Stewart, Blair --- "PIAs -- an early warning system" [1996] PrivLawPRpr 65; (1996) 3(7) Privacy Law & Policy Reporter 134

PIAs -- an early warning system

Blair Stewart

This is an edited transcript of a panel session held at the Privacy Issues Forum, Christchurch, NZ, 13 June 1996. The session was chaired by Blair Stewart (Manager of Codes and Legislation, NZ Privacy Commissioner's Office) and panel participants included Elizabeth Longworth (Longworth Associates), David Flaherty (British Columbia Privacy Commissioner) and Nigel Waters (Head of Privacy Branch, Australian Privacy Commissioner's Office). Blair Stewart's article on PIAs at 3 PLPR 61 provides an introduction to this topic. (General Editor)

Blair Stewart (panel chair):

In this session we consider not just the `here and now' of privacy but we speculate on whether a technique which we call PIA may enable us to steer towards a future in a more privacy-friendly direction. It seems to me that even if the future requires a trade-off in privacy in favour of some other material benefit a PIA allows us to make such choices rationally and with our eyes open as to their privacy `downside'.

Before going further I should mention the terminology that I and Elizabeth Longworth used in our papers distributed in advance of this session. We've referred to the process as the privacy impact assessment or PIA, to use a three letter acronym (TLA). Others use the term privacy impact statement but, as Kevin O'Connor pointed out, its TLA may lead that term to fall into disfavour.

Following my own brief comments will be Elizabeth Longworth, an Auckland lawyer with a special expertise in technology, telecommunications and related privacy issues. Also on panel are David Flaherty from British Columbia and Nigel Waters. Nigel is the `second in command' in the Australian Privacy Commissioner's office while David is the Information and Privacy Commissioner of British Columbia.

To briefly recap on the first half of my paper I suggested that a light-handed privacy law, which I believe the Privacy Act 1993 is, will be enhanced by the use of PIAs in relation to major privacy invasive initiatives. PIAs can provide a degree of accountability to the public. A PIA makes a systematic effort to assess privacy impacts of options and identify ways to ameliorate their privacy impact or mitigate adverse effects. In my paper I suggest that PIAs may be desirable in a variety of circumstances for instance on the introduction of new information technology. In my view the PIA process should be systematic, competent and integrated into decision making processes. I take the view that PIAs should not normally be prepared by the Privacy Commissioner but should be the responsibility of the agency making the running with the new endeavour. We should expect people to take a degree of responsibility for the effects that they are going to have on privacy rather than saying an external oversight agency can just take that problem on board and provide solutions. However, I think that to provide a public and independent element I would see at some stage the Privacy Commissioner having a very suitable function of review or critique of PIAs.

I won't say any more about my paper, or the second half of the paper particularly, but I would like to draw out an analogy with environmental impact assessments, something that was only briefly touched on in my paper. It seems to me that our notions of a desirable environment or desirable level of privacy are manifestations of human emotions and aspirations, they are not simply utilitarian notions or economic notions -- although we can, and should in appropriate cases, sometimes try to reduce environmental and privacy notions to quantifiable and economic things like stock carrying capacity of land, the capacity of a river to absorb pollution or the cost benefit of a data matching exercise. But for the most part I actually think our concerns for the environment, like our concerns for privacy, is not so much an economic matter but has a lot to do with human personal emotions.

Environmental impact assessment, which I hope some of you might be familiar with because they have been going for 15 or 20 years now, seeks to judge harm to the environment in the future if a proposal goes ahead. The objective of a PIA is similar, we try to judge what can happen in the future if a proposed option is taken. In both cases I think we often find the effects are gradual and cumulative. One more sewerage outfall in the Waikato River or a single video camera installed in The Square in Christchurch may seem minor in itself but later generations may well wake up with a very polluted river or perceive they are now living in a surveillance society. Although you don't always know when the line is crossed at the time, PIAs may help to put us on notice as to gradual degradation.

The comparison with environmental impact assessment could usefully be taken further. For now it may suffice to say that there are similarities and environmental impact assessment has turned out to be a highly effective tool in relation to identifying environmental issues and helping to inform decision makers in resource management terms. There are no absolutes in environmental terms, we are certainly willing to trade off some degradation in our natural environment for economic well-being. Privacy too involves trade offs and an assessment technique based upon one effectively used in the environmental field has a promising role to play in the privacy arena.

Elizabeth Longworth:

In my paper I described PIAs as `an early warning system'. I also talk about how the very fact we are talking about the need for PIA, or PIAs, or some kind of impact study, is really a third generation privacy response. It shows that we really are evolving in terms of our privacy awareness. We are starting to anticipate the downside of trying to implement a change or launch a new product. The downside if you haven't thought through what the proposal will mean may be apparent when it hits the front page. You know the good old front page test? How is this new product or service going to go down with the public and with the users and consumers of that new activity or service?

For some years now I've been carrying out a form of PIA in the context of my practice. One of the reasons why I have been doing that work is because there is nothing else people have been able to fall back on. It might be interesting for you to know the range of areas in which I have been hired to look at a change in activity or a new product or service and to give a view on how it sits in terms of privacy compliance and privacy issues. The list includes health services, changes in health activities, the delivery of new education programs, certain telecommunications products, banking activities, credit risk assessment activities, new marketing techniques and the use of various types of registers. That is quite a range.

Some of the questions that I ask are listed in my paper. They are very generic questions that start off at that higher level and then you bring it down to the more specific. In an area of consumer protection laws it is absolutely foolhardy if an agency fails to address what impact the product or the change in activity will have on personal privacy. Agencies need to try to pin down exactly who will be affected and the nature of the personal information involved, how does the product or activity sit in terms of the privacy principles. What distinguishes it from a privacy compliance program is that kind of program looks at the `here and now', whereas we are trying to look into the future. Very importantly, we are trying to second guess what will be the consumer or public perceptions. The point at which I get involved is prior to the new activity going public. So there is a bit of second guessing and there is a lot of use of research analysis, and the last two questions are `are there any broader privacy implications other than just compatibility with the Privacy Act?' or rephrasing that `does the product or the service or the change in activity push the current privacy boundaries whether or not those boundaries are defined by statute?' Two points I think are extremely important because they are the drivers why people are looking at PIAs and the need for them because they realise that in some of the things they are wanting to do may be pushing the boundaries in terms of what our expectations are of privacy protection.

Why do clients come and ask for this type of work? There is no formal structure out there at the moment for PIAs, if they get this kind of assessment at an early stage they can keep it confidential. That's important because it allows the planners to change the design or the method of implementation before it has to satisfy the `front page test', and that is incredibly important because it allows the agency to change directions. But of course that is a very interesting motivation because one of the factors that Blair is talking about is the need for some kind of public scrutiny in the process.

It is also cost efficient to have a PIA because it is a hell of a lot cheaper, believe me it's a lot cheaper, to react pro-actively in terms of privacy compliance than retro-actively. It is a lot cheaper to try and second guess where you are going to have to anticipate compliance than have to turn around and re-do your forms for collecting personal information, or the way in which you are delivering a service, because the costs have already been sunk. It is a great risk management tool, the actual process that goes on in terms of building it into the critical path of the development, it pulls out all sorts of issues along the way and I believe there are many advantages to anticipating difficult privacy issues.

There are a lot of adverse consequences of getting it wrong which is why I kicked off the paper with a make-believe scenario. By the way, I apologise to any poor company that has the name Technology Incorporated because it's not meant to relate to any real company. But I threw in a scenario there so that you could see what happens if the planners of a new project fail to address the wider privacy implications. In that particular case the new product, the very sexy new product, was dead in the ground for failing to have a PIA.

David Flaherty:

May I say that there is at least one American company that is building products where they try to manipulate the children who respond on the television to give information about the family, so Elizabeth Longworth's example is not as fictitious as she thinks. Mark Rotenberg of the Electronic Privacy Information Center in Washington DC has been hot on the tracks of children's privacy rights recently because of that kind of development.

I can't imagine that anybody wouldn't be enthusiastic about the concept of PIA, although I am beginning to be worried that our two previous speakers are more worried about developing a suitable acronym, I didn't realise New Zealanders were so preoccupied with that particular activity.

It is inconceivable that a PIA is anything other than in the best interest of your organisation. I've looked through the list of participants and I think it is fairly common for all our organisations today, whether in the public or private sector, to be designing new information systems or new products of one sort or another. A fairly regular experience for me is to be told, as I was in the Ministry of Education of British Columbia a couple of weeks ago over lunch, `oh by the way we are designing a new central information system on primary and secondary school children in the province'. I can usually anticipate that nobody in the planning group with another new scheme will have thought about personal privacy in the equation. As a result of a casual lunch I simply invited these people in and started talking about the privacy implications.

Whether an organisation is a private company or a health agency or something in the public sector, it is so easy for your executive committee or senior executives or the product managers being pressured to generate new business or to work more effectively not to think about personal privacy. One of my ongoing efforts is to try to get public servants or employees of corporations to remember that they are also human beings and that they ought to reflect in the course of their work on what impact their activities are going to have on the lives of other individuals.

I think that what you do with a PIA is customise the information privacy principles, such as you call them in NZ, to the particular activity that you've got in mind. Take the next workshop on electronic surveillance, concerning closed circuit television in Christchurch and other parts of NZ, that again is a question of customising and applying the fair information practices that were developed in the early 1970s and on which we now have 35 years of experience. And most privacy issues are simply addressed quite satisfactorily by taking these kind of fair information practices or information privacy principles into effect.

I would urge you to take back to your organisations the kind of consideration on PIAs based on the environmental model, that these two excellent papers have been addressing today. I am astonished that Elizabeth Longworth who is a private consultant has been giving away so much free information here, you can simply take it and go to work with it.

Blair Stewart:

David has made a very pertinent point that these things have tremendous advantages and he cannot see why any agency here wouldn't see the advantages and want to do them. I would like to explore that issue with our panellists because PIAs have been talked about for some time and yet there are many privacy invasive endeavours, by government or the private sector, which haven't had the sort of scrutiny that we have been talking about. There are a range of reasons for that. Perhaps the organisations just haven't recognised a privacy issue when it has arisen at the planning stage. Or perhaps haven't thought of the PIA technique as being useful. What I would like Nigel to comment on is whether there are particular reasons in the public sector why PIAs haven't been used in the past -- the public sector being a more formalised set-up than the private sector. Then I would like Elizabeth, in relation to her private sector clients, to explain the constraints -- why don't some clients choose to have assessments?

Nigel Waters:

I'm a late draft to this panel, so these are fairly spontaneous reactions to what we have heard. Blair raised the question about why people have been talking about PIAs for a long time, why aren't they doing it? Of course we all do it all the time in the privacy business. I mean most of our work in the Australian Privacy Commissioner's office is in effect helping government agencies work through the privacy impacts of a new proposal or a new development.

I think the issue here is how much more formal should we make it, how systematic can you be in setting down some guidelines and some processes to go through? I think one of the reasons why governments find it difficult to adopt a more formalised and open privacy impact process is that it doesn't fit easily into the decision-making processes of government. There is in the absence of a statutory requirement such as you get in the environmental area. The whole process of government decision-making policy formulation leading through to a Cabinet submission and Cabinet approval doesn't really lend itself to an open public document assessing the pros and cons from any perspective, let alone just the privacy ones, to be exposed before the decision is made by government by which time it is usually too late to revisit some of the fundamental assumptions. I think if we are serious about the more formalised and public privacy impact process then there may have to be some adjustment to the underlying decision-making processes of government to accommodate it, otherwise you are only going to get at best a rather messy partial assessment of the implications.

The other point I will make is that in relation to who should do the assessment. I think essentially it has got to be a collaborative process. While the organisation that's developing the initiative is the only one that really knows what they've got in mind and therefore it is difficult for somebody like the Privacy Commissioner's office to come in from outside to try to do the assessment without understanding where they are coming from. However, equally if you just leave it to the organisation, they don't usually understand all of the privacy angles. We've asked a number of agencies to do what we call compliance statements with the information privacy principles and bring that to us and you usually find that they've covered some of the principles quite well but they have just totally missed some very important privacy angles. So I think with whatever degree of formality we are talking about the organisations concerned are going to need some help whether it be from the Privacy Commissioner's office or from an outside consultant who understands the privacy principles well in order to make sure that they cover all the angles.

Elizabeth Longworth:

Levels of awareness. I think if we put the starter gun as at 1993 with the NZ Act really the levels of privacy awareness are still in their infancy stage. That's why I called PIAs as a third generation response in terms of privacy awareness. Also it is a bit of a nebulous concept. This is the first attempt in NZ that I'm aware of where the commentators have tried to put some flesh on the bones and that is why it is easy to read Blair's paper because he lists out a number of criteria. I've had a crack at some of the questions but he has actually tried to sketch a skeleton of some of the options.

I also think that agencies are only just coming to grips with the need for privacy compliance programs. They have had to get to come up to speed with the various consumer protection compliance programs and now there is another one, privacy, and oh no we don't just have to do a privacy compliance program we've got to start looking to the future? So it's just slow upwards haul. I believe that the smart agencies -- there are a number of them around -- are taking PIAs as far as they can within the existing structures. I find that their responses depend a lot on the awareness levels of the key executives who call for the PIAs are sufficiently smart and aware and alert to see the need for it, because they can see the downside for their organisation if they ignore this issue. And it also relies on a level of privacy awareness among the public and the media and I like to think that is an informed awareness rather than a knee-jerk awareness. That is because of the front page test again, because if you have a very aware public then of course the front page test has a bit of bite to it and that becomes one of the drivers to do something about anticipating difficult privacy issues in the planning stages.

Comment from the floor:

My agency, a Crown Health Enterprise, recently considered a new proposal which might have benefited from something like a PIA. We wanted to obtain names and addresses of thousands of parents from dozens of schools on an on-going basis in relation to the delivery of a new public health initiative to children in our district. One of the issues we struck was the difficulty in assessing the privacy implications. We dealt with the Commissioner's office but of course you are not going to get a ruling there and there is not enough caselaw to give you any real true insight. We got a legal opinion which was helpful but it really wasn't a good PIA in the way that you have been talking about. I am not sure if the resources are there to deliver and we can't all call on Liz all the time, so that is one thing that concerns me at the moment. Those things aren't there to actually do this properly, if you are suggesting this has to be done with someone else outside the organisation the Commissioner's office is limited in what they can do for you both in resource and legal perspectives and I still haven't found a good group of legal expertise yet.

Elizabeth Longworth:

That is a really good point because we don't have the existing structure and I'm always a bit wary about saying `oh gee we must have something in regulation'. I really don't like that as a first resort until it has really been thought through. But if you ask whether it should be the Commissioner's office that carries out an assessment, I think there are a number of problems with that because that means the Commissioner's office will be wearing two hats won't it? Aren't they meant to be impartial? So there is a difficulty there and then where else do you go, I mean if you maintain a panel you get into all sorts of issues like accreditation problems in standards and you have people killing each other to get on the panel. So I don't like that idea either.

Blair Stewart:

I think in the example he has given, 150,000 children's records were at risk of being used in an unexpected way. The questioner in his institution has tried to look at what he is going to do. He doesn't necessarily have the answer himself and he wants to draw on some other expertise. So where does he go? He phones the Commissioner's office. The question to the office was probably phrased in terms of `this is approximately what we are going to do, does that comply with the Privacy Act?' One of the things which I am trying to suggest in this exercise is we really need to go beyond compliance. Compliance is one issue -- a very important issue in a jurisdiction like ours with a comprehensive privacy law covering both public and private sector -- but that is only one of the things to look at. I mean quite often there are things you can do which are quite legal, but that doesn't necessarily answer whether the proposal strikes the proper balance for privacy or that you have considered the other options open to you.

The second thing that the questioner said he did was to get a lawyer's opinion. Again the lawyer is going to give an opinion primarily going back to this idea of compliance. What I'm suggesting is that while lawyers have a role, so also others have a role, such as privacy officers and those who work with the Privacy Act. Sometimes you might go to someone for help or you might have the expertise in-house to prepare a PIA. The lawyer may have to do at least the compliance exercise but there is going to be other things: what are the technical options? What value do we put on school children's records? Is this something that the parents and children are going to be expecting is going to happen? Is there another way of achieving the same objective?

David Flaherty:

I'm a little discouraged by the recent turn of the conversation. Doing a PIA is not rocket science, not like weather forecasting at Antarctica or something like that. This is relatively common sense stuff, you have in your materials two excellent papers, plus models from Alberta and British Columbia, that has a bunch of questions that managers are asked to answer before they start bringing forward a new product. I first saw in the US about five or six years ago, information systems where they actually evaluated in a questionnaire the detailed design of any product to see what its privacy impact was going to be. If you didn't make a certain score, forget it, they wouldn't even think about the product because it was so awful for personal privacy.

I'm also discouraged by the notion that you need legal advice. Common sense is at the heart of privacy protection and if you are doing what makes common sense to you and what is ethical and moral the likelihood is you are in compliance with every Act in the western world on privacy. So I think that going to lawyers is an invitation, with all due respect to lawyers in the world, to big legal bills, more than anything else and most of them don't know anything more than you do about it. You have to generate your own in-house expertise rather than paying several hundred dollars an hour for some lawyer consultant (including me in my previous incarnation) to learn about your system when they knew nothing about it when they started.

I am well aware that in NZ you did not have prior to 1990 substantial privacy expertise. Liz Longworth and Tim McBride were two of the few people that I knew here who had some knowledge on information privacy. There is only 3.5 million people here, you don't have 25 experts. There aren't 25 privacy experts in the entire US -- with negative consequences for that society. You are left with a dozen or so in Canada except for the people who work for privacy commissions. You can do an awful lot of this work yourself using common sense and then when you've got your own assessment done, it doesn't have to be any fancier than a couple of pages of notes or descriptive information, then you talk to the Privacy Commissioner's office, then you can talk to your local consultants and you'll be well ahead of the game in my view.

Blair Stewart:

I will also take up on that point. I think there is a lot of expertise in this room -- mainly people like privacy officers. Few privacy officers are lawyers but they've had the experience with addressing these day to day issues under the Privacy Act and only part of that exercise is legal compliance. There is a certain amount of bush-lawyerism involved in it, but a lot of it is also, as David said, common sense. We probably have time for another question, I think possibly the comments about lawyers' fees might have instilled an interest among the audience.

Comment from the floor:

There is one thing I would add on PIA. It is not a `report' in my experience, it is rather an `activity'. When you completed your assessment in-house, you've shared it with other groups and I think the Privacy Commissioner's office is simply one other group, you might then have the courage if it all comes up plus to put it into a live environment in a restricted sense. It is the best form of finding out how the public actually do react to the thing. You can then also make adjustments and when you do, if you do choose to go nationwide with it, have the assurance that you really have tested it.

Blair Stewart:

I think that is a perceptive comment. It is a process. The fact of going through this process and examining the options will bring forth a host of alternatives which may not otherwise have been considered. In some of the other sessions you may hear about the notion of `privacy enhancing technology'. Although technology is often the problem in privacy terms, by a little bit of effort by the same people that have the ingenuity to develop the technology at concern, there are in fact a range of technologies which allow anonymous transactions, providing very modern services and yet respecting privacy. I don't think that these privacy enhancing technologies would have arisen just by waiting for technology to drive in that direction but it has happened because people have been looking at the options, and trying to address the human concerns.

The discussion concluded with thanks to the panellists and those who commented from the floor.

Edited by Blair Stewart.
