The IT Law Wiki



A privacy impact assessment (PIA) is:

a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.[1]

United Kingdom

A privacy impact assessment (PIA) is:

a process which helps an organisation to identify and reduce the privacy risks of a project. An organisation should use a PIA throughout the development and implementation of a project, and can use existing project management processes. A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.

The purpose of the PIA is to minimize privacy risks while meeting the aims of the project. Organizations can identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice. They can test this analysis by consulting with people who will be working on, or affected by, the project.[2]

United States

A privacy impact assessment (PIA) is:

an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.[3]


A PIA is a structured, repeatable type of analysis of how information relating to or about individuals, or groups of individuals, is handled. PIAs have become an important tool for examining the privacy impact of IT systems, programs, technologies, or rule-makings. The PIA is based on the FIPPs framework and touches on general areas such as scope of information collected, use of information collected, information security, and information sharing.

  1. The PIA process begins with the completion of a Privacy Threshold Analysis (PTA) to determine which systems actually need a PIA. This analysis will identify information that will be exchanged, with whom it will be exchanged, and whether there are any associated privacy, civil rights, or civil liberties implications.
  2. Next, the PIA poses a series of questions that help stakeholders identify and understand any risks their systems may pose to the privacy, civil rights, and civil liberties of personally identifiable information.
  3. Privacy policies emerge as the result of the identification and analysis that occur during the PIA process, generating discussion and decision making on how to address and mitigate, if necessary, the identified privacy vulnerabilities.[4]

The PIA process must be documented, and must explain: (1) what PII will be collected, maintained, or disseminated, including the nature and source of the data; (2) why the PII is being collected (i.e., purpose); (3) intended use or uses of the PII; (4) with whom the information will be shared or disclosed; (5) options and methods for individuals to exercise choice or give consent for collection or use; (6) how the PII will be secured; and (7) whether a system of records is being created under the Privacy Act of 1974.

A report, similar to an audit report, is generated to describe the types of privacy risks discovered in each privacy category, to document the findings, and to provide recommendations for mitigating the privacy risks found.

Common goals of a PIA include:

  1. Determining if the information handling and use within the identified scope complies with legal, regulatory, and policy requirements regarding privacy;
  2. Determining the risks and effects of collecting, maintaining, and disseminating information in identifiable, or clear text, form in an electronic information system or groups of systems; and
  3. Examining and evaluating the protections and alternative processes for handling information to mitigate the identified potential privacy risks.

The analysis section reinforces critical thinking about ways to enhance the natural course of system development by including privacy in early stages.

E-Government Act of 2002

Under the E-Government Act of 2002,[5] and OMB Memorandum M-03-22, a Federal agency may not develop or procure information technology to collect, maintain, or disseminate PII from or about members of the public unless the agency first performs a privacy impact assessment (PIA) to assess and address the privacy impact of that technology. Agencies must conduct a PIA: (1) before developing or procuring information technology that collects, maintains, or disseminates information that is in a personally identifiable form or (2) before initiating any new electronic data collections containing personal information on 10 or more individuals.

A PIA analyzes how information will be handled to ensure such handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, to determine the risks and effects of collecting, maintaining, and disseminating such information, and to examine and evaluate protections and alternative processes for handling the information to mitigate potential privacy risks.

Under the law, PIAs are public documents and are supposed to contain a description of the project, a risk assessment, a discussion of potential threats to privacy, and ways to mitigate those risks. To the extent that PIAs are made publicly available, they provide explanations to the public about such things as the information that will be collected, why it is being collected, how it is to be used, and how the system and data will be maintained and protected.

Department of Homeland Security

The E-Government Act of 2002 does not require PIAs on national security systems or systems containing information about federal employees and contractors;[6] as a policy matter, however, the DHS Privacy Office requires all information technology systems, including classified systems, to conduct PIAs.[7] Nonetheless, classified systems may be exempted from the requirement to publish a PIA.

The PIA is the method by which the DHS Privacy Office’s Compliance Group reviews system management activities in key areas such as security and how/when information is collected, used, and shared. If a PIA is required, the DHS component will draft the PIA for review by the component Privacy Officer/PPOC and component counsel. Part of the PIA analysis includes determining whether an existing SORN appropriately covers the activity or a new SORN is required by the Privacy Act of 1974.

Through the PIA process, specific questions related to analytical use of data are asked, to identify and mitigate any privacy risks from the use of such technology. Once the PIA is approved at the component level, the component Privacy Officer or PPOC submits it to the DHS Privacy Office Compliance Group for review and approval by the Chief Privacy Officer.

The Chief Privacy Officer conducts a final review before signing. Once approved, the PIA is made publicly available on the DHS Privacy Office website with the exception of a small number of PIAs deemed classified for national security reasons.

Office of Management and Budget

OMB is tasked with providing guidance to agencies on how to implement the provisions of the Privacy Act and the E-Government Act, and has done so, beginning with guidance on the Privacy Act, issued in 1975. The guidance provides explanations for the various provisions of the law as well as detailed instructions on how to comply. OMB’s guidance on implementing the privacy provisions of the E-Gov Act of 2002 identifies circumstances under which agencies must conduct PIAs and explains how to conduct them.

Among other actions that should require a PIA, according to guidance from OMB, is significant merging of information in databases, for example, in a linking that “may aggregate data in ways that create privacy concerns not previously at issue” or “when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources.”

However, according to OMB, no assessment is required when the information relates to internal government operations, the information has been previously assessed under an evaluation similar to a PIA, or when privacy issues are unchanged.


  1. Guide to Undertaking Privacy Impact Assessments, at 1.
  2. Conducting Privacy Impact Assessments Code of Practice, at 4.
  3. OMB Memorandum M-03-22.
  4. Guide to Conducting Privacy Impact Assessments: Privacy Impact Assessment Template, at 3.
  5. E-Government Act of 2002, §208. Section 208(b)(1)(B)(iii) of the Act requires agencies, if practicable, to make PIAs publicly available through agency web sites, publication in the Federal Register, or by other means.
  6. The DHS Privacy Office does require a PIA for federal employee and contractor systems that are deployed throughout DHS.
  7. See 6 U.S.C. §142(1).