Privacy & Information Security Law Blog

On August 6, 2013, the UK Information Commissioner’s Office (“ICO”) opened a new consultation on a draft code of practice on conducting privacy impact assessments (the “Code”).

Under the UK Data Protection Act 1998 (the “DPA”), organizations are not subject to any statutory requirements to conduct privacy impact assessments (“PIAs”). However, PIAs are a useful practice tool to help organizations manage their compliance with key principles of the DPA, including fair and lawful processing, purpose limitation, data quality and minimization, security safeguards, international data transfers, and individuals’ rights in relation to their personal data. The ICO highlights a number of potential benefits to organizations that choose to conduct PIAs, including possible costs savings by identifying compliance problems at an early stage, raising awareness of data protection issues throughout the organization by updating PIAs, and building trust with customers by publicizing PIAs.

PIAs are becoming more widely used by organizations and increasingly are expected by the ICO and other data protection authorities to demonstrate an organization’s compliance efforts. Further, the European Commission’s proposed General Data Protection Regulation would introduce mandatory PIAs where a processing activity raises specific risks to the rights and freedoms of individuals (e.g., processing genetic or biometric data or large-scale video surveillance). Given the more widespread, current focus on PIAs, the Code also may be of interest to organizations and regulators outside of the UK.

The Code highlights the following key stages in conducting a PIA:

• identify the need for a PIA;
• describe the information flows;
• identify privacy and related risks;
• identify privacy solutions;
• sign off on and record the PIA outcomes;
• integrate the outcomes into the project plan; and
• consult with internal and external stakeholders as needed throughout the process.

The ICO intends its PIA methodology to be sufficiently flexible so that it may be integrated with an organization’s existing practices. The aim of the methodology is not just to flag compliance with the requirements of the DPA, but also to address privacy issues more generally, including the expectations of affected individuals and the level of interaction between individuals and the organizations that are processing their personal data.

The Code will replace the current PIA Handbook. To submit a response to the consultation, visit the ICO’s consultation webpage and complete the consultation response document. The Code is open to public consultation until November 5, 2013.