A Privacy Impact Assessment (PIA) is a process designed to help the University (or any organisation) identify and minimise the privacy risks presented by the development of new or changed services, procedures or policies. A PIA can also be used for research projects.
Privacy risks include risks to individuals, in terms of damage and distress caused when personal data is mishandled, and organisational risks, such as financial and reputational damage resulting from data breaches.
The outcome of a PIA should be a reduction in privacy risk and improved compliance with the Data Protection Act 1998. Consideration of whether a PIA is required is therefore an important stage in any project plan.
PIAs should be applied to new projects and policy or service changes involving use of personal data. They should be considered at an early stage, where there is the greatest scope for addressing risks and influencing project design and implementation.
For existing systems and policies, a data protection audit may be more appropriate. Contact firstname.lastname@example.org for information on data protection audits.
Full PIAs should always be conducted for major projects undertaken at UEA, where there is a large amount of personal data involved, but the core principles can also be used for smaller projects or activities which impact on the privacy of individuals.
PIAs can be run alongside or be integrated with other project activities.
The Information Commissioner’s Office (ICO) Code of Practice on PIAs lists the following benefits:
- Assurance that we have followed best practice. The ICO writes ‘A project which has been subject to a PIA should be less privacy intrusive and therefore less likely to affect individuals in a negative way.’
- Improved transparency. Makes it easier for people to understand how and why their personal data is being used.
- Reduced risk of failing to meet legal obligations under the Data Protection Act.
- Increased awareness of privacy and data protection issues across the organisation.
- Financial benefits. Early identification of privacy problems can be less costly and ongoing costs can be reduced if use of personal data is minimised.
The University’s Strategy, Policy and Compliance (SPC) team has overall responsibility for PIAs across the organisation; however, much of the PIA process can be completed by the project team, using the PIA template documents (see below for details).
Ideally, a member of the project team should be identified as having responsibility for overseeing the PIA. One of the SPC team will work with the project team to provide advice and guidance and ensure the necessary documents are completed.
Data Protection legislation underpins the PIA. UEA does not require members of project teams to have in-depth knowledge of the Data Protection Act; however, DPA training is mandatory for all staff working with personal data. Training can be online or face to face. See training and resources for further details.
1. Identify the need for a PIA (document A). This stage should be done for all projects, big and small, to identify what – if any – further action is required. Consult with the SPC team on completion of this stage.
2. Describe the information flows (document B). The project team will complete this stage.
3. Identify the privacy and related risks (document B). The SPC team will work with the project team to complete this stage.
4. Identify and evaluate the privacy solutions (document B). The SPC team will work with the project team to complete this stage.
5. Sign off and record the PIA outcomes (document B). The SPC team will work with the project team to complete this stage.
6. Integrate the outcomes into the project plan (document B). The project team will complete this stage.
At all stages: Consult with internal and external stakeholders as needed throughout the process.
All steps should be completed for large projects and those involving sensitive or large amounts of personal data. For smaller, lower-risk projects not all steps may be required. The SPC team will advise on completion of document A.
The PIA process is flexible and scalable, so it is difficult to provide a precise estimate. However, for large projects you should allow approximately 1 – 2 days for completion of the documents and discussion with the SPC team. The SPC team will check the documentation on your behalf before reporting back to you. Further consultation may be required, depending on the outcome of the PIA.
The SPC team will endeavour to work to your timescale, but please provide as much notice as possible to allow us to fit the PIA in with other work. Note that the PIA process will be most efficient when built into the project plan. Retrospective consideration of privacy risks is typically more time-consuming and less effective.
On completion of a full-scale PIA, the project team and the SPC team should have a completed set of documents.
The results of the PIA should be fed back into the project management process (see steps 5 & 6 above) to be considered at project closure, post-project review and lessons learned. If the project aims evolve throughout the process, the project team should review step 1, to ensure the PIA is still required or fit for purpose.
The Information Commissioner recommends that organisations publish the outcome of a PIA, and there is a section (3.5) in our publication scheme specifically for completed PIAs. Any PIA documentation (including associated emails) may also be requested under the Freedom of Information Act 2000. Proactive publication improves transparency and can be an important part of a project’s communication plans; however, some aspects of the PIA may be commercially sensitive. Such information should be clearly identified within the documentation.