A Privacy Impact Assessment (PIA), put simply, is an assessment of the impact of the risks associated with Information Governance compliance with respect to a system or process. Sounds easy, right? But, of course, the process of undertaking a PIA can be complex.
A PIA is generally broader than a Data Protection Impact Assessment (DPIA), which is compulsory for any high-risk processing of personal or special category data under the General Data Protection Regulation (GDPR) and focuses solely on the impact of the regulation itself.
A robust PIA should take a broader approach and encompass all aspects of Information Governance as well as Data Protection or GDPR. So, where do we start?
Firstly, what is high-risk?
To assess whether you need a DPIA or a PIA, you could initially undertake an assessment of whether the processing may be high-risk, for example by looking at the type of data in the processing activity and how many individuals are affected. It makes sense that the higher the number of individuals and the more sensitive the type of data, the higher the risk of the processing.
However, this is a very basic calculation.
I would suggest that looking at the outcome of a complete DPIA or PIA should give a more robust idea as to the risk rating for the impact assessment. So it follows that a DPIA or a PIA is needed on all processing, systems or projects to give an accurate indication of whether the processing is deemed high-risk or not.
This may seem daunting but let’s look at the positive impact a PIA could have in more detail.
Positive impact of a PIA
A PIA can help you perform effective risk assessment saving you time and money in the long run. Who doesn’t want to save time and money? Done well, a PIA can give you a system that is robust in terms of Information Governance and Data Protection compliance. This can give you peace of mind that the chances of a data breach have been reduced. It is also something that you can impress your customers with when they ask about your Information Governance compliance.
Let’s look at what a PIA covers in more detail.
Risk Assessment as part of a PIA
Risk management is a subjective process: there is a body of research into risk metrics, but none has (yet?) replaced the human as a problem-solving tool to provide an effective outcome. So, as a human, you need to position your thinking to look at the problem; for example, have you considered any financial or reputational impact of the processing? Financial impact may be easier to quantify than reputational impact, especially when considering the potential fines for a data breach, but both are important.
If we are looking at clinical systems, Information Governance risks may not obviously or directly cause a clinical safety risk; however, there may well be an impact on the mental or physical health of an individual if data is mismanaged. The harm that could occur, how likely it is to occur and how many patients could potentially be affected also contribute to the final risk rating.
A lot of the time, the focus is on technological Information Security solutions, which are, of course, very important. If budget cuts have meant that updating the encryption to the latest standards has been put back (again), this ill-advised behaviour could land a fine that blows any saving out of the water if you are unlucky enough to suffer a data breach. Not to mention the cost of lost custom that a malicious attack, or even a non-malicious incident, could cause.
Still, the job isn’t done once you have the latest encryption in place.
The front door, or user interface, may well be one of the riskiest parts of a PIA. Do your colleagues know how to set a good password? Is two-factor authentication set up? Is it set up for everyone? Have your colleagues read the online training, or just taken the test enough times to pass? Have you?
We could review a PIA from a process point of view. The PIA process encompasses the whole system but each part of the system may have a differing risk outcome. If the process itself is very complicated, this increases the likelihood of data integrity issues and data sharing mistakes, for example.
Thinking about Confidentiality as part of a PIA is important, as this runs hand in hand with Data Protection. Who has access to data is key. Access should be locked down only to those with a need to know, even if access is audited (and all actions in a clinical system should be audited). Ensuring that access is removed from leavers is key as well.
The above are just some examples of the perspectives to take as part of a Privacy Impact Assessment, and hopefully they show that ensuring the appropriate point of view (relativity, as Einstein might say) is a key part of risk assessment.
What is the PIA process?
Once you’ve decided to undertake a PIA, you need to follow a process that you either create in-house with the available templates in mind (here is some more information from the Information Commissioner’s Office) or use an external Information Governance consultant’s tried and tested process to do this for you.
Privacy Impact Assessments need specialists to work together. Your project team will know everything about the project and your Information Governance specialist knows everything about IG (or at least knows enough to know what they don’t know and how to assimilate information to fill that gap) and they all play a part.
The process will start with mapping the data flow and understanding the impact of each separate part of the flow. This may seem time consuming, but it is important to get this right from the very start of a project and (this is the part people forget) to revisit it regularly and at every major change in the processing.
Once an understanding of the project has been obtained, the Information Governance specialist can go about the risk assessment. The goal is to help you ensure that your system is Information Governance compliant, saving you time and money in the long run.
Essentially, Privacy Impact Assessments are there to ensure that privacy is included by design and default; this is the lasting legacy I will take from Elizabeth Denham’s tenure as Information Commissioner.
If you need help, you can contact someone (me!) currently studying for a PhD relating to Privacy Impact Assessments. Details below:
Louise Paddock, Director and Head Consultant at Paddock Privacy
Email: firstname.lastname@example.org Tel: 07369 238 967