Part I Background information
Chapter I – Overview
PIAs and other processes
Compliance checking and data protection audit
A PIA must be seen as a separate process from compliance checking or data protection audit processes. Often organisations ask whether a PIA can be conducted on a project that is being implemented or has been up and running for some time. The nature of the PIA process means that it is best to complete it at a stage when it can genuinely affect the development of a project. Carrying out a PIA on a project that is up and running runs the risk of raising unrealistic expectations among stakeholders during consultation. For this reason, unless there is a genuine opportunity to alter the design and implementation of a project, the ICO recommends that projects which are already up and running are not submitted to a PIA process, but to either a compliance check or a data protection audit, whichever is more appropriate.

The PIA process is considerably broader than just an audit of compliance with existing privacy-related laws. A complementary process is needed to ensure that the project is legally compliant. That process can begin early, but cannot be finalised until late in the project life-cycle, when the design is complete. Separate guidance on the conduct of compliance checking is provided in Chapter VI and Chapter VII of this handbook. The cost and delay involved in compliance checking need not be great, because the process draws heavily on work undertaken during the course of a PIA.

A PIA needs to be distinguished from a privacy or data protection audit. An audit is undertaken on a project that has already been implemented. An audit is valuable in that it either confirms that privacy undertakings and/or privacy law are being complied with, or highlights problems that need to be addressed. To the extent that it uncovers problems, however, they are likely to be expensive to address and may disturb the conduct of the organisation's business. A PIA aims to prevent problems arising, and hence avoid subsequent expense and disruption.

The ICO Data Protection Audit Manual is available at www.ico.gov.uk.
Information security procedures
Many organisations feel that if they have completed an information security or information assurance process, they have completed a process similar to a privacy impact assessment. However, while many of the issues addressed by PIAs are also addressed as part of information security or assurance procedures, those procedures are limited in scope to the needs of the organisation and do not, as a general rule, seek to garner views from the range of stakeholders who may be affected by a project.

While information security and assurance procedures will enable compliance with the law, they do not look at the broader issues of whether or not a particular project should be implemented from a privacy perspective, how to ensure that external privacy concerns are identified and addressed, or whether a particular programme is compliant with the broader rights to privacy and confidentiality provided by UK and European law.
Managing the expectations of anyone who has an interest in a project or who may be affected by its outcome is vital in the public and private sectors. The PIA process will cover a lot of the same ground as