The state of the art in privacy impact assessment

Computer Law and Security Review

Volumn 28, Issue 1, 2012, Pages 54-61

  Wright, David ^a  

^a Trilateral Research and Consulting LLP: Trilateral Research Ltd   (United Kingdom)

Author keywords

New data protection framework; PIAF; Privacy impact assessment; Stakeholder consultation; Threshold analysis; Transparency; Trust

Indexed keywords

COMPUTER NETWORKS; TRANSPARENCY;

IMPACT ASSESSMENTS; NEW DATA PROTECTION FRAMEWORK; PIAF; STAKEHOLDER CONSULTATION; THRESHOLD ANALYSIS; TRUST;

SECURITY SYSTEMS;

EID: 84856456490     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2011.11.007     Document Type: Article

References (28)

1. European Commission, A comprehensive approach on personal data protection in the European Union, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, COM(2010) 609 final, Brussels, 4.11.2010. http://ec.europa.eu/ justice/news/consulting-public/0006/com-2010-609-en.pdf.
2. http://www.piafproject.eu.
3. Health Information and Quality Authority, Guidance on Privacy Impact Assessment in Health and Social Care, Dublin, December 2010. http://www.hiqa.ie/resource-centre/professionals.
4. The PIAF project does not include a review of the RFID PIA Framework which was published several months after our consortium submitted its proposal to DG Justice. A copy of the revised RFID PIA Framework can be found here: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180-annex-en. pdf. The Art 29 Working Partys Opinion on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications can be found here: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/ 2011/wp180-en.pdf.
5. Health Information and Quality Authority, Guidance on Privacy Impact Assessment in Health and Social Care, Dublin, December 2010, p. 14.
6. For more on the development of the RFID PIA Framework, see Spiekermann, Sarah, "The RFID PIA e developed by industry, endorsed by regulators"
7. and Beslay, Laurent, and Ann-Christine Lacoste, "Double-take: getting to the RFID PIA Framework", both in David Wright and Paul De Hert (eds.), Privacy Impact Assessment, Springer, Dordrecht, 2012. See also footnote 5 above. Beslay and Lacoste point out that PIA can be "used in two different contexts: in the first case, it represents a possible alternative to the adoption of a specific and binding regulation on RFID, while in the second case, it is part of the regulatory process, as a pre-condition to assess whether legislation is needed."
8. Bräutigam, Tobias, Legal Counsel (Privacy), Nokia Corporation, "PIA: Cornerstone of privacy compliance in Nokia", in Wright and De Hert, op. cit.
9. Deadman, Stephen, and Amanda Chandler, "Vodafones approach to privacy impact assessments", in Wright and De Hert, op. cit. Deadman and Chandler are senior privacy officials at Vodafone Group.
10. Office of the Victorian Privacy Commissioner (OVPC), Privacy Impact Assessments: A guide for the Victorian Public Sector, Edition 2, April 2009, p. 5. http://www.privacy.vic.gov.au/privacy/web2.nsf/pages/publication-types? opendocument&Subcategory=Guidelines&s=.
11. Information Commissioners Office (ICO), Privacy Impact Assessment Handbook, Version 2.0, Wilmslow, Cheshire, June 2009. http://www.ico.gov.uk/for- organisations/data-protection/topic-guides/privacy-impact-assessment.aspx.
12. Canadas Privacy Commissioner, as an example, has referred to the possibility of generic PIAs: "In other cases, as with shared services or system initiatives where entities use the same or similar approaches to the collection, use and disclosure of personal information, generic assessments might be better employed." See Stoddart, Jennifer, "Auditing privacy impact assessments: the Canadian experience", in Wright and De Hert, op. cit.
13. Office of the Information and Privacy Commissioner (OIPC) of Alberta, Privacy Impact Assessment (PIA) Requirements For use with the Health Information Act, January 2009, p. 13. www.OIPC.ab.ca.
14. ICO Handbook, op. cit., 2009, p. 14.
15. Roger Clarke distinguished these different dimensions (or types) of privacy some years ago. See Clarke, Roger, "Whats privacy?", 2006. http://www.rogerclarke.com/DV/Privacy.html.
16. Office of the Privacy Commissioner of Canada (OPC), Assessing the Privacy Impacts of Programs, Plans, and Policies, Audit Report of the Privacy Commissioner of Canada, Ottawa, 2007, p. 9.
17. Section 64 of Albertas Health Information Act 2000 says "(1) Each custodian must prepare a privacy impact assessment that describes how proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individual who is the subject of the information. (2) The custodian must submit the privacy impact assessment to the Commissioner for review and comment before implementing any proposed new practice or system described in subsection (1) or any proposed change to existing practices and systems described in subsection (1)." http://www.canlii.org/en/ab/laws/ stat/rsa-2000-c-h-5/latest.
18. Section 32 of the NZ Immigration Act 2009 explicitly requires that a PIA be conducted if biometric information is processed. It requires PIAs regarding the collection and processing of biometric data to be published on the departments website. See Immigration Act 2009, Public Act 2009 No 51. http://www.legislation.govt.nz/act/public/2009/0051/latest/096be8ed806837b3.pdf.
19. For more on this issue, see Wright, David, "Should privacy impact assessments be mandatory?", Communications of the ACM, Vol. 54, No. 8, August 2011. http://cacm.acm.org/magazines/2011/8.
20. ICO, PIA Handbook, p. 56, p. 58.
21. Clarke Roger, "PIAs in Australia: A work-in-progress report", in Wright and De Hert, op. cit. Clarke cites his earlier article: "Privacy Impact Assessment Guidelines", Xamax Consultancy Pty Ltd, February 1998. http://www.xamax.com.au/DV/PIA.html.
22. "Where some of the information is subject to commercial or security sensitivity, that information can be separated into an appendix, which can be distributed less widely and/or subject to clear confidentiality constraints.. There may be resistance within the organisation to providing some of this information to stakeholders.. On the other hand stakeholder trust needs to be achieved." ICO, PIA Handbook, op. cit., pp. 33-34.
23. Department of Homeland Security, Privacy Impact Assessments: The Privacy Office Official Guidance, Washington, DC, June 2010, p. 7. http://www.dhs.gov/ files/publications/gc-1209396374339.shtm.
24. Waters, Nigel, "Privacy impact assessment e Great potential not often realised", in Wright and De Hert, op. cit.
25. Stewart, Blair, Privacy Impact Assessment Handbook, Office of the Privacy Commissioner, Auckland, June 2007, p. 14. http://privacy.org.nz/privacy-impact- assessment-handbook/.
26. Karol, Thomas J., A Guide To Cross-Border Privacy Impact Assessments, Deloitte & Touche, 2001. http://www.isaca.org/Knowledge-Center/Research/ ResearchDeliverables/Pages/AGuide-To-Cross-Border-Privacy-Impact-Assessments. aspx.
27. Di Iorio, C.T., F. Carinci, J. Azzopardi et al., "Privacy impact assessment in the design of transnational public health information systems: the BIRO project", Journal of Medical Ethics, Vol. 35, 2009, pp. 753-761. http://jme.bmj.com/content/35/12/753.abstract.
28. Stoddart, Jennifer, "Auditing Privacy Impact Assessments: The Canadian Experience" in Wright and De Hert, op. cit.