On February 25, 2014, the UK Information Commissioner’s Office (“ICO”) published an updated code of practice on conducting privacy impact assessments (“PIAs”) (the “Code”). The updated Code takes into account the ICO’s consultation and research project on the conduct of PIAs, and reflects the increased use of PIAs in practice.
Under the UK Data Protection Act 1998 (the “Act”), organizations are not subject to any statutory requirement to conduct PIAs. However, the ICO promotes PIAs as a useful good practice tool to help manage compliance with key obligations under the Act, including fair and lawful processing, purpose limitation, data quality and minimization, security safeguards, international data transfers, and individuals’ rights in relation to their personal data. In the ICO’s view, organizations that choose to conduct PIAs are better able to identify data protection compliance issues early on, thereby avoiding potential costs and associated reputational damage that might otherwise occur. The ICO also emphasizes that PIAs are an “integral” part of privacy by design. Even if a detailed PIA is not required by law, the ICO recommends that organizations nevertheless conduct a legal compliance check against the requirements of the Act.
The ICO considers its PIA methodology to be sufficiently flexible, so it can be used by all types of organizations and be integrated with existing compliance practices. The Code emphasizes that there is no one-size-fits-all approach for PIAs, and that each organization is “best placed to determine how it considers the issue of privacy risks,” emphasizing that “conducting a PIA does not have to be complex or time consuming but there must be a level of rigor in proportion to the privacy risks arising.” The Code stresses that consultation is an important part of a PIA. In particular, effective internal consultation is key; without the involvement of relevant stakeholders, privacy risks are likely to remain unmitigated.
The Code provides examples of the types of projects that may benefit from a PIA, including new IT systems, data sharing initiatives, profiling, surveillance systems and using existing personal data for new and unexpected (or potentially intrusive) purposes. Annex 1 to the Code provides example screening questions that organizations may use to determine whether a substantive PIA is required, including questions relating to new uses of existing data sets, and the use of technologies that may be perceived as being particularly invasive (for example, facial recognition technology). Annex 3 provides example PIA questions linked to the eight Data Protection Principles contained in the Act. For example, for Principle 3 (personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed), the Code suggests asking, “[w]hich personal data could you not use, without compromising the needs of the project?”
Finally, the ICO encourages organizations to publish their PIAs to improve transparency and to improve individuals’ understanding of the ways in which their personal data are used.