Privacy Law and Policy Reporter
Recent experience of carrying out privacy impact assessments (PIAs) has reinforced some lessons I had already learnt from previous work. I have always taken the view that there is nothing particularly new or radical about PIAs — it is just a new name for a technique of assessment which privacy regulators and consultants have been performing for years. It is essentially just a systematic appraisal of the privacy implications of a new proposal. Some appraisals are limited to assessing compliance with specific privacy rules or standards, but others range more widely over all privacy issues of concern to affected individuals, whether or not they are currently subject to privacy law. The concept of a PIA owes much to the well established tool of environmental impact assessments (EIAs).
PIAs differ from privacy audits in that audits are generally assessments after the event of how an organisation is complying with existing rules. PIAs are prospective — they assess how a proposal would comply with rules or, more commonly, what privacy issues a proposal will raise, including but not limited to compliance issues. PIAs can also identify an appropriate role for privacy enhancing technologies (PETs) which can give individuals a measure of control over their personal information.
The first critical factor is the level of commitment to the objective of the PIA. The proponent of the scheme in question will rarely if ever be enthusiastic about the exercise, which is after all designed to identify and explore potential drawbacks and disadvantages. (It is possible to conceive of a PIA for a privacy enhancing technology which would be all positives, but we have yet to see one.)
From the consultant’s perspective, there are obvious difficulties in relation to identifying the actual client. PIAs will often have been commissioned at the request, or insistence of, a third party such as a privacy regulator. A PIA is always going to be more in the interests of third parties — ultimately the affected public — than in the interests of the scheme proponent. It might be better if PIAs were always commissioned and paid for by a relevant third party, to avoid the pressure for ‘divided loyalties’ that inevitably arise when the client may be disadvantaged by a full and frank disclosure of all privacy implications.
On the other hand, having the scheme proponent as the client should, in theory, force them to take the exercise seriously. If it is a purely external exercise, there is a risk that the scheme proponent will only ever view the PIA as an unwelcome hurdle to be jumped. There will be no sense of ownership and little if any internalisation of the privacy considerations. However, in my experience these remain largely theoretical benefits — having the scheme proponent directly commission and manage the PIA consultancy does not guarantee commitment, particularly at senior management level. My conclusion is that in order to realise these potential benefits, it would be necessary to have an internal ‘champion’ for the PIA at a sufficiently high level and with sufficient enthusiasm for and understanding of the objectives.
Since this condition is unlikely to be met, on balance I favour the commissioning of PIAs by someone other than the scheme proponent, although a minimum level of co-operation must be assured.
Timing is, of course, another critical issue. If the PIA is left too late, decisions will have been taken and scheme parameters fixed such that some adverse privacy implications are unavoidable and some remedial options ruled out. On the other hand, if it is done too early, while scheme parameters are still wide open, there is an understandable fear that the PIA will throw up misleading and alarmist scenarios which are not really on the agenda, and may even lead to the project being derailed. This dilemma obviously rests on the reality (unpalatable to the scheme proponent) that it is indeed the purpose of a genuine and full blooded PIA to question the fundamental assumptions of the project; to ask why ‘X’ is needed and what alternatives have been considered that may be less intrusive to privacy.
These are questions that are best asked (in the government context) by a relatively disinterested central agency (or third party) rather than by an executive agency with a direct stake in the answer. Yet the machinery of government and its decision-making processes do not readily accommodate the asking, and answering, of fundamental questions at such an early stage. As is also evident from the experience of environmental impact statements, too often an enormous momentum has built up behind a scheme, with many people seeing it as critical to their career path, by the time the impact statement — or PIA — is commissioned. At that point, the best that can be realistically expected is that the PIA findings will have a marginal influence on the scheme design.
That is not to say that a PIA, even when carried out later in the evolution of a scheme, cannot make a valuable contribution. There may well be options for the detailed design and implementation of a scheme which are much less privacy intrusive than other options, and procedural safeguards which can compensate for those privacy negatives which must remain. Often at this level the scheme proponent will be genuinely ‘neutral’ and will be happy to incorporate options and features which retain privacy.
It will often be the case that some of the most significant privacy issues are outside the direct control of the scheme proponent. They will involve, for instance, the extent to which other organisations will see new or enhanced data sets or technical capabilities as an attractive resource for other purposes, leading to ‘function creep’. The scheme proponent will argue vigorously that since these effects are hypothetical and in any case subject to subsequent and separate decision-making processes, they should not be taken into account. But from the consultants’ perspective, they are fundamental to the privacy impact. To properly assess these the consultants require access to other organisations, but they will often be reluctant to co-operate, even if the client agrees to allow them to be approached.
Scheme proponents or clients will typically be surprised by the extent to which consultants need to go back and look at existing systems. They will ask why the PIA cannot be confined to looking at the proposed new or changed element. The consultants will need to explain why an important element of the privacy impact is the degree of change from the status quo, and that a good understanding of the historical and wider context, as well as of the way existing systems work, are essential. It is also the case that since PIAs are a new tool, it is unlikely that existing systems have been subject to relevant analysis. Consultants will typically find themselves asking very basic questions about why things are done the way they are, and finding it hard to obtain adequate answers.
For all these reasons, PIAs will usually require more time and effort than the client expects, and it is important not to allow the necessary retrospective analysis to be ‘squeezed out’ in pricing and contract negotiations.
Another important issue is the ‘audience’ for the PIA report, and level of consultation before, during and after the PIA. Ideally, a PIA for a government scheme should be part of a public process and the public should be involved in the design of the PIA itself — helping to identify what questions to ask and who should be involved. The requirements for program protocols under the Australian Federal Data-Matching Program (Assistance & Tax) Act 1990 are a good model for an open assessment process. But it is unrealistic to expect that agencies who are commissioning privacy invasive schemes to open them to public scrutiny voluntarily, before they have had a chance to consider the findings of an assessment internally and prepare their defences.
There will also be a tendency for scheme proponents to delay publication of the PIA report as long as possible in the hope that it will be too late to make major changes. Of course, this approach betrays a lack of commitment to the objectives of the PIA, already discussed above. It would be gratifying to see a recognition that privacy issues, particularly in high profile sensitive schemes, are going to come out sooner or later and that sound risk management principles favour early and open discussion and resolution.
As long as the contract has allowed the consultant to do a thorough job, the draft report of a PIA presented to a client should represent a fair and accurate assessment of the privacy implications. It may contain recommendations, if the client has requested them, or it may stop at findings. After the client has received the draft, negotiations can be difficult. The client will understandably want their scheme to be seen in the best possible light, with positives emphasised and negatives muted. A determined client, with its purse strings in one hand, can exert considerable pressure for changes. Of course factual corrections should be accepted, but in practice it is often difficult to distinguish a factual correction from wording with a different nuance or emphasis. Disputes can arise about the relevance or significance of material, although in my view the consultants’ judgment must ultimately prevail. The time used in these negotiations also needs to be factored in, especially when critical dates in the decision-making timetable are approaching. The consultant may have to judge whether compromising on wording is worthwhile to finalise a report so that it can have an influence on key decisions.
To conclude, it is clear that the relationship between PIA consultants and the proponent of the scheme under review is not a normal consultant-client one. It is probably closer to auditor and client, where the auditor is clearly carrying out an independent function on behalf of a wider constituency. Just as the auditor’s role is supported by legislative requirements, some external authority is required for a PIA if scheme proponents are to at least grudgingly accept the usually unwelcome attention and unpalatable findings. This is why many privacy advocates have called for a PIA requirement to be written in to privacy legislation, at least for significant schemes (but who decides what is significant in the absence of a PIA?).
Whoever pays for the PIA (and it will usually be the scheme proponent), the contract should give the consultants sufficient flexibility to go wherever their enquiries lead them, talk to all relevant stakeholders, and give a full, frank and unbiased assessment. How a client chooses to use a PIA report is, in the end, up to them. But the report itself must retain its integrity and not be edited to present only the more acceptable findings.
Nigel Waters, Associate Editor.