Current approaches regarding the conduct of privacy impact assessments vary widely, partly because they are considered best practice but are not mandatory under Irish law. Since privacy risks, and the risks of noncompliance with data protection law, are increasing and because data protection impact assessments will be mandatory in certain circumstances from May 2018 when the GDPR comes into force, many organisations who are not familiar with carrying out privacy impact assessments are searching for guidance or templates. For this purpose, the recent publication by the HSE of a privacy impact assessment for the Individual Health Identifier ("IHI") may be welcome, particularly but not only for those operating in the health sector.
Under current Irish law, while there are good reasons for carrying out privacy impact assessments, including that they may benefit both the affected individuals and the organisation carrying them out as regards managing its legal, operational and/or commercial risks, they are not mandatory. This will change in May 2018, when the General Data Protection Regulation ("GDPR") will replace the current data protection regime in Ireland and across the EU. Amongst many other changes and reforms to be introduced, the GDPR requires that a data protection impact assessment must be carried out in advance where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, including in certain specified circumstances. As a result, privacy impact assessments will become increasingly important (but will continue to be optional) as organisations prepare for the application of the GDPR and, from 25 May 2018, will be mandatory in certain circumstances.
Although privacy impact assessments are identified as recommended best practice in guidance materials published by the Office of the Data Protection Commissioner and other public or regulatory bodies, there are few publicly available Irish resources relating to privacy impact assessments. Accordingly, some Irish organisation rely on resources published in other jurisdictions, such as those published by the UK Information Commissioner's Office. The main exception is the health sector, for which the Health Information and Quality Authority ("HIQA") has published specifically applicable privacy impact assessment guidelines and resources. While the HSE's privacy impact assessment for the IHI clearly applies to the health sector and is, in part, based on the HIQA materials, its structure and stated methodology could be adapted for use in other areas. In particular, the manner in which privacy issues arising from the IHI are identified, assessed and addressed through proposed mitigation measures provides a useful framework for conducting and documenting privacy impact assessments.
It is worth bearing in mind, however, that the privacy impact assessment for the IHI was conducted and published for a specific purpose and that there is no generally prescribed form or methodology for carrying out privacy impact assessments (with the exception of the HIQA guidelines that apply to the health sector and certain conditions that will apply to data protection impact assessments carried out for the purpose of the GDPR). As a result, organisations in the private sector and others whose status or function is different from the HSE may wish to conduct and present their privacy impact assessments in a very different format. In particular, the prospect of potential liability for breaches of data protection law and obligations should be taken into account when considering who should carry out a privacy impact assessment, how it should be documented and whether it should be published.