Privacy Impact Assessments Draft Code Of Practice

On August 6, 2013, the UK Information Commissioner’s Office (ICO) announced a consultation on a draft code of practice for conducting privacy impact assessments (PIAs). The consultation document can be found here. The draft code of practice can be found here. The consultation will end on November 5, 2013.

The consultation and the draft code of practice are most relevant to organizations that fall within the jurisdiction of the ICO. However, other organizations, including those in Canada, may wish to review the code of practice as it provides a thorough starting point for the development of a PIA process that is consistent with the Canadian “privacy by design” framework promoted by Ontario’s Information and Privacy Commissioner and adopted by other regulators, including the Federal Trade Commission.

As the ICO points out, a PIA need not be time consuming or complex. However, “there must be a level of rigour in proportion to the privacy risks arising.” The ICO proposes a flexible methodology comprising six stages or steps.

  1. Identifying the need for the PIA by using screening questions.
  2. Describing the information flows of the project (collection, access, use, disclosure).
  3. Identifying the privacy risks (individual risk, organizational risk, compliance risk).
  4. Identifying privacy solutions (cost/benefit and effectiveness analysis).
  5. Signing off and recording the PIA outcomes (including integrating into privacy disclosures).
  6. Integrating the PIA outcomes into the project plan (monitor actions and review outcomes).

Consultation (internal and, if necessary, external) is not a separate step. Instead, the ICO recommends that it take place throughout the PIA process.

Topics:  Code of Conduct, ICO, New Regulations, Privacy Policy, UK

Published In: General Business Updates, International Trade Updates, Privacy Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
