The PIAF project has come to an end. Since January 2011, for 22 months, the consortium comprising Vrije Universiteit Brussel – Research Group on Law, Science, Technology & Society (VUB-LSTS), Trilateral Research & Consulting LLP and Privacy International has conducted research on privacy impact assessment for the European Commission’s Directorate-General Justice.
On the occasion of publication of the final deliverable on the recommendations for a PIA policy for the EU (December 2012), edited by Paul De Hert, Dariusz Kloza and David Wright, the consortium has issued the following press release:
PIAF consortium releases final report:
Privacy impact assessments should be mandatory and engage stakeholders
19 Dec 2012
Privacy impact assessments should be mandatory and must engage stakeholders in the process, says a consortium in its final report to the European Commission after a multi-country research project.
The 22-month PIAF project was co-funded by the European Union under its Fundamental Rights and Citizenship Programme and undertaken by a consortium comprising the Vrije Universiteit Brussel (VUB), Trilateral Research & Consulting and Privacy International. PIAF is the acronym for Privacy Impact Assessment Framework for data protection and privacy rights.
The consortium defines a privacy impact assessment (PIA) as “a process for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise the negative impacts”.
Although privacy impact assessment has a history going back to the early to mid-1990s in countries such as Australia, Canada, New Zealand and the US, it is a relatively new concept in Europe. The UK Information Commissioner’s Office produced the first PIA Handbook in Europe in 2007. Most recently, the European Commission made a provision for PIA (or data protection impact assessment, as it calls it) in Article 33 of the proposed Data Protection Regulation, which it released officially in January 2012.
The PIAF consortium addresses recommendations to policy-makers as well as those undertaking PIAs. Among its key recommendations are these:
- The obligation to carry out a PIA when there is a likelihood of risk to the protection of privacy and personal data should have a firm legal basis. However, the legal obligation should not preclude other incentives for carrying out a PIA, in particular the benefits of PIA, from being identified and communicated to organisations.
- A PIA should be carried out for projects sponsored by more than one organisation as well as for projects with a trans-border dimension, at least if they have significant privacy implications.
- A PIA should be regarded and carried out as a process and not only as a single task aimed at completing a report. A PIA process starts early and continues throughout the life cycle of the project.
- A PIA policy should allow organisations to carry out a PIA appropriate to their own circumstances. The policy should allow scalability of the PIA process.
- A PIA should address all types of privacy and not only the protection of personal data.
- A PIA process should enjoy at least a minimum level of transparency. Both the assessor and stakeholders must have all relevant information to assess the privacy and data protection implications of a proposed project. Organisations should generally make PIAs publicly available, e.g., publish them on their websites. However, for PIAs genuinely involving national security or commercially sensitive information, the organisation could publish a summary or a redacted PIA.
- Organisations undertaking a PIA should identify and inform stakeholders, as representative as possible, including the public, if applicable, about the PIA process. Organisations should seek stakeholders’ views and take them into consideration. A PIA policy should provide explicit mechanisms for stakeholder consultation.
- Risk management and checking legal compliance are core elements of PIA. To that end, effective procedures for risk management should be identified and/or developed. Residual risks should be justified.
- An organisation should be able to demonstrate that a PIA has been carried out adequately. A PIA process should be subjected to external review and/or audit. Independent third-party reviews and/or audits are critical to ensure that a PIA was properly carried out and its recommendations implemented. Audits and reviews are a function of the principle of accountability and lead to improvements in PIA practice.
“The final deliverable of the PIAF project constitutes an important contribution to the research on PIAs in Europe,” said Paul De Hert, project co-ordinator. The report builds upon the project’s two previous deliverables, the first of which was a review of PIA policies and practices in seven countries and the second, on the factors affecting the adoption of a PIA policy in the EU Member States.