Privacy impact assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
A PIA must be seen as a separate process from compliance checking or data protection audit processes. Projects which are already up and running should not be submitted to a PIA, but to either a compliance check or a data protection audit as appropriate. PIAs are an integral part of taking a privacy by design approach.
Although not mandatory, the best practice guidance from the Information Commissioner is to conduct a Privacy Impact Assessment.
1.1.1 Satsafe Limited (The Company) is a private limited company registered in England and Wales no.: 08415883, with information processing as a fundamental part of its business. For many organisations, privacy now poses risks which need to be professionally managed in a similar way to other categories of risk. It is therefore necessary for the Company to have a clear and relevant Privacy Impact Assessment Policy allowing it to comply with information legislation.
1.1.2 It is important to note that any collection, use or disclosure of personal information has the potential to have a risk to personal privacy. Sometimes those risks are not obvious and as a result it can be easy to overlook or not adequately address them.
1.2 This version supersedes any previous versions of this document.
2.0 Purpose of this Policy/Procedure
2.1 This policy and procedure is designed to illustrate the approach that the Company takes to monitoring and assessing any changes to, or the implementation of, new information systems. Careful analysis at the planning stage of intended projects will be enhanced by carrying out Privacy Impact Assessments (PIAs) on all new projects.
3.1 The term project used in this policy and procedure is not limited to formal projects. It encompasses any activity that may alter, dispose of or initiate a system that contains, or potentially contains, personal data, whether in an electronic or paper format.
3.2 This policy and procedure will apply across the Company and contracted services where personal data is either managed or processed. All relevant projects must have a PIA Screening or Assessment completed at an early stage.
4.0 Definitions / Glossary
- PIA – Privacy Impact Assessment (process for assessing risk)
- IGC – Information Governance Committee (Board level oversight committee)
- SIRO – Senior Information Risk Officer (person responsible for risk)
- HIG – Head of Information Governance
5.0 Ownership and Responsibilities
5.1 The Chief Executive has overall responsibility for maintaining privacy and confidentiality within the Company.
5.2 The SIRO, HIG and Data Protection Officer are responsible for ensuring IGC analysis of all Company PIAs.
5.3 Members of the IGC are responsible for assessing and contributing to the assessment of all Company PIAs.
5.4 All Project Leads (either Business or Project Managers) within the Company are responsible for ensuring that PIAs are carried out, and presented to the relevant IGC, on all new projects.
5.5 All managers are to be aware of the need for PIAs for all new projects.
5.6 The IT Security Manager is responsible for assessing any IT security needs.
5.2 Role of the Managers
Line managers are responsible for:
- Ensuring any new process or system that contains, handles or uses personal identifiable data has a PIA conducted prior to implementation.
- Ensuring any new/changed processes, policies, procedures or office locations (including moves) are assessed using the PIA to ensure confidential information is secure.
5.3 Role of the IGC
The Information Governance Committee is responsible for:
- Receiving completed PIAs and recommendations from the HIG.
- Approving, or seeking further clarification regarding, any issues identified.
5.4 Role of Individual Staff
All staff members are responsible for:
- Ensuring they alert either their line manager or the HIG to changes to processes where personal identifiable data is used.
- Raising awareness where they think personal identifiable data is at risk.
6.0 Standards and Practice
6.1 What is privacy?
Interpreted most broadly, privacy is about the integrity of the individual. However, for the purposes of completing a PIA, it is more useful to examine different aspects of privacy. A PIA could consider:
6.1.1 Privacy of personal information – referred to variously as ‘data privacy’ and ‘information privacy’. Individuals generally do not want data about themselves to be automatically available to other individuals and organisations. Even where data is possessed by another party, the individual should be able to exercise a substantial degree of control over that data and its use.
6.1.2 Privacy of the person, referred to as ‘bodily privacy’, is concerned with the integrity of the individual’s body. At its broadest, it could be interpreted as extending to freedom from torture and the right to medical treatment, but these are more commonly seen as separate human rights rather than as aspects of privacy. Issues that are more readily associated with privacy include body searches, compulsory immunisation, blood transfusion without consent, compulsory provision of samples of body fluids and body tissue, and requirements for submission to biometric measurement.
6.1.3 Privacy of personal behaviour relates to the observation of what individuals do, and includes such issues as optical surveillance and ‘media privacy’. It could relate to matters such as sexual preferences and habits, political or trade union activities and religious practices. But the notion of ‘private space’ is vital to all aspects of behaviour, is relevant in ‘private places’ such as the home and toilet cubicle, and is also relevant in ‘public places’, where casual observation by the few people in the vicinity is very different from systematic observation involving the recording or transmission of images and sounds.
6.1.4 Privacy of personal communications could include various means of analysing or recording communications such as mail ‘covers’, the use of directional microphones and ‘bugs’ with or without recording apparatus and telephonic interception and recording. In recent years, concerns have arisen about third party access to email messages. Individuals generally desire the freedom to communicate among themselves, using various media, without routine monitoring of their communications by other persons or organisations.
6.2 Privacy Risks
The enormous increases in the collection, storage, use and disclosure of personal data, and the imposition of many intrusive technologies, have caused increased concern about individual privacy. This is of particular relevance to the millions of devices deployed and being developed as Internet of Things (IoT) applications.
6.3 Categories of Risk
Privacy risks fall into two categories.
(i) Risks to the individual as a result of contravention of their rights in relation to privacy, or loss, damage, misuse or abuse of their personal information.
(ii) Risks to the organisation as a result of:
- perceived harm to privacy
- a failure to meet public expectations on the protection of personal information
- retrospective imposition of regulatory conditions
- the costs of redesigning or delaying a system
- the collapse of a project or completed system
- withdrawal of support from key supporting organisations due to perceived privacy harms
- failure to comply with the law, leading to enforcement action or compensation claims from individuals
7.0 Privacy Impact Assessment
7.1 The PIA Process:
7.1.1 A PIA is a systematic process for evaluating a proposal or project in terms of its impact upon privacy. A PIA can assist in:
- Identifying potential issues and concerns on individual or group privacy
- Examining how detrimental effects may be overcome
- Ensuring that new projects comply with privacy law and principles
- Avoiding loss of trust and reputation
- Avoiding unnecessary costs and inadequate solutions
**To start a Project PIA, download the Initial Equality Impact Assessment Form**
1. Identifying the need for a PIA.
The need for a PIA can be identified as part of an organisation’s usual project management process or by using the screening questions in annex two of this Policy.
2. Describing the information flows.
Describe the information flows of the project. Explain what information is used, what it is used for, who it is obtained from and disclosed to, who will have access, and any other necessary information.
3. Identifying the privacy and related risks.
Some will be risks to individuals – for example damage caused by inaccurate data or a security breach, or upset caused by an unnecessary intrusion on privacy. Some risks will be to the organisation – for example damage to reputation, or the financial costs of a data breach. Legal compliance risks include the DPA, PECR, and the Human Rights Act.
4. Identifying and evaluating privacy solutions.
Explain how you could address each risk. Some might be eliminated altogether. Other risks might be reduced. Most projects will require you to accept some level of risk, and will have some impact on privacy. Evaluate the likely costs and benefits of each approach. Think about the available resources, and the need to deliver a project which is still effective.
5. Signing off and recording the PIA outcomes.
Make sure that the privacy risks have been signed off at an appropriate level. This can be done as part of the wider project approval. A PIA report should summarise the process, and the steps taken to reduce the risks to privacy. It should also record the decisions taken to eliminate, mitigate, or accept the identified risks. Publishing a PIA report will improve transparency and accountability, and lets individuals learn more about how your project affects them.
6. Integrating the PIA outcomes back into the project plan.
The PIA findings and actions should be integrated with the project plan. It might be necessary to return to the PIA at various stages of the project’s development and implementation. Large projects are more likely to benefit from a more formal review process. A PIA might generate actions which will continue after the assessment has finished, so you should ensure that these are monitored.
Record what you can.
**Download: the Satsafe PIA_Toolkit**
8.0 Training & Awareness
Information Governance training is mandatory and all staff are fully briefed by their line manager as part of the Company’s induction training. All staff are required to read this Privacy Impact Assessment Policy.
9.0 Distribution and Implementation Plan
This document will be made available to all Staff via the Satsafe Limited internet site. A global notice will be sent to all Staff notifying them of the release of this document.
Compliance with the policies and procedures laid down in this document will be monitored via the Information Governance Team, together with independent reviews by both Internal and External Audit on a periodic basis or as required.
The HIG is responsible for the monitoring, revision and updating of this document on a three-yearly basis, or sooner if the need arises.
11.0 Equality Impact Assessment
This document forms part of Satsafe’s commitment to create a positive culture of respect for all staff, clients and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.
As part of its development this document and its impact on equality has been analysed and no detriment identified.
12.0 Updating and Review
12.1 This policy should be reviewed every three years. The IGC will be the mechanism for this.
12.2 Revisions can be made ahead of the review date when the procedural document requires updating. Where the revisions are significant and the overall policy is changed, the author should ensure the revised document is taken through the standard consultation, approval and dissemination processes.
12.3 Where the revisions are minor, e.g. amended job titles or changes in the organisational structure, approval can be sought from the Executive Director responsible for signatory approval, and can be re-published accordingly without having gone through the full consultation and ratification process.
12.4 Any revision activity is to be recorded in the Version Control Table as part of the document control process.
13. Associated Documents
13.1 The following documents will provide additional information:
Further information and useful contacts:
Head of Information Governance (HIG) and Senior Information Risk Officer (SIRO) for Satsafe Limited is:
Lindsey Rhodes – Information Governance Officer – firstname.lastname@example.org
The Information Governance Team are:
Stuart Millward – CEO – email@example.com
Philip Collins – Technical Director – firstname.lastname@example.org
Lindsey Rhodes – email@example.com