The state of the art in privacy impact assessment

https://doi.org/10.1016/j.clsr.2011.11.007

Abstract

There is growing interest in Europe in privacy impact assessment (PIA). The UK introduced the first PIA methodology in Europe in 2007, and Ireland followed in 2010. PIAs provide a way to detect potential privacy problems, take precautions and build tailored safeguards before, not after, the organisation makes heavy investments in the development of a new technology, service or product. This paper presents some findings from the Privacy Impact Assessment Framework (PIAF) project and, in particular, the project's first deliverable, which analyses the similarities and differences between PIA methodologies in Australia, Canada, Hong Kong, Ireland, New Zealand, the United Kingdom and the United States, with a view to picking out the best elements which could be used in constructing an optimised PIA methodology for Europe. The project, which began in January 2011, is being undertaken for the European Commission's Directorate General Justice. The first deliverable was completed in September. The paper provides some background on privacy impact assessment, identifies some of its benefits and discusses elements that can be used in construction of a state-of-the-art PIA methodology.

Introduction

The European Commission is expected to issue its proposed revisions to the data protection framework in early 2012. A draft of the proposed Data Protection Regulation was leaked in December 2011. It contains an article which makes a data protection impact assessment mandatory “where those processing operations are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes”. The article sets out examples of such risks, which include “an evaluation of personal aspects relating to a natural person… information on sex life, health, race and ethnic origin… video surveillance… genetic data or biometric data… or other processing operations for which the consultation of the supervisory authority is required”. The Commission had already announced its intention to make data protection impact assessments mandatory in its Communication of 4 November 2010.

In January 2011, a year before the release of the draft Regulation, work began on the Privacy Impact Assessment Framework (PIAF) project, which is being undertaken for the Commission's Directorate General Justice by a consortium comprising Vrije Universiteit Brussel (VUB), Trilateral Research and Consulting, and Privacy International. The objective of the project is to provide a review and analysis of privacy impact assessment methodologies in Australia, Canada, Hong Kong, New Zealand, the UK and US and to make recommendations for an optimised privacy impact assessment framework for Europe, i.e., we aim to take the best elements of existing PIA policies and practices, and commend those to European policy-makers.

We have completed work on our first deliverable, which can be found on the consortium's website. The first deliverable reviews PIA policies and practices in the six above-mentioned countries plus Ireland as well as 10 case studies of PIA reports. The report also has a set of conclusions which identifies the benefits to organisations of undertaking privacy impact assessments and some of the best elements we have found in our review of existing policies and practices.

The PIAF report represents the state of the art in privacy impact assessment. To our knowledge, it is the most complete compendium and analysis of PIA methodologies, policies and practices yet compiled.

Section snippets

Definition

There are various definitions of PIA, but we define a privacy impact assessment as a methodology for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise negative impacts. A PIA is more than a tool: it is a process which should begin at the earliest possible stages, when there are still opportunities to influence the outcome of a

Benefits

A PIA has often been described as an early warning system. It provides a way to detect potential privacy problems, take precautions and build tailored safeguards before, not after, the organisation makes heavy investments. The costs of fixing a project (using the term in its widest sense) at the planning stage will be a fraction of those incurred later on. If the privacy impacts are unacceptable, the project may even have to be cancelled altogether. Thus, a PIA helps reduce costs in management

Elements in good policy and practice

The extent to which an organisation can achieve these and other benefits depends on the elements that go into the construction of a PIA policy and practice. From our review of PIA in the seven aforementioned countries, we have identified various elements that should be included in a PIA framework for Europe. Among them are the following:

Conclusion

Our review of PIA methodologies and reports shows that there are similarities as well as differences in privacy impact assessment policies among the seven countries – Australia, Canada, Hong Kong, Ireland, New Zealand, the UK and the US. Europe can benefit from their experience by drawing upon their best elements to create its own state-of-the-art PIA policy and practice. This paper has presented some of the elements that can be used to construct an optimised PIA. As the European Commission has

Acknowledgement

This paper is based on research partly supported by a project funded by the European Commission's Directorate General Justice under its Fundamental Rights & Citizenship Programme (Grant Agreement No. JUST/2010/FRAC/AG/1137 – 30-CE-0377117/00-70). The views expressed are those of the author alone and are not intended to reflect those of the Commission nor those of the PIAF consortium. The author presented an early version of this paper at the International Data Protection Conference, held in

David Wright is Managing Partner of Trilateral Research & Consulting, London. He is co-editor, with Paul De Hert, of Privacy Impact Assessment, Springer, Dordrecht, 2012.
