On August 6, 2013, the UK Information Commissioner’s Office (ICO) announced a consultation on a draft code of practice for conducting privacy impact assessments (PIAs). The consultation document can be found here. The draft code of practice can be found here. The consultation will end on November 5, 2013.

The consultation and the draft code of practice are most relevant to organizations that fall within the jurisdiction of the ICO. However, other organizations, including those in Canada, may wish to review the code of practice as it provides a thorough starting point for the development of a PIA process that is consistent with the Canadian “privacy by design” framework promoted by Ontario’s Information and Privacy Commissioner and adopted by other regulators, including the Federal Trade Commission.

As the ICO points out, a PIA need not be time consuming or complex. However, “there must be a level of rigour in proportion to the privacy risks arising.” The ICO proposes a flexible methodology comprising six stages or steps.

  1. Identifying the need for the PIA by using screening questions.
  2. Describing the information flows of the project (collection, access, use, disclosure).
  3. Identifying the privacy risks (individual risk, organizational risk, compliance risk).
  4. Identifying privacy solutions (cost/benefit and effectiveness analysis).
  5. Signing off and recording the PIA outcomes (including integrating into privacy disclosures).
  6. Integrating the PIA outcomes into the project plan (monitor actions and review outcomes).

Consultation (internal and, if necessary, external) is not a separate step. Instead, the ICO recommends that it take place throughout the PIA process.