ICO issues updated privacy impact assessment code of practice

February 26, 2014

The ICO has issued a 48-page updated privacy impact assessment code of practice. It is clearly tied to the UK Data Protection Act; however, it is relevant to practitioners in the Australian environment.

The press release (found here) provides:

The Information Commissioner’s Office (ICO) has published its updated privacy impact assessments code of practice to help organisations respect people’s privacy when changing the way they handle people’s information.

The code explains the privacy issues that organisations should consider when planning projects that use personal information, including the need to consult with stakeholders, identify privacy risks and address these risks in the final project plan.

With a research study carried out by the ICO last year showing that only 40% of people believe that organisations handle their information in a fair and proper way, privacy impact assessments can be an important means of retaining consumer trust by showing that organisations are working to respect people’s privacy.

ICO Head of Policy, Steve Wood, said:

“The development of projects involving the processing of large amounts of personal information is no longer the preserve of the public sector and large businesses. Today even an app developer can be developing a product in their bedroom that involves using thousands of people’s information.

“This is why we have published our updated privacy impact assessments code of practice to help organisations of all sizes ensure that the privacy risks associated with a project are identified and addressed at an early stage during a project’s development.

“The updated code is designed to ensure that privacy impact assessments fit into the project development process, allowing organisations to follow a privacy by design approach to developing new ways of using people’s information. Successfully adopting this approach can only be good for consumers and for business and can enable organisations to demonstrate their compliance with the Data Protection Act.”   

The publication of today’s code follows an external consultation carried out with stakeholders between August and November 2013. The consultation highlighted the need for the updated code to be flexible enough to be applicable to organisations of all sizes and for privacy impact assessments to fit into the existing project development process. These issues have been addressed in the updated guidance.

Organisations can find a more detailed analysis of how privacy impact assessments fit together with project management and risk management methodologies in the research project report privacy impact assessment and risk management, prepared for the ICO by Trilateral Research and Consulting.

The ICO will be working with the different industry sectors to help organisations embed privacy impact assessments into their existing practices.
