The Value in Conducting a Privacy Impact Assessment

Presentation transcript:

The Value in Conducting a Privacy Impact Assessment
Rachael Gallagher, Senior Policy Officer, Information Commissioner's Office, 2 December 2014

Introduction
- What is a PIA?
- What is privacy?
- What are the benefits?
- What types of projects?
- Who should be responsible?

Code of Practice
- Privacy by design
- From Handbook to Code of Practice

The PIA process
1. Identify need for a PIA
2. Describe information flows
3. Identify privacy risks
4. Identify privacy solutions
5. Record PIA outcomes, and sign-off
6. Integrate PIA outcomes into project plan

All of the PIA should be capable of being integrated into your own project and risk management tools; tweak as necessary. Throughout all of this, consult with internal, contracted and external stakeholders.

Consultation

Internal stakeholders:
- Project board
- Engineers, developers
- IT
- Procurement
- Comms team
- Frontline staff
- Corporate governance
- Senior management

External stakeholders:
- Suppliers / data processors
- End users
- Data subjects
- Representative groups
- Interest groups
- General public
- Regulators

Consultation should be:
- Timely: at the right stage of the project and with enough time to receive responses
- Clear and proportionate: explicit scope and focus
- Reach and representative: giving a voice to all those likely to be affected
- Objective: ask objective questions and present realistic options
- Fed back: provide information about the result of the consultation

The PIA process, step 1: Identify need for a PIA
- Establish objectives, outcomes and outputs early
- Screening questions
- Management support

You will need clear project objectives, outcomes and outputs to assist. Suggested screening questions will enable any project officer to identify the need for a PIA; the project can then proceed with specialist input. The support of a senior manager will be important for conducting the PIA.

The PIA process, step 2: Describe information flows
- Types of personal data
- Use of those data
- Information asset register
- Data controller?

Give a thorough description of the types of personal data and how they are to be used within the scope of the project. You may already be able to do this if you have an information asset register.

The PIA process, step 3: Identify privacy risks
- Risk management tools/methodology
- ICO guidance
- Other standards and guidance
- Types of risk: individuals, compliance, corporate

You can use existing risk management tools to identify the privacy risks and possible solutions. RAG (red/amber/green) ratings will help you understand each risk better. Guidance from the ICO, professional or trade associations, and other appropriate regulators may be of assistance in understanding what risks there might be in aspects of your project.

- Individual: inappropriate data sharing, function creep, intrusive/honey trap, mass merging of data, impact on vulnerable people/groups
- Compliance: Data Protection Act, PECR, Human Rights and Equalities Acts, legislation specific to the organisation or sector, professional standards and ethics
- Corporate: regulatory actions, fines. Inadequate solutions lead to greater costs. Others avoid engaging with the project. Poor information management reduces business efficiency and leads to mistrust and reputational damage. Compensation claims or other court actions.

The PIA process, step 4: Identify privacy solutions
- Accept
- Reduce
- Eliminate

Any privacy risks should be proportionate to the project's objectives. You can determine that there is a risk but it is low, so accept it; that there is a risk but certain actions could reduce it; or that changing certain aspects could eliminate that risk entirely.

The PIA process, step 5: Record PIA outcomes, and sign-off
- Document status of each risk
- Determine solutions
- Record reasons
- Sign-off
- Publication

Document the status of each risk (accept, reduce, eliminate). Determine which solutions to progress to reduce the privacy risks to an acceptable level, and record the reasons for each decision. Have sign-off at a sufficiently high level, e.g. the project director or another executive director. If the privacy risk assessment is off the chart, this should make the project board question the validity of the project in its current form. Produce a proportionate PIA report; it is good practice to publish it, to make you transparent and to help other organisations at a later date. It is good practice for public authorities to include PIAs in their publication scheme under the Freedom of Information Act.

The PIA process, step 6: Integrate PIA outcomes into project plan
- Recommendations integrated into project plan
- Review PIA at key stages
- Final evaluations

A PIA report is all very well, but its recommendations must be included in the project design to be meaningful. The PIA should be reviewed and refreshed at key stages of the project, particularly where important changes have been made; it could be part of a gateway review, for example. Also evaluate privacy along with the rest of the project once it has been delivered.

Conclusions
- A way of complying with data protection obligations
- A method of good practice
- Can reduce costs
- Publish where appropriate
- Promotes trust

Keep in touch
Information Commissioner's Office, 3rd Floor, 14 Cromac Place, Gasworks, Belfast BT7 2JB.
Tel: 028 90278757 / 0303 123 1114
Email: ni@ico.org.uk
Subscribe to our e-newsletter at www.ico.org.uk or find us at www.twitter.com/iconews