Privacy Advisor

UK—ICO Launches Consultation on PIA Code of Practice

August 27, 2013

By Brian Davidson, CIPP/E

The Information Commissioner’s Office (ICO) has launched a consultation on a draft code of practice for conducting Privacy Impact Assessments (PIAs), which is intended to replace the current ICO PIA Handbook.

The aim of the new code is to produce a practical guide that will help organisations conduct assessments of new projects involving the use of personal information. The code explains the key principles behind a PIA and suggests how such assessments can be integrated with an organisation’s project and risk management processes.

The consultation launch is noteworthy for various reasons, including:

  • Although at present there is no statutory requirement to carry out a PIA, the ICO expects organisations to do so (in the context of carrying out recent audits, the ICO has criticized organisations that have not rolled out a framework for carrying out PIAs);
  • PIAs are likely to become a mandatory requirement across the EU, as the current version of the draft data protection regulation requires ‘Data Protection Impact Assessments’; and
  • The fact that the ICO’s guidance will now take the form of a Code of Practice instead of a handbook means that it shall have increased evidentiary significance in legal proceedings before courts and tribunals on questions that are relevant to the conduct of PIAs.

The ICO is therefore seeking the views of stakeholders and the public about the new draft code, with these views helping to form the final version. The closing date for the consultation is November 5, and further details are available here.

Separately, the ICO has also published new guidance for organisations in order to help them deal more effectively with “subject access requests.” As part of the launch on August 8, the ICO published 10 simple steps that organisations should consider when responding to such requests. Further information, including a copy of the guidance, is available here.

Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.