(Published in (2001) 7 Privacy Law & Policy Reporter 176)
Recent experience of carrying out Privacy Impact Assessments has reinforced some lessons I had already learnt from previous work. I have always taken the view that there is nothing particularly new or radical about PIAs - it is just a new name for a technique of assessment which privacy regulators and consultants have been performing for years. It is essentially just a systematic appraisal of the privacy implications of a new proposal. Some appraisals are limited to assessing compliance with specific privacy rules or standards, but others range more widely over all privacy issues of concern to affected individuals, whether or not they are currently subject to privacy law. The concept of a PIA owes much to the well-established tool of Environmental Impact Assessments (EIAs).
PIAs differ from privacy audits in that audits are generally after-the-event assessments of how an organisation is complying with existing rules. PIAs are prospective - they assess how a proposal would comply with rules, or, more commonly, what privacy issues a proposal will raise, including but not limited to compliance issues. PIAs can also identify an appropriate role for privacy enhancing technologies (PETs) which can give individuals a measure of control over their personal information.
From the consultant's perspective, there are obvious difficulties in relation to who the actual client is. PIAs will often have been commissioned at the request, or insistence, of a third party, such as a privacy regulator. A PIA is always going to be more in the interests of third parties - ultimately the affected public - than in the interests of the scheme proponent. It might be better if PIAs were always commissioned and paid for by a relevant third party, to avoid the pressure for 'divided loyalties' that inevitably arises when the client may be disadvantaged by a full and frank disclosure of all privacy implications.
On the other hand, having the scheme proponent as the client should in theory force them to take the exercise seriously. If it is a purely external exercise, there is a risk that the scheme proponent will only ever view the PIA as an unwelcome hurdle to be jumped. There will be no sense of ownership and little if any internalization of the privacy considerations. However, in my experience these remain largely theoretical benefits - having the scheme proponent directly commission and manage the PIA consultancy does not guarantee commitment, particularly at senior management level. My conclusion is that in order to realise these potential benefits, it would be necessary to have an internal 'champion' for the PIA at a sufficiently high level and with sufficient enthusiasm for and understanding of the objectives.
Since this condition is unlikely to be met, on balance I favour the commissioning of PIAs by someone other than the scheme proponent, although a minimum level of co-operation must be assured.
These are questions that are best asked (in the government context) by a relatively disinterested central agency (or third party) rather than by an executive agency with a direct stake in the answer to such questions. And yet the machinery of government and its decision making processes do not readily accommodate the asking, and answering, of fundamental questions at such an early stage. Too often, as is also evident from the experience of environmental impact statements, an enormous momentum has built up behind a scheme, with many people seeing it as critical to their future career path, by the time the EIS - or PIA - is commissioned. At that point, the best that can realistically be expected is that the PIA findings will have a marginal influence on the scheme design.
That is not to say that a PIA, even when carried out later in the evolution of a scheme, cannot make a valuable contribution. There may well be options for the detailed design and implementation of a scheme which are much less privacy intrusive than others, and procedural safeguards which can compensate for those privacy negatives which must remain. Often at this level the scheme proponent will be genuinely 'neutral' and will be happy to incorporate the privacy-preferable options and features.
It will often be the case that some of the most significant privacy issues are outside the direct control of the scheme proponent. They will involve, for instance, the extent to which other organizations will see new or enhanced data sets or technical capabilities as an attractive resource for other purposes, leading to 'function creep'. The scheme proponent will argue vigorously that since these effects are hypothetical and in any case subject to subsequent separate decision-making processes, they should not be taken into account. But from the consultants' perspective, they are fundamental to the privacy impact. To properly assess them the consultants require access to other organizations, but those organizations will often be reluctant to co-operate, even if the client agrees to allow them to be approached.
For all these reasons, PIAs will usually require more time and effort than the client expects, and it is important not to allow the necessary retrospective analysis to be 'squeezed out' in pricing and contract negotiations.
There will also be a tendency for scheme proponents to delay publication of the PIA report as long as possible in the hope that it will be too late to make major changes. This approach of course betrays a lack of commitment to the objectives of the PIA, already discussed above. It would be gratifying to see a recognition that privacy issues, particularly in high profile sensitive schemes, are going to come out sooner or later and that sound risk management principles favour early and open discussion and resolution.
Whoever pays for the PIA (and it will usually be the scheme proponent), the contract should give the consultants sufficient flexibility to go wherever their enquiries lead them, talk to all relevant stakeholders, and give a full, frank and unbiased assessment. How a client chooses to use a PIA report is, in the end, up to them, but the report itself must retain its integrity and not be edited to present only the more acceptable findings.