalist. Experts hired for the process should not move into areas with which they are not familiar. It would, for example, generally make little sense to have an external lawyer opining on technical issues or a technologist explaining the law.
  3. PIA should have independent and public aspects: Some degree of independence should be built into the process. The person undertaking the PIA should not be so closely identified with a particular proposal as to put into question their objectivity. For some initiatives, an outsider such as a privacy consultant could be utilised. In others, a staff member from another section of the organisation might co-ordinate the PIA. A public phase of PIA can be linked to the question of independence. At the very least, the privacy impact report should be released after its completion.[2] In some cases, public consultation should be incorporated.
  4. PIA to be used in decision-making: PIA needs to be integrated into decision-making processes. For a government proposal, PIA might be integrated into departmental decision-making and appropriate cabinet processes. At a local government level the council itself may have the privacy impact report set before it. In the private sector an appropriate approach may need to be crafted on a case by case basis. The important thing is that PIA not be divorced from decision-making processes.

PIA may be distinguished from a privacy compliance audit. A compliance audit involves an attempt to find out where an agency currently stands in relation to compliance with the law and to identify steps to avoid non-compliance with the law in the future. While there are similarities between PIA and privacy compliance audits, since they use some of the same skills and seek to avoid privacy problems, compliance audits are primarily directed towards meeting the requirements of the law, whereas PIA should go much further to identify optimum privacy options and solutions.

What are the advantages of privacy impact assessment?

Systematic and appropriate PIA offers significant benefits for the protection of privacy. However, PIA will only bring the full benefits when the process is undertaken on a competent and credible basis. This involves a systematic process carried out by competent people, independent from those driving the proposal, whose ultimate report is used in decision-making and made public. The process can be worse than useless if undertaken by incompetent people. It may be irrelevant if it has no bearing on decision-making. It is open to manipulation if undertaken by the people driving the proposal unless there is a rigorous check upon its findings. If the resultant privacy impact reports are not made public the process will fail to achieve its full potential.

Disappointingly, I have seen PIA:

  • being hurriedly undertaken for a major public initiative just weeks out from the critical decision being taken and while omitting a detailed study phase;
  • driven by an agency committed to a particular option with the resultant report slanting coverage of the issues and including a number of unsubstantiated assertions in favour of the proposal;
  • focusing almost exclusively on legal issues without specialist analysis of important technical risks;
  • attempted by a part-time committee without the time to bring its work to a conclusion while, in tandem, decisions on the project were being taken in reliance upon incomplete versions of the PIA documentation.

It is not surprising that PIA is sometimes poorly undertaken. In the absence of appropriate in-house or consultant privacy or data protection expertise, many agencies turn to professional advisers such as lawyers and accountants with mixed degrees of success. Others try a ‘do it yourself’ approach and place the task with a staff member or subcommittee. Often the results are creditable but they naturally suffer from lack of expertise and available time, and from a close identification with the agency’s proposal.

One of the principal objectives of PIA is to sheet responsibility for privacy impacts back to the agencies undertaking new projects. Many other means of tackling privacy issues, such as having an external body establish a set of rules, guidelines or prohibitions, may encourage agencies to simply comply with the letter of the law. With significant new applications of technologies it is desirable that agencies take a greater degree of responsibility. PIA, in this sense, fits neatly with initiatives to encourage adoption of Privacy Enhancing Technologies (PETs). While the law does not oblige agencies to adopt PETs, it is desirable that they consider doing so. PIA will help agencies to identify the use of PETs as an option and to consider the risks, costs and benefits of doing so compared with other technology.

Privacy and data protection commissioners have a central role in respect of the protection of privacy. However, they invariably have small budgets and few staff. It is absurd to expect that commissioners can assess all the various technological initiatives likely to impact upon citizens’ privacy in the coming years. The responsibility must be shared. PIA helps to do this, with commissioners critiquing or auditing the resultant privacy impact reports. They might use a privacy impact report if subsequently undertaking a compliance audit.

A significant benefit of PIA is the public availability of information on the projected effects of a proposal. Once the privacy impact report is made public it allows interested persons to seek to influence the proposal through contacting the relevant agency or through democratic processes. In many cases, a privacy impact report will allay public concern by giving them the information and reassurance that they need. The reports will also be of assistance in other endeavours which propose to use the same technology or a variant upon it. In later years, the public document may also be used to re-evaluate the proposal and ensure that it remains within the original guidelines intended to protect privacy.

PIA is not a substitute for the legal protection of privacy and the granting to individuals of enforceable entitlements. The process fits with whatever legal regime a jurisdiction has. If there is a data protection or privacy law in place PIA will help ensure that individual entitlements are not undermined, that agencies are assisted in complying with the law, and that regulatory agencies have information upon which to base decisions.

If concern for individual privacy is not sufficient to motivate agencies, many will still be concerned about their reputation and the reaction of consumers to privacy-invasive endeavours. There are examples of commercial applications of technologies, such as caller ID or electronic look-up services, meeting angry consumer resistance because of a lack of respect for privacy. In a number of such cases there were equally effective applications in the technology which appropriately respected privacy. One commentator has dubbed PIA as an ‘early warning system’ for corporations which value their reputation.[3]

What goes into a privacy impact assessment?

Checklists

A detailed and systematic checklist should be developed before undertaking a PIA. Examples of checklists or templates for PIA developed in several contexts can be found in:

  • Privacy Act 1993 (NZ) s 98, in which a set of ‘information matching guidelines’ provide the basis for assessing data matching proposals;
  • Information and Privacy Commissioner/Ontario, Geographic Information Systems, Appendix A, slanted towards GIS applications;
  • Information and Privacy Commissioner/Ontario and ACT Canada, Smart, Optical and Other Advanced Cards: How to do a Privacy Assessment, containing an assessment checklist and detailed guidance notes;
  • New York Public Service Commission Privacy Policy Statement concerning the introduction of new telecommunications services;
  • Ministry of Health and Ministry responsible for Seniors (British Columbia), ‘Information Systems Policy concerning new information Systems which store or manage personal information’.

Description of proposal

There are a number of common features to all PIAs. The starting point will be a description of how a proposal will use and process personal information. This should be tackled in a systematic way from the collection, generation or obtaining of personal information through its holding, storage, security, use and disclosure. Announcing a new proposal to affected people without adequate explanation may lead to a cautious or hostile reaction which may be unwarranted if the true position were known. Conversely, the public may remain unconcerned or complacent at a proposal because they do not recognise the risks or they presume that what is being proposed is similar to an existing practice with which they are familiar. Accurate description is a step towards identification of risks.

Alternatives to proposal to achieve objective

It is usually desirable for a PIA to include an assessment of an alternative to achieve the desired objective. Accordingly, identification of the objective is essential. This will usually be set by the agency concerned rather than the person co-ordinating the PIA. Obviously there is a risk that an agency may define the objective in such a way that no alternative is feasible. Nonetheless, there can be consideration of options at both the macro and micro levels. If no broad alternative is available to the proposal or technology selected there may still be a value in a PIA to better understand the impacts and also to make small adjustments within the preferred technology.

Assessment by reference to privacy standards

The description and analysis of the proposal is assisted by reference to applicable international and national privacy standards. In many jurisdictions there is a premier set of principles or standards in national privacy or data protection laws. Otherwise there are international standards, the main ones being:

  • OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980);
  • Council of Europe Convention No 108 (1981);
  • UN Guidelines for the Regulation of Computerised Personal Data Files (1990);
  • EU Directive on Data Protection (1995).

Depending upon the proposal being assessed there may be supplementary international or national guidelines. Occasionally these will be specified in national law, for example, the public register privacy principles in the Privacy Act 1993 (NZ). In others, reference may be made to guidelines issued by such bodies as the Council of Europe, EU, ILO, OECD, UN and ISO.

Researching issues

With respect to each information aspect of the proposal there will be a number of issues to be addressed. The issues will be readily apparent when the relevant literature is studied and the international or national privacy standards are compared to the proposal. For example, in relation to collection of personal information, an assessment might seek to ask and answer questions such as:

  • Does this replicate an existing collection of information or is it a new collection?
  • Is it necessary to collect each item of information?
  • Is the manner of collection intrusive or unfair?
  • Is the information to be collected of special sensitivity?

These questions are simply a starting point and a complete or appropriate list would be devised with reference to the relevant international and national standards and the features of the technology or proposal. Several of the checklists mentioned earlier pose relevant questions.

Many of the projects to be assessed will be novel. Nonetheless, the same technology may have been trialled in another jurisdiction. Accordingly, an international literature search will be part of the assessment process. Inquiries may be made of experts or officials in other jurisdictions who may be expected to have some knowledge of the subject matter. Research to identify and evaluate the risks of a proposal will need to be undertaken. Consultation with people likely to be affected is usually desirable.

Use in decision-making

Finally, PIA is not complete unless it contributes to a decision-making process. Typically PIA will lead to findings as to the privacy risks of a proposal, the significance of those risks, and the availability of alternatives to achieve the agency’s objectives which carry fewer privacy costs. A clear privacy impact report will provide the information for decision makers to exercise their powers. Sometimes the PIA will seek to quantify the effect on privacy, which may be beneficial or detrimental, as a contribution to a broader cost benefit analysis being imposed on a project. In some cases the privacy impact report will offer recommendations.

Conclusion

PIA brings advantages to all the players involved in the introduction of a new technology. It can assist agencies in ensuring that they comply with applicable laws, do not unduly intrude on privacy and protect their reputations. It benefits privacy commissioners by sharing responsibility for the protection of privacy with agencies, since no commissioner is funded to act as a ‘privacy policeman’ in respect of every application of new technology. Finally, PIA can empower individuals to exercise their rights under privacy laws and as a consumer. Public availability of privacy impact reports will lead to greater understanding of the implications of new technology. In some cases, the process will reassure the public. In others, it will provide information that people, in an individual or collective capacity, need to influence the way that technology impacts on their private lives.

Blair Stewart, Assistant Commissioner, Office of the Privacy Commissioner, New Zealand.

This is an abridged and revised version of a paper presented to the Privacy Law & Business 9th Data Protection Authorities’ Workshop, ‘Biometric Identification: Challenging or enhancing privacy rights?’, Santiago de Compostela, 15 September 1998.


[1] Blair Stewart, ‘Privacy Impact Assessments’, (1996) 3/4 PLPR 61.

[2] An agency might keep confidential a privacy impact report in relation to an initiative which never proceeded. A public body may have to make the report and related documentation available in accordance with applicable freedom of information laws.

[3] See Elizabeth Longworth, ‘Notes on Privacy Impact Assessments’, Privacy Issues Forum, 13 June 1996.
