Privacy Impact Assessments.

Privacy Impact Assessments (PIAs) provide a framework to help ensure that privacy is considered throughout the design or redesign of programs or services. The PIA is a resource to clarify the risks and effects of collecting, maintaining and disseminating information, and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. PIAs are also designed to help embed responsible privacy practice and to promote fully informed policy, program and system design choices.

At its core, the PIA is a form of risk management. It enables mitigation of project risks such as:

  • Loss of public trust and credibility as a result of perceived harm to privacy or a failure to meet expectations with regard to the protection of personal information;
  • Retrospective imposition of regulatory conditions as a response to public concerns, with the inevitable cost that this entails;
  • Low adoption rates (or poor participation in the implemented scheme) due to a perception of the scheme as a whole, or particular features of its design, as being inappropriate;
  • The need for system re-design or feature retrofit, late in the development stage, and at considerable expense;
  • Collapse of the project, or even of the completed system, as a result of adverse publicity and/or withdrawal of support by the organisation or one or more key participating organisations; or
  • Compliance failure, through breach of the letter or the spirit of privacy or data protection law (with attendant legal consequences).

When planning a PIA, the responsible executive within the organisation should ensure that all of these possibilities have been considered, and that the organisation seeks an appropriate set of outcomes from the investment.

At an executive level, the objectives for a PIA are:

  • Ensure effective management of the privacy impacts arising from the project;
  • Ensure effective management of the project risks arising from the project's privacy impacts; and
  • Avoid expensive rework and retro-fitting of features, by discovering issues early, devising solutions at an early stage in the project life-cycle, and ensuring that they are implemented.