London, UK (PRWEB) October 16, 2011
At a meeting in Brussels this week, the PIAF research consortium presented a report to data protection authorities outlining the benefits of an “optimised” privacy impact assessment (PIA) methodology for protecting the privacy of Europeans. The methodology could be used by any organisation, from government departments to private sector companies, that processes personal data.
PIA has been used in Australia, Canada and the United States for the past 10 years or more, but is relatively new to Europe. The UK’s Information Commissioner’s Office was the first to publish a PIA Handbook in Europe in December 2007. The Irish Health Information and Quality Authority was the second to do so, in December 2010. An industry-developed PIA framework for RFID was endorsed by European regulators in February 2011.
The report defines a privacy impact assessment (PIA) as a methodology for assessing the impacts on privacy of a project, technology, service or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise the negative impacts.
The European Commission is widely expected to propose that PIA be mandatory when it introduces its revisions to Europe’s data protection regulatory framework in early 2012. In its Communication of 4 November 2010, the European Commission said it was considering “an obligation for data controllers to carry out a data protection impact assessment in specific cases, for instance, when sensitive data is being processed, or when the type of processing otherwise involves specific risks, in particular when using specific technologies, mechanisms, or procedures, including profiling or video surveillance.”
The new report, prepared by a consortium of Vrije Universiteit Brussel (VUB), Trilateral Research & Consulting, and Privacy International, identifies benefits to organisations, their employees, contractors, customers, citizens and regulators of using PIA. The report says PIA provides a way to detect potential privacy problems, take precautions and build tailored safeguards before, not after, a company or government agency makes heavy investments in developing a new technology or service. It helps an organisation to avoid costly or embarrassing privacy mistakes.
“In the event of an unavoidable privacy risk or breach occurring, the PIA report can provide evidence that the organisation acted appropriately in attempting to prevent the occurrence. This can help to reduce or even eliminate any liability, negative publicity and loss of reputation. A PIA can help an organisation to gain the public’s trust and confidence that privacy has been built into the design of a project, technology or service,” says David Wright, Managing Partner of London-based Trilateral Research & Consulting, and lead author of the report.
The 200-page report reviews PIA methodologies, policies and legal bases in Australia, Canada, Hong Kong, Ireland, New Zealand, the UK and US. It includes an analysis of 10 PIA case studies. The concluding chapter identifies the benefits of PIAs and the best elements from existing methodologies which the authors recommend for construction of an “optimised”, state-of-the-art PIA framework for Europe.
The consortium says its report represents the most complete compendium and analysis of PIA policies and practices yet compiled and published.
The report is the first deliverable of the Privacy Impact Assessment Framework (PIAF) project, which is funded by the European Commission’s Directorate General Justice. The project began in January 2011 and concludes in August 2012.
The PIAF consortium presented the report to a meeting of European data protection authorities and officials from DG Justice in Brussels on Wednesday, 12 October.
The report can be downloaded free of charge from the PIAF project website: http://www.piafproject.eu.