3

Country-Specific Guidelines for Conducting a Privacy Impact Assessment

Executive Summary

We came across some useful information from several sources and have combined it into the summary below on the topic of Country-specific guidelines for conducting a Privacy Impact Assessment. Please refer to the original sources below for more detailed information.

The Privacy Impact Assessment (PIA) is not a universally consistent measure between different countries, or even within countries.[1] As such, various countries' governmental healthcare offices offer policy guidelines on conducting PIAs, some of which can be found under the headings below:

 

 

Contact Organizations:

 

We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.



Australia

In Australian healthcare, the Guide to undertaking Privacy Impact Assessments (PIA Guide) has been prepared by the Office of the Australian Information Commissioner (OAIC) to describe a process for undertaking a privacy impact assessment (PIA). The PIA Guide is intended to provide guidance to all Australian Privacy Principle (APP) entities.[2]

Undertaking a PIA can assist entities to:

  • describe how personal information flows in a project
  • analyze the possible impacts on individuals’ privacy
  • identify and recommend options for avoiding, minimising or mitigating negative privacy impacts
  • build privacy considerations into the design of a project
  • achieve the project’s goals while minimising the negative and enhancing the positive privacy impacts.

 

APP 1 requires APP entities to take reasonable steps to implement practices, procedures, and systems that will ensure compliance with the APPs and enable them to deal with inquiries or complaints about privacy compliance. In this way, the APPs require ‘privacy by design’, an approach whereby privacy compliance is designed into projects dealing with personal information right from the start, rather than being bolted on afterward. Conducting PIAs helps entities to ensure privacy compliance and identify better practice.

The PIA Guide sets out a suggested ten step process for undertaking a PIA. It can be used alongside existing project management and risk management methodologies or as a process in its own right. When considering the PIA process both government agencies and private-sector organizations could consider whether the process set out in this Guide could be adapted to suit specific business needs or functions of the entity. While different entities might use different processes when they undertake PIAs, ideally these processes will address each of these steps in some way.[2]


Canada

With respect to Canadian healthcare legislation, the guidelines are intended to provide a comprehensive framework for the completion of a Privacy Impact Assessment (PIA). They convey practical advice on the application of the Government of Canada's Privacy Impact Assessment Policy.

A PIA is a process that helps departments and agencies determine whether new technologies, information systems, and initiatives or proposed programs and policies meet basic privacy requirements. It also assists government organizations to anticipate the public's reaction to any privacy implications of a proposal and, as a result, could prevent costly program, service, or process redesign.

A checklist to determine when to do a PIA:

  1. Are you:
    • Designing a new program or service
    • Making significant change to an existing program or service, or
    • Converting from a conventional service delivery mode to an electronic service delivery mode and you have outstanding privacy issues and no PIA?
  2. Does the program require you to:
    • Collect, use, or disclose any personal information, such as names, addresses, age, an identifying number, educational, medical or employment history, etc.?
  3. Will the program require that you: 
    • Collect, use or disclose more personal information or more sensitive personal information than in the past? Are you shifting from informed consent to indirect collection of personal information?
  4. Will it be necessary to:
    • Develop mechanisms to notify individuals about their privacy rights or to obtain the consent of individuals to collect, use and/or disclose their personal information?
  5. Will the program require you to:
    • Collect personal information from other programs within your institution, other institutions, other governments or the private sector?
  6. Will the personal information generated by the program be:
    • Used in decision-making processes that directly affect individuals, such as eligibility for programs or services or in enforcement activities?
  7. Will the personal information generated by the program be: 
    • Used for any other purposes, including research and statistical purposes?
  8. Will the personal information generated by the program be:
    • Shared with any other organizations for any purposes other than for which it was originally collected?
  9. Are you introducing:
    • New common client identifiers or are using the SIN without any legislative authority?
  10. Do you anticipate that:
    • The public will have any privacy concerns regarding the proposed program or service?
  11. Are you introducing:
    • Changes to the business systems or infrastructure architecture that affect the physical or logical separation of personal information or the security mechanisms used to manage and control access to personal information?

The Privacy Impact Assessment Guidelines are based upon the universal privacy principles identified in the Canadian Standards Association's Model Code for the Protection of Personal Information in addition to federal privacy legislation and policies.

The PIA process is similar to a continuous risk management approach and includes planning, analysis, and education activities and has four core components:

  • Project initiation
  • Data flow analysis
  • Privacy analysis
  • Privacy impact analysis report

 

Conducting a PIA is a cooperative process that brings together a variety of skill sets to identify and assess privacy implications. The PIA process is meant to be adapted to fit a particular departmental application.

A choice of two questionnaires is provided in the Privacy Analysis section, one to accommodate federal programs and services and a second designed for cross-jurisdictional initiatives.[3]

Step 1: Project Initiation
 
  • One of the first steps is to determine the scope of the PIA and to adapt the tools provided in the guidelines to the context.
  • If the initiative is at the early concept or design stage and detailed information is unknown, then departments and agencies should consider conducting a Preliminary Privacy Impact Assessment (Preliminary PIA). Once the initiative evolves and there are privacy risks, departments and agencies are required to conduct a full PIA.
  • Preliminary PIAs may also be conducted in unusual cases where upon reviewing the policy and guidelines and obtaining expert advice, the need for a PIA remains ambivalent.
  • A PIA is a dynamic process and as design changes occur in the business processes, the PIA should also be reviewed and updated.
 
Step 2: Data Flow Analysis
 
  • This activity involves a description and analysis of the business processes, architecture and detailed data flows contemplated for the proposal. The purpose of this step is to depict the personal information flows.
 
Step 3: Privacy Analysis
 
  • The privacy analysis examines the data flows in the context of applicable privacy policies and legislation. Questionnaires are used as a checklist that facilitates the identification of major privacy risks or vulnerabilities associated with the proposal.
  • There are two sets of questionnaires provided in the guidelines. Please refer in the Annexes to Questionnaire A for federal programs and services and to Questionnaire B for cross-jurisdictional initiatives.
 
Step 4: Privacy Impact Analysis Report
 
  • Building upon the outcomes from the previous steps, this is the final and most critical component of the privacy impact assessment process. This is a documented evaluation of the privacy risks and the associated implications of those risks along with a discussion of possible remedies or mitigation strategies.
  • The PIA report is designed as an effective communications tool used by a variety of stakeholders.

 

Common privacy risks associated with improved service delivery

  • Data profiling/data matching
    • Combining unrelated personal information obtained from a variety of sources to create new information about an individual or using information about an individual's preferences and habits to build a profile on the individual.
  • Transaction Monitoring
    • Observing or tracking the history of an individual's interaction with one or more programs or services. This usually results in the creation of new personal information describing an individual's overall experience with one or more programs.
  • Identification of Individuals
    • Electronic service delivery generally requires identification of an individual and authentication of their identity as a way of managing security risks. Surveillance risks exist where the use of common identifiers or identification systems facilitate data sharing, profiling or transaction monitoring.
  • Physical observation of individuals
    • Tracking the movement or location of an individual through the use of vehicle transponders, satellite locators, cameras or mechanisms for recording an individual's use of kiosks.
  • Publishing or re-distribution of public databases containing personal information
    • Electronic publishing frequently eliminates practical limits on the misuse of information, as it can be easily manipulated and used for purposes entirely unrelated or is intended use in manual form.
  • Lack or Doubtful Legal Authority
    • Failure to identify clear program authority to collect, use or disclose personal information raises concerns about whether an initiative should be undertaken on both the privacy front and with respect to the Charter of Rights and Freedoms Act.[3]

Ireland

The PIA process involves the evaluation of broad privacy implications of projects and relevant legislative compliance. Where potential privacy risks are identified, a search is undertaken, in consultation with stakeholders, for ways to avoid or mitigate these risks. There are four stages in the PIA process as follows:

  • Stage 1 requires the project team to answer a number of questions about the project to determine if it presents any potential privacy risks. The answers to the questions determine if it is necessary to proceed with the PIA process. This is called a Threshold Assessment
  • Stage 2 involves identifying the privacy risks through exploring the scope, information flows and security arrangements of the project.
  • Stage 3 deals with addressing the risks identified in Stage 2. This is achieved firstly through analyzing and assessing them and then looking at ways to avoid them or mitigate them through privacy enhancements.
  • Stage 4 - the output of the PIA process is a PIA report containing the details of each of the three above elements, where appropriate. The PIA report should be publicly available.[4]

Recommendations for completing a PIA include:

  1. A legally binding contract of confidentiality is put in place between the hospital and the external auditor that details in full the obligations of the auditor in terms of confidentiality and protecting the privacy of service users. This will place the same duty of confidentiality on the external auditor as those conferred on health professionals by professional codes of practice
  2. That the hospital’s statement of information practices is updated to include this change to the clinical audit process, thus keeping service users informed of the way in which the hospital uses their information
  3. Clear terms of reference are set for each clinical audit, indicating the information that will be necessary to complete it, with particular emphasis on the need to access patient healthcare records. These terms of reference will be adhered to by the hospital and the external auditor at all times[5]

The Health Information and Quality Authority is the independent Authority which was established under the Health Act 2007 to drive continuous improvement in Ireland’s health and social care services. The Authority was established as part of the Government’s overall Health Service Reform Programme.[6]


New Zealand

New Zealand organizations are employing privacy impact assessments for significant new initiatives involving the handling of personal information. Achieving and maintaining public trust in electronic service delivery is a key challenge for e-government and e-commerce. Failure to give informed consideration to privacy issues when embarking on new projects could be an expensive mistake. A privacy impact report will fill a gap in the knowledge of decision-makers and enable them fully to get to grips with the issues at the right time - before decisions are taken.

A number of skills are valuable in conducting a privacy impact assessment

  • Policy development skills - including business-specific policy experience, broad strategic policy, and planning skills and consultation skills.
  • Operational program and business design skills - to examine proposals for the operational flow of the business, and analyze the feasibility, practicality, and efficiency of relevant aspects of the project and the responses to the privacy risks.
  • Technology and systems expertise - in the design attributes and operation of, for instance, mainframe and legacy systems, networking products, new Internet tools, system security, customer interface systems, financial or transactional settlement systems, or biometric tools.
  • Risk and compliance analysis skills - such as those associated with comprehensive financial and due diligence audits, and the emerging specialties related to computer system vulnerabilities.
  • Procedural and legal skills - relating to project authority, use of personal information, legal and institutional oversight mechanisms, statutory, regulatory and contractual options and potential legislative conflicts where several laws or jurisdictions are involved.
  • Information privacy and data protection expertise - relating to the Act, national or sectoral privacy laws in other jurisdictions, privacy provisions in relevant applicable statutes, national and international privacy standards, privacy enhancing technologies and current privacy developments.

 

Competent privacy expertise can be accessed in New Zealand and Australia and may be brought in even when most of the work will be done by the project team. The assessor will work closely alongside the project team to fully understand the business, the project, the risks and the appropriate responses. Where the PIA is solely undertaken internally, thought should be given to incorporating some external or independent oversight. One possibility is to use a privacy or data protection consultant to carry out such a check.

PIA may be desirable to assess and address risks:

  • Arising from a new technology or the convergence of existing technologies (for instance, intelligent transportation systems, person-location or person-tracking using cellular or GPS technologies, combining face-recognition and CCTV)
  • Where a known privacy-intrusive technology is to be used in new circumstances (for instance, expanding data matching or drug testing, installing video surveillance in a workplace)
  • In a major endeavour or change in practice with significant privacy effects (for example, the merging of major public registries into a "super registry", the adoption of new forms of required ID, shared access to other organizations' electronic databases).[7]

United Kingdom

Conducting a PIA is not a legal requirement of the DPA. The ICO promotes PIAs as a tool which will help organizations to comply with their DPA obligations, as well as bringing further benefits. Carrying out an effective PIA should benefit the people affected by a project and also the organization carrying out the project. Whilst a PIA is not a legal requirement the ICO may often ask an organization whether they have carried out a PIA. It is often the most effective way to demonstrate to the ICO how personal data processing complies with the DPA.

PIA terminology often refers to a project as the subject of a PIA and this should be widely construed. A PIA is suitable for a variety of situations:

  • A new IT system for storing and accessing personal data.
  • A data sharing initiative where two or more organizations seek to pool or link sets of personal data.
  • A proposal to identify people in a particular group or demographic and initiate a course of action.
  • Using existing data for a new and unexpected or more intrusive purpose.
  • A new surveillance system (especially one which monitors members of the public) or the application of new technology to an existing system (for example adding Automatic number plate recognition capabilities to existing CCTV).
  • A new database which consolidates information held by separate parts of an organization.
  • Legislation, policy or strategies that will impact on privacy through the collection of use of information, or through surveillance or other monitoring.[8]