The UK Information Commissioner's Office (ICO) has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
The code explains the privacy issues that organisations should consider when planning projects that use personal data, including the need to consult with stakeholders, identify privacy risks and address such risks in the initial project plan.
PIAs are flexible tools which allow organisations to consider all relevant privacy issues when implementing a new system or project, from inception through testing to implementation, and to address those issues at each stage in order to mitigate the associated risks.
Traditionally, PIAs were the preserve of public-sector organisations and those large companies in the private sector that were processing significant amounts of personal data. The ICO said that this assumption no longer holds: even an individual app developer working from home can be processing the personal data of thousands of individuals, and therefore the code is now relevant to a significantly wider range of parties.
The updated code is designed to ensure that PIAs fit into the project development process, allowing organisations to follow a Privacy-by-Design approach to developing new ways of using personal data, enabling organisations to demonstrate their compliance with the UK Data Protection Act.
The publication follows an external consultation carried out with key stakeholders between August and November 2013. The consultation highlighted the need for the updated code to be flexible enough to be relevant for all organisations, of all sizes, and for PIAs to fit into the existing project development process.
A copy of the code is available here.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.