Doing it by the book

The Information Commissioner’s Office has today announced the latest version of the Privacy Impact Assessment Handbook.  As the title indicates, its purpose is to help organisations to identify and address the privacy risks of their activities.

Following the HMRC data breach in November 2007, the Cabinet Office introduced a requirement for all central Government departments and their agencies to conduct Privacy Impact Assessments (PIAs) when developing new systems. The ICO encourages all organisations to incorporate data protection safeguards into any new project involving personal information.

The handbook is in two parts: Part I (the first two chapters) gives an overview of the PIA process, with detailed information about privacy, common risks, and possible solutions; Part II then gives a practical guide to conducting a PIA.  There are also four appendices, with examples of screening questions, checklist templates, and privacy strategies.

The handbook should help organisations to make reasoned judgments about the privacy implications of new projects or technological innovations. Some of the recommendations may overlap with privacy work already being done by organisations. A PIA does not have to be conducted as a totally separate exercise; indeed, it may be helpful to look at privacy issues in a broader policy context.

Many thanks to Andrew Smith, currently a pupil at 11KBW, for researching this post and preparing a first draft.