Privacy Impact Assessments: an essential tool for data protection
A presentation to a plenary session on "New Technologies, Security and Freedom," at the 22nd Annual Meeting of Privacy and Data Protection Officials held in Venice, September 27-30, 2000.
Revised, October 12, 2000
David H. Flaherty, Ph.D.
Professor Emeritus, University of Western Ontario
David H. Flaherty Inc.
Privacy and Information Policy Consultants
1939 Mayfair Drive
Victoria, British Columbia, Canada V8P 1R1
When I had the privilege of giving the keynote address at this annual meeting of this group in Quebec City in 1987, I chose to look towards the future in data protection, with a focus on the then distant year 2000. I never dreamed that in this millennial year I would be standing before you, or have had all of the experiences with dramatic change that we have experienced in the 1990s as individuals, as official data protectors, and as privacy advocates. I do remember, with some misgivings, my fear that by the year 2000 official data protectors would be reduced to a tiny ragbag of individuals with pitchforks trying to hold back the forces of surveillance. (1)
Since I remain an optimist, I do not think that our current situation has reached quite that unfortunate state, but the "privacy police," as I am fond of calling you these days, have very finite resources when it comes to monitoring implementation of data protection.
I do want to return to one of my supposedly controversial points in 1987 (the privacy watchdog analogy), because I think it has stood the test of time, despite the public remonstrations of the then president of the Commission Nationale de l'Informatique et des Libertes (CNIL), who took great umbrage at my use of the term watchdog. Having had the experience of serving as the first Information and Privacy Commissioner for the Province of British Columbia in Canada (1993-1999), I strongly believe that the conception of the data protection commissioner as a privacy watchdog remains a very powerful and relevant image, reminding me, at least, of the continued inadequacies of countries that do not have such independent watchdogs in place.
The realities at the dawn of the 21st century are that privacy and data protection commissioners, and indeed privacy advocates themselves, are facing a continuing stream of technological innovations that have to be evaluated systematically to measure compliance with the fair information practices or data protection principles that are at the heart of all data protection legislation. (2) That problem is the focus of this first plenary session. Data protectors are facing such arduous responsibilities in the face of an increasing work burden, more and more complex and bureaucratic legislation, such as the European Directive on Data Protection and its national clones, and a very fast pace of technological innovation. Understanding any such change can be a complex activity that data protectors will wish to approach in a systematic manner.
What I intend to draw to your attention is an additional tool in the arsenal of the data protector in the form of privacy impact assessments. The idea is to require the preparation of privacy impact assessments for new products, practices, databases, and delivery systems involving personal information. In the last five years, privacy specialists have developed an assessment model for the application of a new technology or the introduction of a new service, which has good potential for raising privacy alarms at an early stage in an organization's planning process in either the public or private sectors. Various models exist for privacy impact assessments that can be customized to the needs of any organization. The essential goal is to describe personal data flows as fully as possible so as to understand what impact the innovation or modification may have on the personal privacy of employees or customers and how fair information practices may be complied with. Ultimately, a privacy impact assessment is a risk assessment tool for decision-makers that can address not only the legal, but the moral and ethical, issues posed by whatever is being proposed.
What I am proposing, and it will not be a novel suggestion for those of you from North America and New Zealand in particular, is that privacy regulators require, or at least encourage, those being regulated to prepare a privacy impact assessment for significant personal data systems that are new or enhanced in some significant way, so that their privacy implications can be analyzed and addressed in a coherent manner. (3) This idea of using privacy impact assessments is an emerging tool for addressing certain types of data protection problems that was pioneered, in my opinion, by New Zealand and by certain Canadian provinces during the last half decade, including Ontario, B.C., and Alberta.
I realized at Stewart Dresner's superb Privacy Laws and Business conference in Cambridge in July, 2000 that whatever other forms of progress in data protection (such as auditing) have occurred in Europe recently, the concept of a privacy impact assessment as an instrument of data protection has not visibly taken root. I believe that the preparation of a privacy impact assessment, in cooperation with a data protection office, can be extremely useful in helping to avoid an overly legalistic, even Talmudic or Jesuitical, focus in the detailed work of privacy protection. That is because the core of an effective privacy impact assessment is a careful description of how a system, (or any application of technology to personal information), actually works. In this process, specific privacy issues can be segregated and addressed in a comprehensive manner. Conducting a privacy impact assessment is also an effective method of engaging a team of persons at any organization, including technology, policy, legal, and privacy specialists, to work together to identify and resolve data protection problems. (4)
- Description of a Privacy Impact Assessment
Simply put, a privacy impact assessment seeks to set forth, in as much detail as required to promote necessary understanding, the essential components of any personal information system or any system that contains significant amounts of personal information. I find it easiest to indicate what I have in mind by listing the following generic categories of information (Table 1) that should be considered for inclusion in an informative and informed privacy impact assessment. (5)
Table 1: Table of Contents for a Model Privacy Impact Assessment
1. Introduction and Overview
3. General Goals
4. The Need for a System
5. Current and Intended Scope
6. Key Objectives
7. Conceptual Technical Architecture
8. Risk Management
9. Statutory Authorities for the Collection, Use, and Disclosure of Personal Information
10. Privacy Standards and Concerns
11. Original Purposes of Data Collection
12. Information Collected
13. Sources of Data
14. Limits on Data Collected
15. Location of Data
16. Data Retention/Destruction
17. Consent Issues
18. Access Rights for Individuals to their Personal Data
19. Users of Personal Information
20. Disclosure of Personal Information
21. Record Linkages as a Privacy Issue
22. Security Safeguards
23. Disclosure Avoidance Practices
24. The Implications of Future Developments
25. Conclusions about the Privacy Impact
26. Sources of Information for this Privacy Impact Assessment
Issues of definition and description of the central components of a privacy impact assessment also involve initial questions of whether an organization really needs to prepare one in specific circumstances. In the spring of 1999, as Information and Privacy Commissioner for British Columbia, I had to deal with an issue involving detailed patient waiting lists by specialist for many hospitals in the Lower Mainland and Vancouver Island. The advice of my staff was that a privacy impact assessment was not necessary, but I was concerned about the accuracy of the information about the medical practices of individual physicians and whether physicians themselves had agreed to, or were at least aware of, the personal data to be disseminated in the context of their patient waiting lists. The British Columbia Ministry of Health was reluctant to do the work involved but relented over a weekend and prepared a privacy impact assessment for our review within several days. Even the deputy minister of Health attended the discussion of the privacy impact assessment at our office with my staff. Since we were quite satisfied with the resulting document, we approved it at once and suggested to the deputy minister that he post the privacy impact assessment on the Ministry of Health's web site with the announcement of the waiting list registry, which, ironically, happened the next day (because of the politics of waiting lists for physician services). (6)
If specialized staff of a data protection office have done their homework with their counterparts in organizations, then significant changes in personal information systems will automatically surface and receive appropriate attention, up to and including the most senior staff of the office, including the Privacy Commissioner. I think that it is fruitless to state, up front, that a privacy impact assessment is always required, because it will be quite difficult, given my experience, to make such a decision at an early stage in the development of any system. (7) A better approach in my view is simply to indicate to organizations that privacy impact assessments are highly desirable for significant changes to existing personal information systems or the creation of new ones. Ideally, those responsible for central government oversight of compliance with an Act will ensure that organizations prepare such privacy impact assessments on their own initiative, which can ultimately be reviewed by central government and the Privacy Commissioner's office at an appropriate later step in the process. A similar model can work in the corporate world. A data protection office has to offload as much work as possible in order to avoid being swamped. (8)
Organizations must prepare privacy impact assessments in such a manner as to identify key problems, not try to gloss over them, or skip by them, since the specialists in the offices of privacy commissioners will focus on them in the long term. I admire the "true believers" who are advocating various enhanced information systems for seemingly laudable purposes, since what they are proposing is clearly in the public interest, but privacy impact assessments must be written with a more critical eye to the sensitive issues. The hard questions must be answered and not glossed over. "Solutions" to such issues as consent, for example, will likely also be transferable from one privacy impact assessment to another, if the thought processes of the team involved are insightful and creative.
- Guides to Preparing a Privacy Impact Assessment
A variety of informed groups in Canada and the United States have prepared detailed guides on how to prepare privacy impact assessments. These include the U.S. Internal Revenue Service, Treasury Board Canada, which oversees the federal government's central administration of compliance with the Canadian federal Privacy Act, and the Ontario Management Board of Cabinet, which plays a comparable role with respect to Ontario's Freedom of Information and Protection of Privacy Act. (9)
In British Columbia, the Information, Science, and Technology Agency and the Office of the Information and Privacy Commissioner have published model forms for the completion of privacy impact assessments. (10) My former Office prides itself on the model and detailed worksheet, including critical questions, that it has prepared for those preparing a privacy impact assessment. (11)
My major criticism of the existing guides to conducting privacy impact assessments is that they violate the KISS principle, that is, "keep it simple, stupid." They give the appearance of being too complicated and burdensome for the users at organizations that will be asked to do the actual work. My sense is that looking at some of these forms and the listed requirements would be a discouragement to cooperation in what is after all a largely voluntary activity on the part of those being regulated. Suggestions and guidance have to be as user-friendly as possible, which I think the ISTA forms referred to above have achieved to a considerable measure, as have those of my former Office. There is no use trying to persuade busy bureaucrats to assist the task of effective implementation of data protection by filling out privacy impact assessments and then burdening them with so much complex guidance that it would try the patience and willingness of even the most tolerant among them to follow through on the process.
- My Direct Experience with the Preparation of Privacy Impact Assessments
As a privacy and information policy consultant working primarily in Canada during the past fourteen months, I have found that the preparation and encouragement of privacy impact assessments is one of the services that I can offer to clients in the public and private sectors. In particular, I have prepared a substantial privacy impact assessment for a federal-provincial effort in the public health surveillance field that features an Internet display tool for making available appropriate, timely, and relevant data to public health officials.
My direct involvement in the preparation of this privacy impact assessment leads me to make the following observations about the process:
- This particular privacy impact assessment has been expensive to execute and difficult for me to accomplish in practical terms, starting from the fact that I came from outside the project team and was not one of the developers or proponents. In theory, it would be preferable for someone inside such a project to draft a privacy impact assessment and keep it up to date, but the lack of readily available models and privacy expertise to date has made that approach difficult for any organization.
- I have spent more than 100 hours on this project and produced a 39 page privacy impact assessment with literally hundreds of footnotes to the supporting documentation. (The anonymized table of contents is in Table 1.) But the cost of the preparation of this privacy impact assessment was less than one percent of the development costs for the complex delivery system.
- From the beginnings of system design several years ago, proponents had every intention of complying with privacy, confidentiality, and security requirements and legislation. But, in my judgment, the burdens of building the innovative system (with the central help of an IBM Global Services team) meant that this commitment smacked of lip service in terms of the contents of the substantial project reports that I was originally able to review and that served as the basis for my privacy impact assessment.
- The project development team itself lacked the trained resources to prepare a proper privacy impact assessment and to resolve critical data protection issues in a systematic manner (although it made a series of correct ad hoc decisions on data protection issues).
- Lest I appear to be overly critical as an outsider, let me acknowledge my admiration for, and empathy with, these system designers and project sponsors and all the challenges that they had to overcome. I learned from them to appreciate much more the sheer difficulties of building a sophisticated and innovative data collection and data display system.
- I also learned that there was no use building a system that was so privacy compliant, in terms of disclosure avoidance practices in particular, that it would be of absolutely no use to the public health professionals who are the sole intended users. Some pragmatic rules and solutions needed to be found that would serve all sides of the public good. A cost-benefit analysis and a privacy impact assessment are useful vehicles for balancing competing interests.
- In the first instance, I based the draft privacy impact assessment on literally thousands of pages of documentation prepared by those building the system. For reasons that are not totally clear to me, the relevant literature was given to me in dribs and drabs, leading me to reflect after the fact that I was participating in some kind of dance of the seven veils. Those promoting and executing a project need to document their activities as much as possible, so that those following in their footsteps, such as in the preparation of a privacy impact assessment, can understand as much as they need to know of how the system operates and the levels of personal microdata involved at each stage of creation, use, and disclosure of the data.
- In my judgment, a basic function of a draft privacy impact assessment is to ask probing, detailed questions of the proponents, builders, and designers in order to promote comprehension. The role is in effect that of a devil's advocate.
- One definite mistake that I made was in not obtaining a demonstration of the system at an earlier stage in my work. That mistake reflected issues of costs and federal-provincial politics, or at least my limited understanding thereof. I conclude that the ideal privacy impact assessment of any project is prepared by someone from inside the project and with an up-front demonstration of just how it works or is supposed to work. On the other hand, my experience with another national agency in Canada is of being asked to criticize privacy impact assessments that staff have prepared. To date, I have found them lacking in sophistication and skipping over large and small data protection issues, which can be admittedly problematic to deal with in a bureaucratic world where everyone seems to have too much work to do. Internal advocates of innovative systems are naturally reluctant to be too critical of their scheme. My argument is that the best protection for such a project is for the difficult data protection questions to be posed and then answered by means of appropriate solutions as required.
- My fear is that it is always going to be difficult to find someone building any automated system who knows enough about data protection principles and fair information practices to be able to apply them in a sophisticated manner to the project in question. The evidence is that few persons understand intuitively what fair information practices are all about.
- Executing a successful privacy impact assessment for any application also presupposes a capacity to understand and explain security practices in a manner that the lay reader of any privacy impact assessment will be able to understand. Cutting through jargon is an essential task of the activity.
- A related technical issue is the all important one of disclosure avoidance practices. It is one thing for a critic to raise specific privacy issues around such questions as the risk of re-identification, for example, in the conduct of research and statistical uses of information, but it is much more difficult to measure the real risks and then to decide how to manage them in a reasonable manner. These are methodological issues that require technical assistance from specialists.
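The last two points above, the need to make disclosure avoidance practices concrete enough that they do not render the system useless, and the difficulty of actually measuring re-identification risk rather than merely raising it, are the kind of thing a worked calculation makes tangible. The following Python script is an added example for this page; it is not code from the original presentation or from any of the systems it describes. The records are constructed, not real data, and the choice of quasi-identifiers (region, birth year, sex) and the generalisation rules (postal prefix, decade of birth) are assumptions made for the example. It measures how many rows in a small extract can be singled out on those fields alone, then applies generalisation and suppression and measures again, so that the privacy gain and the utility cost (rows withheld) are both visible to the lay reader of an assessment.

```python
"""Measuring and reducing re-identification risk in a microdata release.

Added illustration for this page; it is not code from the original
presentation or from any of the systems it describes.  The records are
constructed, not real data, and the choice of quasi-identifiers and the
generalisation rules are assumptions made for the example.
"""
from collections import Counter

# Constructed sample extract: one row per person, shaped like a public health
# surveillance record.  Region is a made-up postal prefix.
RECORDS = [
    {"region": "V8P", "birth_year": 1951, "sex": "F", "diagnosis": "TB"},
    {"region": "V8P", "birth_year": 1953, "sex": "F", "diagnosis": "TB"},
    {"region": "V8R", "birth_year": 1958, "sex": "M", "diagnosis": "HepB"},
    {"region": "V8R", "birth_year": 1955, "sex": "M", "diagnosis": "TB"},
    {"region": "V9B", "birth_year": 1972, "sex": "F", "diagnosis": "HepB"},
    {"region": "V9B", "birth_year": 1972, "sex": "F", "diagnosis": "TB"},
    {"region": "V9B", "birth_year": 1979, "sex": "M", "diagnosis": "HepB"},
    {"region": "V8P", "birth_year": 1950, "sex": "M", "diagnosis": "TB"},
]

# Fields an outsider could plausibly learn from another source (a voter list,
# a directory, social media) and use to link a row back to a person.  The
# diagnosis is the sensitive attribute being protected, not a quasi-identifier.
QUASI_IDENTIFIERS = ("region", "birth_year", "sex")


def key_of(record, quasi_identifiers=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that defines a record's class."""
    return tuple(record[q] for q in quasi_identifiers)


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Map each distinct quasi-identifier combination to how many rows share it."""
    return Counter(key_of(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest class.  k == 1 means someone can be singled out."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Rows that are alone in their class, i.e. identifiable from the
    quasi-identifiers without any further information."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[key_of(r, quasi_identifiers)] == 1]


def average_risk(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Average per-record probability of a correct link for an adversary who
    knows a target is in the file and knows the target's quasi-identifiers:
    each row in a class of size f carries risk 1/f, so the mean over rows is
    (number of classes) / (number of rows)."""
    if not records:
        return 0.0
    return len(equivalence_classes(records, quasi_identifiers)) / len(records)


def generalise(record):
    """Coarsen the quasi-identifiers: keep only the first two characters of
    the region code and round the birth year down to the decade."""
    coarse = dict(record)
    coarse["region"] = record["region"][:2]
    coarse["birth_year"] = record["birth_year"] // 10 * 10
    return coarse


def suppress_small_classes(records, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Drop every row whose class still has fewer than k members."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[key_of(r, quasi_identifiers)] >= k]


def anonymise(records, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Generalise, then suppress what generalisation alone could not protect.
    Returns the releasable rows and the number of rows withheld."""
    coarse = [generalise(r) for r in records]
    released = suppress_small_classes(coarse, k, quasi_identifiers)
    return released, len(coarse) - len(released)


if __name__ == "__main__":
    print("raw extract: k =", k_anonymity(RECORDS),
          "unique rows =", len(unique_records(RECORDS)),
          "average risk = %.2f" % average_risk(RECORDS))
    released, withheld = anonymise(RECORDS, k=2)
    print("after generalisation and suppression: k =", k_anonymity(released),
          "rows released =", len(released), "withheld =", withheld,
          "average risk = %.2f" % average_risk(released))
```

On the constructed rows, six of eight people are unique on the raw quasi-identifiers (k = 1). Generalisation alone still leaves one person unique, which is why the script follows it with suppression; the single withheld row is the utility cost that the public health users of such a system would have to be asked to accept. The same two counts, rows that remain unique and rows withheld to protect them, are the figures a privacy impact assessment should report under "disclosure avoidance practices" rather than the bare assertion that re-identification has been considered.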
- The Uses of Privacy Impact Assessments
- The primary purpose of a privacy impact assessment is to allow the organization building or operating a personal information system to decide whether it is in compliance with relevant data protection legislation at any particular point in time. (12) An important secondary goal is to meet the privacy expectations of the public with respect to moral and ethical considerations. The Office of a Privacy or Data Protection Commissioner has crucial roles to play in both activities.
- A secondary purpose of a privacy impact assessment is to serve as an educational and negotiating tool for the system operators to use for purposes of compliance reviews by senior management and by the external data protection agent or agency. The privacy impact assessment should make it relatively easy for executives and the privacy commissioner and his or her staff to understand how the system works and what the privacy issues and risks are, if indeed there are any. That is why I favour a sophisticated approach to the contents of a privacy impact assessment that delivers all of the necessary details and does not skirt over real issues. The completion of an effective and meaningful privacy impact assessment requires a dialogue (not a diatribe) between the regulator and the regulated.
- I would like to take issue with the view that a privacy impact assessment cannot be used to obtain a waiver of, or relaxation from, any requirement of a data protection act. That should be possible in a practical sense that reflects political reality and real costs to taxpayers in particular. Fair information practices need to be customized to work in practice. When I was informed that it would cost half a million dollars, for example, for the Workers' Compensation Board in British Columbia to replace the use of Social Insurance Numbers to keep track of workers in the province whose hearing was tested regularly over a period of years, I agreed that the cost was excessive in terms of the benefits of linking the testing records by an efficient method.
- A privacy impact assessment is a protean document in the sense that it is likely to continue to evolve over time with the continued development of a particular system. This is one of its most important characteristics, since the privacy impact assessment can be used to monitor important changes in any system, especially those with potentially negative implications for the privacy of individuals. (13) It is an early warning system for management and responsible ministers or executives.
- I urge public bodies and other organizations in the private sector to post any privacy impact assessment on their web site, so that it is available to anyone and everyone, including privacy advocates who may wish to second-guess the choices that have been made. An effective privacy impact assessment can also be a guide to others seeking to emulate a particular application, especially within the complex federal, provincial, and territorial political system in Canada.
- One of the perhaps semantic issues with a privacy impact assessment is whether or not a Privacy Commissioner really has to approve the finished product. (14) The model process for a privacy impact assessment, based on my experience, is for the staff of the Privacy Commissioner and the staff of the public body to meet and discuss planned innovations in information systems. If the matter is significant enough, the initial meeting may be with the Commissioner, who will naturally express a strong interest in wanting to fully understand how the personal information system will work in practice in the form of a developed privacy impact assessment. My repeated experience was that it took a lot of staff time and persistent effort to figure out what the flows of personal information were in any information system, especially if, as in one instance, the B.C. Ministry of Human Resources was proposing, for selected purposes, to have routine access to the central client registry of the Medical Services Plan of the B.C. Ministry of Health. My considered view is that at the end of the day, any Ministry or organization has the right to be told that it is acting in compliance with the data protection act, if the staff executed their plans according to the privacy impact assessment developed in coordination with the Commissioner's staff. I know that it is customary in such instances to suggest that the Commissioner's views are subject to later revision on the basis of new information or a privacy complaint, but in my six years of experience in British Columbia we never really had to second-guess ourselves with respect to matters of advice giving on a privacy issue.
If privacy concerns are to be taken seriously by public bodies and other organizations that are privacy intensive in terms of their use of personal information, then they have the right, after the exercise of due diligence on both sides, to positive expressions about the privacy impact assessment from the Privacy Commissioner.
I am persuaded on the basis of direct experience that a successful privacy impact assessment can be a very effective instrument in the toolkit of the 21st century Data Protection Commissioner. It can also be very helpful to senior public servants and their elected Ministers who do not wish to be blindsided by privacy disasters, such as happened to the Canadian Minister of Human Resources Development in May, 2000. (15) A proper privacy impact assessment, that incorporated the informed observations of the Office of the Privacy Commissioner of Canada, might have prevented a political and public relations disaster for that particular minister and the federal Liberal government.
© Copyright David H. Flaherty, 2000. All rights reserved.
1 David H. Flaherty, "Towards the year 2000: The Emergence of Surveillance Societies in the Western World," the keynote address to the opening session of the International Data Protection Commissioners' Annual Meeting, Quebec, Quebec, September 22, 1987.
3 One of the earliest references that I have found to privacy impact assessments comes from a Privacy Issues Forum in Christchurch, New Zealand, on June 13, 1996 (which I in fact attended and participated in). The presenters were Blair Stewart of the New Zealand Privacy Commissioner's office and Elizabeth Longworth, a leading N.Z. privacy practitioner. I also note that I wrote, in September, 1995, an essay entitled: "Provincial Identity Cards: A Privacy-Impact Assessment." I can document the use of the term "privacy impact statement" as early as the 1970s. Stewart published a series of excellent short articles on privacy impact assessments in Privacy Law & Policy Reporter, vol. 3 (1996), 61-64, 134-38 and vol. 5/8 (1999), 147-49. These reflected, from a critical perspective, his experience with the process in New Zealand.
5 I used these specific headings to prepare a recent privacy impact assessment. The re-organization of the final product resulted in only 7 broad headings: introduction and overview; description; data collection; disclosure and use of data; privacy standards and security measures; conclusions; and sources.
6 This particular privacy impact assessment is a simple model of what can be done; it can be found at http://www.hlth.gov.bc.ca/waitlist/privacy.html
7 In an ideal world, any personal information system should have its own privacy impact assessment available for continuing updating and revision. But, given the amount of work required to complete a competent privacy impact assessment, I am reluctant to be too dogmatic on this point. The issue is much more clear cut for any privacy-intensive organization that collects and uses significant amounts of personal data.
8 See David H. Flaherty, Protecting Privacy In Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States (University of North Carolina Press, Chapel Hill, NC, 1989), pp. 57, 385-91.
9 See Treasury Board Canada, "Model Cross-Jurisdiction Privacy Impact Assessment Guide," (Draft, October, 1999); Ontario, "Privacy Impact Assessment Guidelines," (March, 2000, 83pp.), http://www.gov.on.ca:80/MBS/English/fip/; U.S. Internal Revenue Service, "Model Information Technology Privacy Impact Assessment," (Version 1.3, December 17, 1996, 17pp.), available at http://www.cio.gov/docs/IRS.htm. This U.S. model contains a helpful list of "privacy questions" to guide those preparing an initial privacy impact assessment for review with the IRS's Privacy Advocate. The Ontario Management Board of Cabinet now requires a privacy impact assessment of any submission to it from a government department "seeking approval to begin the detailed design phase or to request funding approval for product acquisition or system development work." (p. 6) It also has lists of helpful questions associated with each component of the privacy impact assessment.
10 What I find especially appealing about ISTA's "Guidelines" is that they include within the Privacy Impact Assessment Form some sample language under each box on the form as an assist to someone having to fill it out. See www.ista.gov.bc.ca.
11 See www.oipcbc.org
12 The Ontario Management Board Guidelines state: "The end result of a privacy impact assessment process is documented assurance that all privacy issues have been appropriately identified and either adequately addressed or, in the case of outstanding privacy issues, brought forward to senior management for further direction." (p. 25)
13 The Ontario Management Board Guidelines state: "While the completion of a full and detailed privacy impact assessment may only be possible at later stages in the system development and acquisition phase, the privacy impact assessment is best approached as an evolving document which will grow increasingly detailed over time." (p. 11)
14 The Alberta Information and Privacy Commissioner issued two press releases in August 1999 announcing his "acceptance" of two privacy impact assessments submitted to his office by Alberta Health and Wellness and alberta we//net. They are located under 'reports,' and 'privacy impact assessments' on the office's web site: www.oipc.ab.ca
15 In his final annual report as Privacy Commissioner of Canada, Bruce Phillips drew attention to some data protection problems with a massive research data base maintained by HRDC. When his press release gave pride of place to an issue that was otherwise buried in the bowels of the annual report, the media and Opposition political parties in Parliament picked up on the issue and made it front-page news for almost two weeks. An initially defensive Minister subsequently ordered the literal destruction of the linkage devices that had made the data base possible. Many thousands of Canadians simultaneously demanded to know what information was held about them in the data base in question.