Privacy Impact Assessments Iain Bourne, Group Manager, Policy Delivery Information Commissioner’s Office, UK Workshop on data protection and the internet: Zagreb, June 2013

Privacy Impact Assessments
“A PIA is a process which helps assess privacy risks to individuals in the collection, use and disclosure of information. PIAs help identify privacy risks, foresee problems and bring forward solutions.” (ICO PIA Overview, 2009)

Some obvious PIA questions
– Why will you collect this information?
– Are there alternatives to using personal data, e.g. in planning?
– How long will you keep it for?
– Who will need to have access to it?
– How will you check it is correct?
– How will you keep it secure?
– How will you get rid of it when you no longer need it?
– How will we tell the public what we’re doing?
So, the PIA turns the principles of data protection into a business process.

Some internet PIA issues
– ‘Signed-in’ or ‘anonymous’ access to services?
– Personal data for web metrics / analytics?
– When does pseudonymisation or anonymisation take place?
– How to deal with policing / national security requests?
– Can people find and understand our privacy policy?
– Do we need consent, e.g. for cookies? How do we get it?
– Do we disclose personal data to third parties, e.g. advertisers?
– What do we have to consider when launching a new service?
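The analytics and pseudonymisation questions above are where PIAs most often go wrong in practice: a web-metrics pipeline "hashes the IP address" and the project team records the data as anonymous. The following is an added worked example, not code from the original deck or the ICO, showing why an unkeyed hash of an IPv4 address is trivially reversible and what a keyed, per-period pseudonym looks like instead. The log lines, the master key and the function names are constructed for illustration; the log format is assumed to be Apache Common Log Format with the client address as the first field.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from datetime import date

# Constructed sample access-log lines (not from the original slides). The
# addresses are from the 203.0.113.0/24 documentation range (TEST-NET-3).
SAMPLE_LOG = [
    '203.0.113.57 - - [12/Jun/2013:10:01:02 +0200] "GET /services/apply HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jun/2013:10:01:05 +0200] "GET /privacy-policy HTTP/1.1" 200 2048',
    '203.0.113.57 - - [12/Jun/2013:10:02:11 +0200] "POST /services/apply HTTP/1.1" 302 0',
]


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address. Looks anonymous; is not."""
    return hashlib.sha256(ip.encode()).hexdigest()


def reverse_naive(digest: str, candidate_network: str) -> str | None:
    """Recover the address behind an unkeyed hash by enumerating candidates.

    IPv4 has only 2^32 addresses, so full enumeration is always feasible on a
    laptop; a /24 is used here so the demonstration is instant.
    """
    for host in ipaddress.ip_network(candidate_network):
        if naive_pseudonym(str(host)) == digest:
            return str(host)
    return None


def period_key(master_key: bytes, period: date) -> bytes:
    """Derive a per-period (here: per-day) key from a master secret.

    Pseudonyms from different periods cannot be linked to each other, and
    destroying the master key leaves pseudonyms that nobody can reverse.
    """
    return hmac.new(master_key, period.isoformat().encode(), hashlib.sha256).digest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: without the key, enumerating addresses gives nothing."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def pseudonymise_log(lines: list[str], master_key: bytes, period: date) -> list[str]:
    """Replace the leading client address of each Common Log Format line with a
    keyed pseudonym for the given period. Returns the rewritten lines."""
    key = period_key(master_key, period)
    rewritten = []
    for line in lines:
        ip, rest = line.split(" ", 1)
        rewritten.append(f"{keyed_pseudonym(ip, key)} {rest}")
    return rewritten


def demo() -> dict:
    """Run both approaches over the constructed sample and return the results."""
    # Constructed key. In a real deployment generate it with secrets.token_bytes(32)
    # and keep it out of the analytics system (e.g. in a KMS or HSM).
    master_key = b"\x01" * 32
    recovered = reverse_naive(naive_pseudonym("203.0.113.57"), "203.0.113.0/24")
    today, tomorrow = date(2013, 6, 12), date(2013, 6, 13)
    p_today = keyed_pseudonym("203.0.113.57", period_key(master_key, today))
    p_tomorrow = keyed_pseudonym("203.0.113.57", period_key(master_key, tomorrow))
    return {
        "recovered_from_naive_hash": recovered,          # the "anonymous" hash gives the IP back
        "linkable_across_days": p_today == p_tomorrow,   # keyed pseudonyms rotate with the key
        "rewritten_log": pseudonymise_log(SAMPLE_LOG, master_key, today),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points for the PIA record: the keyed version is pseudonymisation, not anonymisation, because whoever holds the master key can re-identify, so the data remains personal data and the assessment should state who holds the key, how often it rotates and when it is destroyed; and a per-day key means the same visitor cannot be followed across days, which is usually what the analytics purpose actually needs and is the kind of purpose-limiting design choice a PIA exists to force.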

‘Threshold’ criteria questions 1
(1) Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?
(2) Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes?
(3) Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions?

‘Threshold’ criteria questions 2
(4) Does the project involve multiple organisations, whether they are government agencies (e.g. in ‘joined-up government’ initiatives) or private sector organisations (e.g. as outsourced service providers or as ‘business partners’)?
(5) Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?
(6) Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database?
(7) Does the project involve new or significantly changed handling of personal data about a large number of individuals?

‘Threshold’ criteria questions 3
(8) Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?
(9) Does the project relate to data processing which is in any way exempt from legislative privacy protections?
(10) Does the project’s justification include significant contributions to public security measures?
(11) Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?

From our compliance-check template
1.4 Obtaining consent
– Are you relying on the individual to provide consent to the processing as grounds for satisfying Schedule 2? Yes / No
– If yes, when and how will that consent be obtained?
– For the processing of sensitive personal data, are you relying on explicit consent as specified in Schedule 3, s1 of the Data Protection Act? Yes / No
– If so, when and how will that consent be obtained?

Context
– ICO PIA handbook 2007, second edition 2009: a ‘how to do it’ guide
– Value of PIAs in guiding new organisational activities/decisions/projects that impact on privacy
– Starting to mature as a discipline as good practice and case studies emerge
– Usage rising, but barriers exist to widespread usage
– Practitioners want flexibility, a clearer business case for PIAs, and clearer links with existing organisational business processes
– Further work needed on embedding PIAs
– Quality still variable: still used as a “check box” exercise, or as cover to justify a project, by some

Context – wider developments
– Proposed European Data Protection Regulation, Article 33: Data Protection Impact Assessments
– European PIAF project
– ISO PIA standard

Where next?
ICO announcement mid July. A PIA “package” will be published:
– New draft Code of Practice for consultation, including an annex on project and risk management
– Full research findings published
– Action plan for consultation, responding to research recommendations
– Influencing stakeholders that “own” project and risk management methodologies

Where next?
New ICO Code of Practice (replaces but builds on the 2009 handbook). Will cover:
– When to use a PIA
– Building PIAs into how organisations manage projects and risks
– Practical steps to identify and manage privacy risk
– How to build consultation throughout the process, internal and external
– Publication of PIA reports
– Includes templates, but organisations and sectors are encouraged to develop their own approach

Proposed DP Regulation: Article 33, Data protection impact assessment
“1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller’s behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Keep in touch Subscribe to our e-newsletter at or find us on…