Using a privacy impact assessment template for DPA compliance

The BSI standard is structured into four main areas:

• Planning for a PIMS.
• Implementing and operating the PIMS.
• Monitoring and reviewing the PIMS.
• Improving the PIMS.

A privacy impact assessment template
Like ISO 27001, the selection of appropriate controls is based on a risk assessment of "the level of risk to individuals associated with the processing of their personal information." While the standard is not prescriptive as to the risk assessment method to be used, it does point to the guidance issued by the ICO. The ICO has issued the Privacy Impact Assessment Handbook (PIAH) on its website. The privacy impact assessment template is a comprehensive guide not only to privacy impact assessments (PIA), but also to privacy law compliance checks (PLCC), DPA compliance checks (DPACC) and privacy and electronic communications compliance checks.

The ICO recommends that the PIA is preceded by a screening phase to determine if a full-scale, small-scale or even no PIA is needed. The assessment calls for 11 screening questions to determine if a full-scale PIA is required, followed by 15 further questions to determine if a small-scale PIA is necessary. The four-step PIA screening process is also used to determine if a PLCC and/or a DPACC are required.

Note that the ICO recommends that a PIA is appropriate at the inception of a project. Checking privacy law and DPA compliance once a project is operating is better achieved using a PLCC or DPACC.

A full-scale PIA consists of five phases:

1. Preliminary Phase: This is the initial planning of the PIA to develop a project brief and a project plan.
2. Preparation Phase: This provides the detailed preparation for Phase 3, producing a stakeholder analysis, a consultation plan for the discussions with stakeholders and the formation of a PIA consultative group (PCG) of representatives from the stakeholder groups.
3. Consultation and Analysis Phase: During this phase, discussions are held with the stakeholders to identify the privacy issues with the proposed project, and the design solutions to address those issues. These are documented in an issues register, and the developed solution is documented in a privacy design.
4. Documentation Phase: The end of the PIA process results in a PIA report, containing:
   1. A description of the project;
   2. An analysis of the privacy issues arising from it;
   3. The business case justifying the use of personal information and its implications;
   4. Discussion of alternatives considered and the rationale for the selected solution;
   5. A description of the privacy design features adopted to reduce and avoid privacy intrusion and the implications of these design features;
   6. An analysis of the public acceptability of the scheme and its applications.
   At a later stage, once completed, the PLCC and DPACC can be appended to the PIA report.
5. Review and Audit Phase: This phase is undertaken at an appropriate point in the implementation of the project to ensure the agreed privacy measures are carried forward into implementation.

The PIA is a wider assessment than that which would be performed as part of an ISO 27001 risk analysis. The PIA looks at the types of personal information being processed, whether the processing of that information is allowed under the Data Protection Act, whether it is necessary to process that information, how the processing of that information can be limited and what other measures are required to meet the requirements of the DPA. In order to meet the 7th principle of the Data Protection Act (that personal information is kept secure), it is necessary to perform a risk assessment to determine the appropriate security controls, and to manage the security of the personal information. This is where ISO 27001 comes in; a major component of the ISO standard addresses how to conduct a risk assessment. BS 10012 states that: "Where appropriate, the organisation may wish to consider compliance with ISO 27001". I would strongly recommend that BS 10012 implementation be complemented by compliance with ISO 27001.

BS 10012 together with ISO 27001 provides the basis for management of privacy risk. For new projects, privacy impact assessment templates should be used to determine the proper processing of personal information and compliance with legal requirements, including the Data Protection Act. This will normally include a PLCC and DPACC. For existing projects, a PLCC and DPACC should suffice.

ISO 27001 should be used as the basis of the information security management system to implement the security controls necessary to meet the 7th principle of the DPA. This should include an information security risk assessment, and the implementation and management of appropriate information security controls.

About the author:
Neil O'Connor is Principal Consultant at Activity (www.activityim.com)

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.