The PIA as a tool for stakeholder focus on privacy
How do you maintain stakeholder focus on privacy in the course of the data lifecycle? I discussed the answer to this question at last Thursday’s Philippine Data Privacy Forum organized by Asian Legal Business.
My answer: the Privacy Impact Assessment (PIA) process can be a useful tool in ensuring stakeholder focus.
Just what is a PIA? It is a process that helps an organization identify and reduce the privacy risks of a project. I use the term “project,” but this could be a new policy, new equipment or software to be used, or a new product to be rolled out. What the PIA does is guide the organization in planning and reviewing the implementation so that privacy risks are identified and addressed—either by eliminating the risks altogether or by mitigating their effects.
The PIA is widely used in other jurisdictions, but not all data protection authorities require that one be conducted. In our case, the National Privacy Commission (NPC) has two issuances touching on the PIA. In NPC Circular 16-01, the NPC requires a PIA for government agencies processing personal data. According to the NPC, the PIA should be consistent with the size and sensitivity of the personal data being processed and the risk of harm from unauthorized processing of personal data. On the other hand, NPC Circular 16-03 on personal data breach management refers to a PIA as one of the safeguards for ensuring security against a breach. I have not seen an NPC circular explicitly mandating a PIA for the private sector, but the NPC website says as much (see how the drafting of a Privacy Manual is discussed at https://privacy.gov.ph/creating-a-privacy-manual/).
Why do I think the PIA works well in maintaining stakeholder focus on privacy? Well, we can look at the PIA as a guide—or a checklist—that will help an organization identify what factors in their project are crucial to ensuring that the privacy of clients/users is protected.
For one, the PIA process is thorough. A PIA looks at all aspects of the data flow at the different phases of the project. Consultation is built in at different stages—at the beginning, at the midpoint, or after completion of the project, where it serves as a tool for review.
The PIA is also accessible. It may be done with the help of experts, or staff can do it on their own (as long as the organization has adopted a well-designed PIA template). The PIA can be conducted by either management or staff (but a good mix of representatives from both would be ideal). It allows PIA participants or stakeholders to highlight issues based on their own area of interest or expertise. This is crucial because it is rarely the case that an organization has one person who knows all aspects of its operations.
Finally, the PIA is flexible. It can be integrated into the organization’s existing approach to managing projects or its operations. As I said before, the PIA can also be done at the beginning, middle, or end.
Material produced by the UK Information Commissioner’s Office (ICO) lists the following steps for a PIA process:
Identify the need for a PIA.
Describe the information flow.
Identify the privacy and related risks.
Identify privacy solutions.
Sign off and record PIA results.
Integrate the insights into the project plan.
The first step is very important because a PIA is not needed if the undertaking does not involve personal data. It is also very important to record the PIA results, since the results will be invaluable at the time of review. After all, you can only know whether something was done or not done if you have a list of the things that were supposed to be done. In some jurisdictions, the PIA results are posted on the organization’s website to inform the public of the possible privacy ramifications of its projects. In the Philippines, this is not a requirement.
Finally, the recorded PIA results will also help an organization show the NPC that it has been taking steps to protect personal data. This will be important if the organization is unlucky enough to suffer a data breach or security incident.
A PIA can be full-scale or small-scale. A full-scale PIA is always recommended at the beginning of any project. Organizations can choose to do small-scale PIAs at certain points of the project as a way of checking whether the privacy risks identified are being addressed, or even whether the privacy risks have changed. Why is this regular checking-in important? There are usually three kinds of change that have an impact on a project: changes in laws, changes in technology, and changes in practices. These changes are not always visible to the people implementing the project.
I capped my presentation by bringing the discussion to what I feel is the more important consideration: We say that it is important to maintain the focus of the stakeholders on privacy throughout the data lifecycle. WHY?
Because privacy is a fundamental human right. And we violate this right when we are careless with our clients’/users’/public’s personal data. In our rush to comply with privacy laws, there is a danger of overlooking this.