Although it is great to see Privacy Impact Assessment (PIA) being discussed in mainstream media, the recent Lateline program on ABC TV was also depressing in its conclusion: that PIAs are not being done routinely (and if done, are mostly not being done ‘properly’), even when the privacy issues are most acute – as is typically the case with major national security initiatives.
But how do you know when to do a PIA? And how are you supposed to know if you are doing it ‘properly’?
The analysis underpinning Lateline’s story was this report from privacy advocate Roger Clarke. He developed a five-factor test, to judge 72 national security initiatives, legislative or otherwise, introduced since 2001.
Clarke reviewed:
- whether there was evidence of a PIA being performed
- whether advocacy organisations were aware of the PIA
- whether advocacy organisations were engaged in the PIA
- whether the PIA Report was published, and
- whether advocacy organisations’ views were appropriately reflected in the PIA Report.
He concluded that only three of the 72 initiatives passed this test.
There is a conflict of interest here – not only is Roger Clarke the immediate past Chair of one of the advocacy organisations he expects to be consulted, the Australian Privacy Foundation (APF), but he also runs a privacy consultancy business, offering PIA services – as do we. So he is sitting in judgment on not only himself, but also his professional competitors. (Luckily for us, Salinger Privacy got Clarke’s stamp of approval for two of the three PIAs he deemed to be sufficient; his own was the third. And my own declaration: I was also an active member of the APF, including two years as Chair, from 2004 to 2007.)
I am a big fan of stakeholder consultation when conducting PIAs. It’s common sense project management. Why wouldn’t you want a ‘heads up’ on what your biggest critics might think or say? And if your initiative is a major national security project or piece of legislation affecting large numbers of citizens or visitors, then absolutely, meet with the APF, EFA, CCL or Liberty Victoria, and others. You might be surprised at how they can assist.
But is engagement with privacy or civil liberties advocates a pre-condition of what makes a ‘proper’ PIA? No. Sometimes the stakeholders to consult with will be purely internal; or they might be individuals or organisations representing your customers.
I think the question of whether or not a PIA has been done ‘properly’ is too subjective to be tested at all. It is often said that PIAs are more art than science. They don’t sit easily with black letter lawyers.
Actually, PIAs are more like cooking than either art or science. A privacy impact assessment has to take the business objective of the project, whisk it thoroughly with some law that is already ‘fuzzy’, and then stir in a measure of stakeholder input, a good dollop of community expectations, and a pinch of unpredictability. And don’t forget to set the oven dial to ‘Privacy by Design’.
There are cookbooks like the OAIC PIA guide to help you along your way. There are handy lists of the ingredients that might trigger a PIA, or the questions that you might ask.
But the ultimate tests are: Have you identified all the privacy risks that might arise? And then, have you found ways to mitigate those risks?
The proof of that pudding will only ever be in the eating.