How do we identify and assess risks to privacy?

A privacy impact assessment (PIA) is a technique that may be used to identify the privacy risks and issues associated with any new initiative that involves the use of personal information.

PIAs are widely used around the world and allow stakeholders to identify and foresee potential privacy impacts so solutions can be designed into an initial project or programme.

Although there is no legal requirement to conduct a PIA when embarking on a new initiative in this country, the process is strongly promoted and advocated by the Information Commissioner’s Office. It is seen as a useful method for understanding the risks that activities may pose to individual privacy and the subsequent risks to the reputation, finances and operations of an organisation.

A review of Privacy Impact Assessment Reports details PIAs that have been conducted on large-scale national initiatives or legislation changes. However, they are equally applicable for projects that are initiated within public authority services, partnership activities, policy development and implementation proposals, system design or changes to data collection and management.

In short, any activity that may have an impact on individual privacy should have a PIA carried out before its implementation.

Things to think about

  • Do you need to do a PIA?
  • What scale of PIA do you need to do?
  • What preparation do you need to do?
  • How will you conduct the PIA and involve your stakeholders?
  • How will you ensure identified risks are managed appropriately?
  • How will you feed back your results?

Further reading

Privacy impact assessment – Information Commissioner’s Office

Privacy impact assessment code of practice – Information Commissioner’s Office

Privacy impact assessment overview – Information Commissioner’s Office (PDF)