
1 Privacy Impact Assessments
Iain Bourne, Group Manager, Policy Delivery, Information Commissioner’s Office, UK
Workshop on data protection and the internet: Zagreb, June 2013

2 Privacy Impact Assessments
“A PIA is a process which helps assess privacy risks to individuals in the collection, use and disclosure of information. PIAs help identify privacy risks, foresee problems and bring forward solutions.” – ICO PIA Overview, 2009

3 Some obvious PIA questions
– Why will you collect this information?
– Are there alternatives to using personal data – e.g. in planning?
– How long will you keep it for?
– Who will need to have access to it?
– How will you check it is correct?
– How will you keep it secure?
– How will you get rid of it when you no longer need it?
– How will we tell the public what we’re doing?
So, the PIA turns the principles of data protection into a business process.

4 Some internet PIA issues
– ‘Signed-in’ or ‘anonymous’ access to services?
– Personal data for web metrics / analytics?
– When does pseudonymisation or anonymisation take place?
– How to deal with policing / national security requests?
– Can people find and understand our privacy policy?
– Do we need consent – e.g. cookies? How do we get it?
– Do we disclose personal data to third parties – e.g. advertisers?
– What do we have to consider when launching a new service?

5 ‘Threshold’ criteria questions 1
(1) Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?
(2) Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes?
(3) Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions?

6 ‘Threshold’ criteria questions 2
(4) Does the project involve multiple organisations, whether they are government agencies (e.g. in ‘joined-up government’ initiatives) or private sector organisations (e.g. as outsourced service providers or as ‘business partners’)?
(5) Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?
(6) Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database?
(7) Does the project involve new or significantly changed handling of personal data about a large number of individuals?

7 ‘Threshold’ criteria questions 3
(8) Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?
(9) Does the project relate to data processing which is in any way exempt from legislative privacy protections?
(10) Does the project’s justification include significant contributions to public security measures?
(11) Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?

8 From our compliance-check template
1.4 Obtaining consent
1.4.1 Are you relying on the individual to provide consent to the processing as grounds for satisfying Schedule 2? Yes / No. If yes, when and how will that consent be obtained?
1.4.2 For the processing of sensitive personal data, are you relying on explicit consent as specified in Schedule 3, s1 of the Data Protection Act? Yes / No. If so, when and how will that consent be obtained?

9 Context
– ICO PIA handbook 2007, second edition 2009 – a ‘how to do it’ guide
– Value of PIAs in guiding new organisational activities/decisions/projects that impact on privacy
– Starting to mature as a discipline as good practice and case studies emerge
– Usage rising, but barriers exist to widespread usage
– Practitioners want flexibility, a clearer business case for PIAs, and clearer links with existing organisational business processes
– Further work needed on embedding PIAs
– Quality still variable – still used by some as a “check box” exercise, or as cover to justify a project

10 Context – wider developments
– Proposed European Data Protection Regulation, Article 33 – Data Protection Impact Assessments
– European PIAF Project: http://www.piafproject.eu/
– ISO PIA standard

11 Where next?
ICO announcement mid July. PIA “package” will be published:
– New draft Code of Practice for consultation – including annex on project and risk management
– Full research findings published
– Action plan for consultation – responding to research recommendations
– Influencing stakeholders that “own” project and risk management methodologies

12 Where next?
New ICO Code of Practice (replaces but builds on 2009 handbook). Will cover:
– When to use a PIA
– Building PIAs into how organisations manage projects and risks
– Practical steps to identify and manage privacy risk
– How to build consultation throughout the process – internal and external
– Publication of PIA reports
– Includes templates, but organisations and sectors are encouraged to develop their own approach

13 Proposed DP Regulation: Article 33 – Data protection impact assessment
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller’s behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

14 Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk or find us on… www.twitter.com/iconews
