Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2013

Roger Clarke's 'PIA Origins and Development'

Privacy Impact Assessment: Its Origins and Development

Roger Clarke **

Published in Computer Law & Security Review 25, 2 (April 2009) 123-135

Publisher's Official Copy

© Elsevier, 2009

This PrePrint is at


Privacy impact assessment (PIA) is a systematic process for evaluating the potential effects on privacy of a project, initiative or proposed system or scheme. Its use has become progressively more common from the mid-1990s onwards.

On the one hand, privacy oversight agencies and privacy advocates see PIAs as an antidote to the serious privacy-intrusiveness of business processes in the public and private sectors and the ravages of rapidly developing information technologies. On the other, governments and business enterprises alike have struggled to encourage public acceptance and adoption of technologies that are very apparently privacy-invasive, and have been turning to PIAs as a means of understanding concerns and mitigating business risks.

This paper distinguishes PIAs from other business processes, such as privacy issues analysis, privacy law compliance checking and privacy audit, and identifies key aspects of the development of PIA practice and policy from their beginnings through to the end of 2007.


1. Introduction

As late as the second quarter of 2008, the highest citation-counts on Google Scholar for articles on the topic of Privacy Impact Assessment (PIA) appeared to be 21, 17, 10 and 9 (for Carter 2000, Clarke 1998a, Raab 2004 and Flaherty 2000 respectively). The ISI Web of Science catalogue, searching across titles only and within a much more restrictive set of journals, disclosed precisely 2 papers, neither with any citations.

The lack of interest in academic circles contrasts with the situation in the policy arena, where the topic has attracted considerable attention, the practice is established, and the method is well-documented. PIAs are often conducted in a highly-charged environment, and the interests of groups with varying degrees of power are usually in at least apparent conflict, and are sometimes locked in combat in a zero-sum game. It is therefore important to document the origins and early history of the method, to inform the inevitable debates of the coming years.

This paper commences with a brief review of the privacy arena, to provide the context within which PIAs have emerged. A definition is provided, and key characteristics of the process described. The paper then identifies related notions that pre-date PIAs and on which the formulation of PIA processes could be based. Applications of 'impact assessment' thinking to privacy issues are identified which pre-date uses of the term PIA. The emergence of the related terms privacy impact 'statement' and 'assessment' are documented. Important threads in the development of PIAs in various countries are noted. In addition to literature relevant to the history of PIAs, references are provided to definitions, guidelines and exemplars.

2. Privacy

Privacy has become a major social issue only since the 1960s. Its emergence as a significant policy consideration can be attributed to the enormous expansion of threats to it. These have arisen from a combination of the increased scale of social and economic institutions, the increasingly professional and mechanistic forms of management in both the private and public sectors, increasing information-dependence to cope with the reduction in face-to-face contact, and advances in information technology, all feeding off one another (Clarke 1988. See also Flaherty 1989, Bennett 1992).

The 'fair information practices' (FIP) movement emerged from the late 1960s, partly in Europe, but particularly in the USA in the work of Westin (Westin 1967, 1971; Westin & Baker 1974). Its purpose was less to protect privacy than to respond to privacy concerns from the perspective of the organisations that were increasingly impacting on it. The FIP movement involved the establishment of bodies of principles that purported to provide protections against the impacts of business practices and technology, while having the minimum possible impact on business and government administration. The still-prevalent attitude in US business and government is well-expressed in this quotation: "I think it quite likely that self- discipline on the part of the executive branch will provide an answer to virtually all of the legitimate complaints against excesses of information- gathering"(Rehnquist, 1971, then a spokesperson for the US Justice Department, subsequently US Chief Justice, quoted in Rule et al. 1980, p. 147).

Of the various bodies of principles that were published during the 1970s, a few sought to impose substantial obligations on organisations (e.g. HEW 1973, NSWPC 1977, PPSC 1977). Most, however, adopted the narrower and (for organisations) less painful formulations consistent with FIP. A key feature was the power of each organisation to define the purposes of its data processing systems. This has the effect that the collection, storage, use and disclosure principles enshrined in legislation and codes are built on sand, and hence provide only limited privacy protection. Another device was the establishment of weak privacy oversight agencies (variously Inspectorates, Registries and Commissions) with limited powers and limited resources.

The FIP movement achieved an international convention in the form of the OECD Guidelines (OECD 1980). The Guidelines' pro-business and anti-privacy purpose was explicit and unequivocal: to " ... advance the free flow of information between Member countries and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries" (OECD 1980). The OECD Guidelines have in turn shaped virtually all laws and guidelines since the end of the 1970s. New sets are still being produced, however, as business and government continue to seek relief from what they see as the more onerous among the impositions of the FIP/OECD model. Two of significance are the US Administration's 'safe harbor' provisions (USDOC 2000) and the APEC Privacy Framework (APEC 2005).

Although the nature of FIP was recognised by some commentators from the outset (e.g. Rule 1974, Rule et al. 1980), it has only slowly permeated the consciousness of the wider public. Since 1980, with the exception of a few elements of the EU Directive (EU 1995), there has been little further development in privacy protections. Existing laws still reflect both the pro-business-and-government / anti-privacy agenda of FIP, and the long-superseded information technologies of the 1970s. The scene during the closing years of the twentieth century included weak privacy oversight agencies, frustrated privacy advocacy organisations, and a public that was increasingly wary and evasive in its dealings with business and government. The conditions were ripe for a change in approach.

3. Privacy Impact Assessments

The concept of a PIA emerged and matured during the period 1995-2005. The driving force underlying its emergence is capable of two alternative interpretations. Firstly, demand for PIAs can be seen as a belated public reaction against the increasingly privacy-invasive actions of governments and corporations during the second half of the twentieth century. Increasing numbers of people want to know about organisations' activities, and want to exercise control over their excesses. Privacy oversight agencies call for the technique to be applied, and privacy advocacy organisations build them into their calls for action. From this perspective, the conduct of a PIA can be viewed as the ceding by a large organisation of some of the substantial power that it exercises over citizens or consumers.

Alternatively, the adoption of PIAs can be seen as a natural development of rational management techniques. Many applications of information technology depend on their adoption by people, and compliance by people with the requirements of the resulting systems. Significant numbers of governmental and corporate schemes have suffered low adoption and poor compliance, and been subjected to harmful attacks by the media. Organisations have accordingly come to appreciate that privacy is now a strategic variable. They have therefore factored it into their risk assessment and risk management frameworks. 'PIA' was the language talked by regulators and privacy lobbyists; so government in particular, and business to a lesser extent, have adopted the term and the technique.

The meaning ascribed to the term 'PIA' has varied over time and across jurisdictions. Aspects are discussed progressively through this paper, and a collection of definitions is provided in Appendix 1. The interpretation adopted by the author is that a PIA is properly distinguished from other kinds of activities by the following characteristics:

The following sections trace the way in which this contemporary interpretation of PIAs came about.

4. The Emergence of PIAs

This section adopts a chronological approach to the emergence of PIAs, via its precursors, the concept, and the term 'privacy impact statement', to the term 'privacy impact assessment'.

4.1 Precursors

There would appear to be two primary intellectual threads that gave rise to the concept and term 'PIA'.

One is the idea of 'technology assessment', as practised in the Office of Technology Assessment (OTA) of the US Congress, 1972-1995, and in a range of European contexts. An early treatment of the Office's methods is in OTA (1977). See also Porter et al. (1980).

The other pregenitor is the 'impact statement'. Its early application was in the form of Environmental Impact Statements (EIS), which originated in the 'green' movements of the 1960s. The US implemented a requirement for an EIS for major projects in 1970, and few jurisdictions in economically advanced nations are without some kind of requirement. There have been great tensions in this area, however. EIS are costly, and inevitably involve considerable delay. There has accordingly been a great deal of lobbying by powerful corporations, and by development-oriented government agencies, resulting in a wide array of compromises to the processes and products.

Of even greater relevance to the history of PIAs has been the cynicism about the EIS notion that arose among the people affected by major projects. If the law only requires that an EIS be prepared, then there remain many ways in which projects could gain approval despite having excessive negative impacts on the environment. The process that produces the EIS may be subject to inadequate controls, insufficiently audited, or insufficiently auditable, and hence the EIS may succeed in glossing over problems. An EIS may gain insufficient media coverage, and hence a development-minded agency or Government may be able to ignore illogic, and value negative impacts and negative public opinion very lightly.

A more substantial notion is 'impact assessment' which is usefully defined as "the identification of future consequences of a current or proposed action". The weaknesses of an EIS are countered by the notion of an Environmental Impact Assessment (EIA). This lifts the focus beyond product alone to include process, and is a more fully articulated concept, including prior publication, public consultation, further publication and review. Official training materials are provided by UNEP (2002). Many government agencies provide guidelines. EIS has become the document that is produced at the end of an EIA, rather than the end in itself.

A professional community exists, the International Association for Impact Assessment (IAIA), which has long since applied the idea beyond its environmental origins. In addition to guidance on Environmental Impact Assessment (IAIA 1999), IAIA also provides guidance on Social Impact Assessment (IOCSIA 1994, (IAIA 2003). See also the segment on social impact assessment in UNEP (2002) and Becker & Vanclay (2003).

Privacy is not a focal point of the social impact assessment movement, however. IAIA does not appear to have recognised PIA as a sub-domain, and its Journal, after 25 Volumes, does not appear to have published a single article on the topic.

4.2 Origins of the Concept

The concept now widely referred to as a PIA did not arrive with a pre-determined name. Hence most of the early publications do not mention the term.

Data protection laws that pre-dated the OECD Guidelines (e.g. those of Hesse 1970, Sweden 1973 and Austria, Denmark, France and Norway all of which passed laws in 1978) commonly required registration or licensing, and a check was necessary to ensure that the data controller's behaviour was in compliance with the law. Flaherty (1989, p. 405) documents instances where pre-decisional assessments were occasionally used in some European countries such as the Scandinavian countries and the U.K., and Bygrave (2002) points out that the Norwegian Data Inspectorate was required to assess "whether the establishment and use of the register in question may cause problems for the individual person ..." (s. 10, Norwegian Personal Data Registers Act of 1978, since superseded). Impact Assessment involves a much broader study than merely compliance with a specific law; but interpretations and discretions within those laws would have doubtless enabled the privacy oversight agency to make some contributions along the lines of what would later be referred to as a PIA. See also Bennett (1992).

The process was institutionalised in 1995 in Article 20 of the European Directive, which mandated what is referred to as 'prior checking' against applicable standards, particularly of sensitive information systems. This is further discussed in section 5 below.

The concept is also evident in an important, early document on the other side of the Atlantic: "Each time a new personal data system is proposed (or expansion of an existing system is contemplated) those responsible for the activity the system will serve, as well as those specifically charged with designing and implementing the system, should answer such questions as ... What purposes will be served by the system and the data to be collected? How might these purposes be accomplished without collecting these data? ..." (HEW 1973, p.51).

The final paragraph of Chapter 13 of a US Study Commission's report, PPSC (1977), states "Perhaps the most significant finding in the Commission's assessment of the [US] Privacy Act [1974] arises from its examination of the vehicles available for evaluating and assessing existing record systems, new systems, and agency practices and procedures. Quite simply, there is no vehicle for answering the question: "Should a particular record-keeping policy, practice, or system exist at all?" While the Act takes an important step in establishing a framework by which an individual may obtain and question the contents of his record, it does not purport to establish ethical standards or set limits to the collection or use of certain types of information. Without such standards, however, the principal threat of proliferating records systems is not addressed. Nowhere, other than in the ineffective section requiring the preparation and review of new system notices, does the Act address the question of who is to decide what and how information should be collected, and how it may be used. To deal with this situation, the Congress and the Executive Branch will have to take action" (emphasis added in this paper).

It would therefore appear that the concept, although not yet the term, was in use in some quarters as early as the first half of the 1970s. Moreover, the notion was sufficiently well-developed for a national commission to frame one of its 160 recommendations around it (and indeed one that survived the endeavours of the Ford Administration to reduce the report's scope, although the Recommendation was not taken up).

A later reference to a procedure readily recognisable as an antecedent to the PIA process appears in Australian legislation relating to the specific practice of data matching (referred to as 'computer matching' in the USA). The Data-Matching Program (Assistance and Tax) Act 1990 included in Schedule 1 a requirement for a 'program protocol'. This is closely related to the PIA notion in that it includes requirements to document "the justifications for the program, ... what methods other than data matching were available and why they were rejected [and] any cost/benefit analysis or other measures of effectiveness which were taken into account in deciding to initiate the program" (para. 3.1).

Another thread that contributes to the emergence of PIAs is cost-benefit analysis (CBA). This is a cluster of techniques that enable the evaluation of a project based on narrow financial criteria, or on broader financial and non-financial factors, or on a yet broader range of factors in order to reflect perspectives additional to that of the sponsor. CBA was applied to the assessment of computer matching projects in Clarke (1995a). The proposal for a regulatory scheme for computer matching in Clarke (1995b) includes the equivalent of a PIA, although it does not use the term and it focusses more heavily on the scheme's benefits and costs than on its impacts and disbenefits.

4.3 Origins of the Term 'Privacy Impact Statement'

In keeping with usage in the precursor context of environmental impact, the original concept was of a 'statement' prepared as a condition precedent to approval of a project or to parliamentary debate about legislation. Flaherty has stated that he can document the use of the term as early as the 1970s (2000, footnote 3). However the first literature reference to the term 'privacy impact statement' located by this author is a passage published by Flaherty in 1989, quoting a 1984 document of the Canadian Justice Committee: "The Justice Committee recommended ... the submission of a privacy impact statement [by an agency to the Canadian Privacy Commissioner] in relevant situations. The Cabinet ... rejects the formal requirement of an impact statement to accompany each piece of legislation [footnoted to Re Ternette and Solicitor General of Canada, Dominion Law Reports 10, 4th ser. (1984): 587]" (Flaherty 1989, p.277-278, emphasis added in this paper).

Flaherty also uses the term at two other locations in the same book: "The data protection agency can ... [prepare] its own evaluations of the potential impact on personal privacy of proposed legislation and information systems. ... It is important that small data protection agencies encourage the main government departments to prepare their own initial reviews of the impact of new technology, preferably in the form of 'privacy impact statements' ..." (Flaherty 1989, p.405, emphasis added in this paper); and "The US Privacy Protection Study Commission wisely recommended the preparation of a privacy impact statement for each piece of federal legislation" (p. 413, fn. 26, emphasis added in this paper). A search of PPSC (1977) does not detect any use of term, although the concept (as discussed earlier) is indeed evident.

Several years later, also in Canada, and at the point in time when PIA began to become mainstream, a paper on smart cards by staff of the Ontario Information and Privacy Commissioner's office included a "sample privacy impact statement" (IPCO 1993, emphasis added in this paper). It is unfortunately not part of the version of the document that is currently available on the Web.

4.4 Origins of the Term 'Privacy Impact Assessment'

The term that has been current since the mid-1990s is the more comprehensive 'PIA'. In addition to resulting in a less unattractive acronym, it has the effect of emphasising process rather than product, and encompasses published information, consultation, publication and review.

The earliest mention of the term that the author has identified is advice provided by Lance Hoffman (private communication, 2004) that he assisted in the preparation of a Berkeley, California ordinance requiring a Privacy Impact Assessment, and that the ordinance is included in Hoffman (1973). Some years later, Daniel et al. (1990) focussed on privacy impacts of traffic management technologies (a predecessor term for what is currently referred to as Intelligent Transportation Systems), but referred to 'social impact assessment' rather than PIA. Stewart advised (private communication, 2004) that the term was used in Longworth (1992).

Early contributions were made by the then Ontario Privacy Commissioner Tom Wright (IPCO 1993, 1994, 1995, 1997) and by the then British Columbia Privacy Commissioner David Flaherty (Flaherty 1994, 1995). The earliest mention of the term for which the author can provide a copy is a recommendation to the Ontario legislature "Pro-active Consideration of Access and Privacy Implications" in the form of "a regulation that requires institutions to conduct a privacy impact assessment, as defined in the regulation, prior to the introduction of any computer information systems" (IPCO 1994, at s. 50, emphasis added in this paper).

By the mid-1990s, Privacy Commissioners and a small number of specialist consultants and academics, variously in Canada, New Zealand and Australia were thinking about PIAs in a systematic manner as an "essential tool for data protection" (Flaherty 2000). The idea spread rapidly around the policy community, although, as will be discussed below, the formalisation of tools to implement the PIA process took a further 5-10 years to mature.

5. Articulation

Developments in PIA philosophy, law and practice occurred in parallel in various countries, and differed among them, in some respects substantially. Because this paper's focus is on the history of PIAs, it does not attempt a thorough intellectual examination, but merely identifies key aspects. It draws on a variety of sources, including ICO (2007a) and the detailed Appendices to that Study, C to I inclusive.

This section outlines developments in approximately chronological order, in the jurisdictions that, in the author's view, made the most significant contributions. The section is supported by Appendices that identify definitions, examplars and guidelines. The subsequent section identifies some key themes.

(1) New Zealand

In 1996, Blair Stewart, Deputy N.Z. Privacy Commissioner, published two of the earliest formal papers on PIAs, in the Australasian journal Privacy Law & Policy Reporter (Stewart 1996a, 1996b). Stewart also organised a discussion session on PIAs in Christchurch, New Zealand, on 13 June 1996 (Flaherty 2000).

In 1996-97, in the context of public concerns about a driver licensing scheme, the then Commissioner, Bruce Slane, adopted a policy of encouraging PIAs in particular circumstances. In January 1999, the NZPC published a 'Guidance Note in Information Matching Privacy Impact Assessments'. This was restricted in its scope to matching programmes, which are the subject of specific requirements under the Act. The current version of the document is dated 2006. A hard-copy collection of 'Approaches, Issues And Examples' was published as Stewart (2001), and a further paper appeared as Stewart (2002).

In 2002, the NZPC published a 'Privacy Impact Assessment Handbook' (NZPC 2002). The Handbook acknowledges the authorship of Blair Stewart, prior and parallel work in Alberta, Ontario and British Columbia, and interactions with Hong Kong. It also references prior publications by Stewart (1996a, 1996b, 1999, 2001), Flaherty (2000) and Waters (2001). The New Zealand Commissioner hosted an international symposium on PIAs in 2003.

(2) Three Provinces of Canada

As noted in the previous section, the then Privacy Commissioners of Ontario and British Columbia were also very early movers. Alberta moved soon afterwards, and almost all Provinces have become active users of PIAs, in name at least.

In Ontario, since the late 1990s, the principal driver behind government policy in relation to PIAs was not the privacy oversight body, but a central agency called the Management Board Secretariat (MBS). As early as June 1998, a completed PIA became a pre-requisite for approval of Information and Information Technology (I&IT) project plans submitted for Cabinet approval. Guidelines were published in December 1999 (MBS 1999). With effect from 2006, the function has been absorbed within the Ministry of Government Services (MGS).

As noted earlier, the academic book Flaherty (1989) included an outline description of what a PIA entailed. During his subsequent term as Privacy Commissioner of British Columbia from 1993 to 1999, Flaherty took the opportunity to apply the theory. Within the province's public sector, PIAs of some kind were mainstream, although not mandatory, by the late 1990s. Impetus was provided by a public furore over disclosure of the City of Victoria property value assessments on its public website (Flaherty 1998).

In 2002, the B.C. Freedom of Information and Protection of Privacy Act was amended such that s. 69(5) requires agencies to conduct PIAs for "a new enactment, system, project or program". The process has been supported by guidance since as early as 1998. A database of PIA summaries has been maintained since then, which had reached a count of about 150 by the end of 2007. The scope is limited, however, to the determination of their compliance with the Act, i.e. it is little more than a data protection law compliance check and falls a long way short of being a comprehensive PIA.

In Alberta, s.64 of the Health Information Act, passed in 1999, imposes on public agencies in the health care sector the requirement to conduct PIAs. In devising the process, the architects drew on their background in environmental management. The scope is defined as being "proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information [that] may affect the privacy of the individual who is the subject of the information". PIAs are not mandated elsewhere in the Alberta public sector. However a central agency, Services Alberta, provides guidelines in relation to their conduct (SA 2005).

(3) Australia

In Australia, as indicated above, an early form of PIA referred to as a 'program protocol' was imposed on a particular family of data matching programs by s.12 and the associated Schedule to the Data-Matching Program (Assistance and Tax) Act 1990. Non-binding guidelines for application to other data matching programs were published shortly afterwards (OFPC 1992). Both sets were prepared by Nigel Waters, Deputy to the then Privacy Commissioner, Kevin O'Connor.

The earliest mention of the term 'PIA' found in Australian sources appears to be a 1995 acknowledgement by the Telecommunications Industry Ombudsman that PIAs had a role to play (referred to in Dixon 1997). Further stimulation arose from Stewart (1996a and 1996b) which, although authored by a New Zealander, were published in an Australasian journal.

In 1997, a call was made for implementation of PIAs, invoking both Stewart's publications and Flaherty's work in British Columbia (Dixon 1997). Soon afterwards, descriptions of the PIA process at lesser and greater depth were published in Clarke (1998a, 1998b).

In December 2001, the then Privacy Commissioner, Malcolm Crompton, issued 'Guidelines for Agencies using PKI to communicate or transact with individuals' (OFPC 2001). A draft set of generic guidelines was released for public consultation in 2004, and published in final form by Crompton's successor two years later (OFPC 2006).

In 2004, the State of Victoria issued a guide (OVPC 2004). The other major State, New South Wales, is supportive of PIAs but has lacked the resources and Government commitment to pursue the matter.

(4) Canada

At federal level in Canada, significant impetus was provided in 2000 by "the highly publicised debacle over Human Resources Development Canada's (HRDC) Longitudinal Labour Force File (LLF) whose ... dismantlement, following public complaints about the database, cost the department millions of dollars" (Bloomfield 2004. See also HRDC 2000).

Policy responsibility in relation to the conduct of PIAs rests with a central agency, the Treasury Board, which has published guidance and a tool (TBC 2002a, 2002b, 2003). The guidelines require that "initiatives ... comply with privacy requirements and ... resolve privacy issues that may be of potential public concern" (TBC 2002a, p. 4), and the process is accordingly not limited to compliance with privacy laws.

The Office of the Privacy Commissioner has an audit and review function, and an Audit Report containing multiple recommendations for improvements was published in late 2007 (OPCC 2007).

(5) Hong Kong

In early 2000, the then Privacy Commissioner, Stephen Lau, advised the Immigration Department to conduct a PIA in respect of the planned replacement of the HKSAR ID Card. As a result, the scheme was the subject of a PIA at each of four phases between 2000 and 2004. The first PIA Report was published (Pacific Privacy 2000), but the subsequent three appear not to have been. Some other PIAs have been undertaken, but no formal guidelines have yet been published.

(6) U.S.A.

It might appear incongruous that the USA has not appeared earlier in this section, given that guidance from the Office of the Privacy Advocate in the Internal Revenue Service (IRS) dates from December 1996. This was reflected over time in similar documents prepared by a range of other agencies, and some further impetus was provided by the Electronic Government Act of 2002. The reason for de-valuing these activities is that their contributions to the development of PIA law, policy and practice have been largely negative.

In the current version of the IRS guidelines, for example, which date from 2000, the language used is expansive, but the actual activity that they require is very limited. The document refers not to the 'conduct' of a PIA but to its 'completion', indicating that it is perceived as a product rather than as a process that influences design. Worse, it is driven from the very limited and patchy provisions in US statutes, and not from an examination of the proposal and its impacts. This is fairly typical of the US federal approach to privacy, which has always been pragmatic and reactive rather than substantive and anticipatory (Bennett 1992).

The Department of Homeland Security's Privacy Officer has authority under s. 222 of the Homeland Security Act of 2002 to require PIAs. A Privacy Threshold Analysis (PTA) instrument is used to determine whether a PIA is required. The examinations required are so superficial, and so unrelated to actual privacy needs and expectations, that extraordinarily privacy-invasive measures have been instituted in a wide range of systems that perform at least nominal roles in the Bush Administration's 'war on terror'. Such activities are PIAs in name only. Their actual form is that of a mere data protection law compliance checklist. With rare exceptions, the USA remains a wasteland from the viewpoint of privacy policy.

Outside government, the ideology of the US private sector is hostile to the notion that consumers might have a participatory role to play in the design of business systems. This is of considerable significance internationally, because US corporations have such substantial impact throughout the world. Their lack of appreciation of the privacy impacts of their operations, and of the annoyance that their arrogance causes, has given rise to substantial clashes between the privacy cultures and legal frameworks of the USA and Europe.

One device for forestalling legislative provisions is the creation and publication of a technical or management standard or code. A US standard for PIAs exists in the form of ANSI (2004); but this was merely a limited response to the provisions of the US Financial Services Modernization Act of 1999 (usually referred to as the Gramm-Leach-Bliley Act). Corporations that wish to sustain the privileged position that they achieved through the FIP movement exist in many countries other than the USA. An international standard is being developed through a committee of the International Standards Organisation: ISO/IEC JTC-1 SC-27 WG-5. As is commonly the case with standards organisations, these processes have lacked the least vestige of consultation with people, or with their representatives or advocates for their interests.

(7) States of the U.S.A.

As late as the end of 2007, there was still very little evidence of PIAs at State level. Even in California (whose population of 36 million is exceeded by only 6 members of the EU, and whose GDP is much the same as that of the U.K. and of France), the only signs of progress have been a 2006-07 legislative debate over a Bill that mentioned PIAs, and a bland (and, at the time of writing, unfulfilled) statement by the State's Office of Privacy Protection that it is developing a method and tools for agencies to use.

(8) Europe

The term 'PIA' and the processes that a PIA involves have largely been developed in the Anglophone world. Academic literature searches in 2007 generated virtually no material in the English language focused on PIAs in Member States of the European Union (EU), and a practitioner literature search did no better (ICO 2007a, Appendix H). The term PIA has certainly been known in some European countries, however, not least The Netherlands. See, for example, Kenny & Borking (2002).

Article 20 of the 1995 EU Directive (EU 1995), headed 'Prior Checking', states that: "Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof". The requirement appears to have been implemented in the laws of some 17 of the EU nations. The form in which it is expressed is highly varied, however, and the coverage is very patchy. Moreover, the actual extent to which the various laws are respected is far from clear.

In the U.K. in April 2002, a Cabinet Office document advocated the use of PIAs to promote more consistent decision making across public services on privacy and data sharing issues. (Recommendation 19 and Annex D of UKCO 2002, reported in Stewart 2002). In 2007, the U.K. Information Commissioner's Office commissioned a project to deliver a comprehensive review of PIA law, policies and practices around the world (ICO 2007a, on which this paper has drawn heavily), and a PIA Handbook (ICO 2007b).

At least two other EU countries appear to be moving in the direction of PIAs. Finland has proposed a model that has a resemblance to the PIA models found in Canada, Australia and New Zealand (DPOF 2007). In addition, the Irish Data Protection Commissioner's Office has recommended the conduct of a PIA in relation to any proposal to apply biometrics in the workplace or school (DPCIE 2007).

6. Key Themes

This section identifies a small set of key themes that arise from a survey of laws, policies and practices relating to PIAs around the world. The themes selected as being of greatest significance are the scope of the PIA concept, the balance between mandation and voluntary conduct of PIAs, and the areas in which PIAs have been applied.

The definitions used in various publications are provided in Appendix 1. In some jurisdictions, especially the USA but also a number of Canadian Provinces, the scope is so limited that the activity is not really impact assessment, but merely data protection law compliance audit. In most jurisdictions, however, the scope is reasonably broad, and a PIA is primarily a process, with the PIA Report treated as just one of the deliverables rather than as an end in itself.

In a few cases, the requirement to undertake a PIA has been enshrined in law. Any mandation of PIAs is generally worded carefully, however. Requiring that one be conducted for every project is likely to be counter-productive because it tends to encourage merely formal checklist-filling rather than intellectual engagement with the issues. It is more common for organisations to be required to consider whether a PIA is needed. Hence, in most jurisdictions, PIAs are regarded as an instrument of policy.

In many jurisdictions, the PIA process is motivated by the need for public trust, and is framed in terms of risk management. That was evident in the EU Directive in 1995, and has been commented on by, among others, Raab (2004). The evolution of PIAs needs to be seen within the context of larger trends in advanced industrial societies to manage 'risk' and to impose the burden of proof for the harmlessness of a new technology, process, service or product on its promoters. Personal information systems should be "regarded as (relatively) dangerous until shown to be (relatively) safe, rather than the other way around" (Bennett & Raab 2006, p. 62).

From the late 1990s onwards, PIAs were increasingly recognised as an idea whose time had come. Guidelines have been published, some by privacy oversight bodies, some by central agencies, and others by consultants. Many sets of Guidelines are of the nature of checklists, and can easily lead to the generation of documents that evidence a superficial understanding of the privacy issues arising from the project.

Other sets of Guidelines, on the other hand, are educational, and intentionally designed to stimulate constructive approaches to what are usually complex and multi-dimensional problems. Placement within the context of risk management is particularly noticeable in the Guidelines of Ontario (MBS 1999), Canada (TBC 2002b, OPCC 2007), Alberta (SA 2005), Australia (OFPC 2006) and the U.K. (ICO 2007b). Appendix 3 identifies all sets of PIA guidelines known to the author, classified into recommended authorities, early documents, and other current documents.

The performance of PIAs has to date been predominantly a public sector activity. Many of the guidelines apply equally to the private sector, however, and there are instances in most jurisdictions of the technique being applied at least in the context of public-private partnerships, and in some cases by industry associations and corporations as well.

7. Conclusions

Since its emergence in the mid-1960s, privacy protection has been constrained by the Fair Information Practices model to a framework that has been more protective of corporate and government interests than of people's data, let alone of people themselves. The early emphasis was on bodies of principles that could be applied to individual organisations, business processes, and projects. Among the challenges that confronted this approach were the dominance of the FIP notion, and the enormous diversity of business and government, and of applications of information technologies. The bodies of principles are accordingly riddled with exemptions and exceptions, and have been continually undermined by subsequent laws.

Since the mid-1990s, PIA has established itself as an important tool. It can be distinguished from processes such as compliance checks and privacy audits because of its anticipatory, positive and risk-management orientations. The PIA meme is already mature in several countries, most notably in Canada and Australia, is making advances in other countries such as the New Zealand and the United Kingdom, and has gained a toe-hold in Hong Kong. It may be emergent in countries on the Continent of Europe, although the technique is of course subject to local variants and local naming conventions.

On the other hand, PIAs as defined in this paper are almost non-existent in the USA In the US public sector, government agencies have subverted the term to refer to a mere legal compliance study; and US private sector philosophies reject the notion that public policy and consumers have a role to play in the design of business systems. The lack of comprehension of privacy issues among US corporations has serious implications, because of their continuing endeavours to apply privacy-invasive technologies and business processes throughout the world, and to negotiate privacy protection laws down to the low level prevalent in their domestic economy.

Outside the USA, PIAs have become an instrument whereby commentators and advocates can demand more information and more consultation, and privacy oversight agencies, despite their dismal lack of formal powers, can argue for deeper consideration of privacy by government agencies and corporations. Organisations perceive them as a means to analyse and manage risk, and it appears that this positive approach may be in the process of overtaking the hostile, reactionary approaches such as industry standards, and attempts to re-kindle the Fair Information Practices movement.

The coming years will tell whether PIAs achieve their aims of surfacing issues, involving the public, and ensuring a multi-stakeholder approach to initiatives. Without PIAs of the kind described in this paper, it will be difficult to achieve appropriate balances among conflicting interests, and to avoid serious harm to return on business technology investments resulting from high levels of distrust by consumers of corporations, and by citizens of governments.


Appendix 1: Definitions

Impact Assessment is defined by International Association for Impact Assessment (IAIA) as "the identification of future consequences of a current or proposed action".

The two earliest definitions of Privacy Impact Assessment found in the literature are:

The following list of definitions of Privacy Impact Assessment from documents published by national and sub-national privacy oversight agencies draws heavily on ICO (2007a, p. 3):

Appendix 2: Exemplars

This Appendix identifies the earliest-known examplars of PIA Reports, together with sources of PIA Reports in a number of jurisdictions.

Early Exemplars

PIA Exemplars in Australia - Federal

Sections of Appendix E within ICO (2007), and within that :

PIA Exemplars in Alberta (but mostly without PIA-relevant content)

The Alberta Privacy Commissioner's PIA Registry is at:

PIA Exemplars in British Columbia (largely Data Protection Law Compliance)

BC's Personal Information Directory containing PIA summaries is at

Data Protection Law Compliance Checklist Exemplars in the USA

Department of Homeland Security at

Internal Revenue Service at,,id=122989,00.html

US Postal Service at

Department of Transportation at

Department of Labor at

Department of State at

Department of Justice at

Department of Health and Human Services at

Department of Education at

Bureau of the Census at

Appendix 3: Guidelines

This Appendix identifies the small set of Guidelines recommended by the author, the earliest-known guidelines in relation to the conduct of PIAs, and other known Guidelines.

Recommended Guidelines

The following small set of Guidelines is recommended by the author as a basis for the conduct of PIAs. The set is provided in chronological order, most recent first:

Early Guidelines

Other Current Guidelines

The following Guidelines, which are adjacent to PIAs, or overly specific, or dated, or are otherwise not recommended by the author, are listed in chronological order:

Guidance is increasingly appearing in commercial documents and books, such as Karol (2001) and Marcella & Stucki (2003, pp. 332-348).


All items for which URLs are provided were most recently accessed on 2 February 2008, unless otherwise noted.

ANSI (2004) 'Privacy Impact Assessment Standard' American National Standards Institute, ANSI X9.99:2004

APEC (2005) 'APEC Privacy Framework' Asia-Pacific Economic Cooperation, 2005, at

Becker H. & Vanclay F. (2003) 'The International Handbook of Social Impact Assessment' Cheltenham: Edward Elgar, 2003

Bennett C.J. (1992) 'Regulating Privacy: Data Protection and Public Policy in Europe and the United States' Cornell University Press, Ithaca, 1992

Bennett C.J. & Raab C.D. (2006) 'The Governance of Privacy: Policy Instruments in Global Perspective' MIT Press, Cambridge, 2006

Bloomfield S. (2004) 'The Role of the Privacy Impact Assessment' Office of the Privacy Commissioner of Canada, 2004 at:

Bygrave L. (2002) 'Data Protection Law: Approaching Its Rationale, Logic and Limits' Kluwer Law International, 2002

Carter M. (2000) 'Integrated electronic health records and patient privacy: possible benefits but real dangers' Medical Journal of Australia 172 (January 2000) 28-30, at

Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) 498-512, at

Clarke R. (1995a) 'Computer Matching by Government Agencies: The Failure of Cost/Benefit Analysis as a Control Mechanism', Informatization and the Public Sector (March 1995), at

Clarke R. (1995b) 'A Normative Regulatory Framework For Computer Matching' Computer & Information Law XIII,4 (Summer 1995) 585-633 , at

Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy', Proc. Conf. I.S. Audit & Control Association (EDPAC'96), Perth, 28 May 1996, at

Clarke R. (1998a) 'Privacy Impact Assessments', Xamax Consultancy Pty Ltd, February 1998, at

Clarke R. (1998b) 'Privacy Impact Assessments', Xamax Consultancy Pty Ltd, February 1998, at

Daniel M., Webber M.J. & Wigan M.R. (1990) 'Social impacts of new technologies for traffic management' Australian Road Research Board, Research Report ARR 184, 1990

DPCIE (2007) 'Biometrics in the workplace' Data Protection Commissioner of Ireland, 2007?, at

DPOF (2007) 'Privacy Impact Assessment' Presentation Slides, Data Protection Ombudsman of Finland, August, 2007, Slide 15

EU (1995) 'Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data' Directive 95/46/EC, 1995 O.J. (L 281) 31-50, at

Flaherty D. (1989) 'Protecting Privacy in Surveillance Societies' Uni. of North Carolina Press, 1989

Flaherty D.H. (1994) 'Submission to Industry Canada re the Information Highway', December 1994, in particular Appendix A, at [Link active in 2004, but broken in 2007]

Flaherty D.H. (1995) 'Provincial Identity Cards: A Privacy-Impact Assessment', September, 1995, at [broken link at 4 February 2004]

Flaherty D. (1998) 'An investigation concerning the disclosure of personal information through public property registries' Office of the Information and Privacy Commissioner of British Columbia' Investigation P98-011, 31 March 1998, at

Flaherty D.H. (2000) 'Privacy Impact Assessments: an essential tool for data protection', October 2000, A presentation to a plenary session on "New Technologies, Security and Freedom," at the 22nd Annual Meeting of Privacy and Data Protection Officials held in Venice, September 27-30, 2000. Reprinted in Privacy Law & Policy Reporter 7,5 (2000) 85-90 (November 2000), at Revised version in Perrin S., Black H., Flaherty D.H. & Rankin T. M. (2001) 'The Personal Information Protection and Electronic Documents Act' Irwin Law, Toronto, 2001

Harding E. (1999) 'Privacy Impact Assessment and Commentary on the Mental Health Information Project' New Zealand Health Information Service, February 1999, formerly at, mirrored at

HealthBC (1997) 'Sample Privacy Impact Statement' British Columbia Ministry of Health, 1994, 1997, at [broken link at 4 February 2004]

HEW (1973) 'Records, Computers and the Rights of Citizens' U.S. Dept. of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, MIT Press, Cambridge. Mass., 1973, at

Hoffman L. (1973) 'Security and Privacy in Computer Systems' Melville Publishing Co. (a division of Wiley), Los Angeles, California, 1973

HRDC (2000) 'HRDC Dismantles Longitudinal Labour Force File Databank' Human Resources and Social Development Canada, 29 May 2000, at:

IAIA (1999) 'Principles of Environmental Impact Assessment Best Practice Practice', International Association For Impact Assessment, in cooperation with U.K. Institute of Environmental Assessment, January 1999, at

IAIA (2003) 'Social Impact Assessment: International Principles' Association for Impact Assessment, May 2003, at

ICO (2007a) 'Privacy Impact Assessments: International Study of their Application and Effects' Information Commissioner's Office, Wilmslow, I.K., December 2007, at

ICO (2007b) 'Privacy Impact Assessment Handbook' Information Commissioner's Office, Wilmslow, I.K., December 2007, at

IOCSIA (1994) 'Guidelines and Principles For Social Impact Assessment' Interorganizational Committee on Guidelines and Principles for Social Impact Assessment (U.S. Department of Commerce, National Oceanic and Atmospheric Administration, and National Marine Fisheries Service), May 1994, at

IPCO (1993) 'Smart Cards', Information and Privacy Commissioner/Ontario April 1993, at

IPCO (1994) 'Suggested Changes to the Municipal Freedom of Information and Protection of Privacy Act: Submission to The Standing Committee on the Legislative Assembly', Information and Privacy Commissioner/Ontario, January 1994, at

IPCO (1995) 'Eyes on the Road: Intelligent Transportation Systems and Your Privacy', Information and Privacy Commissioner/Ontario (March 1995), at [broken link at 4 February 2004]

IPCO (1997a) Appendix to 'Geographic Information Systems', Information and Privacy Commissioner/Ontario, April 1997, at, and mirrored in Clarke (1998)

IPCO/ACTA (1997) 'Smart, Optical and Other Advanced Cards: How to do a Privacy Assessment', Information and Privacy Commissioner/Ontario and Advanced Card Technology Association of Canada, September 1997, at

IPCO/ACTA (2000) 'Multi-Application Smart Cards: How to do a Privacy Assessment', Information and Privacy Commissioner/Ontario and Advanced Card Technology Association of Canada, August 2000, at

IRS (1996) 'IRS Privacy Impact Assessment' Office of the Privacy Advocate, Internal Revenue Service, Version 1.3, December 1996, as adopted by the [U.S.] CIO Council in February 2000, at

ISO/IEC JTC-1 SC-27 WG-5 - Identity management and privacy technologies Committee, listed at

Karol T.J. (2001) 'Cross-Border Privacy Impact Assessments:  An Introduction', Information Systems Control Journal, 3 (March 2001), at

Kenny S. & Borking J. (2002) 'The Value of Privacy Engineering', Refereed Article, The Journal of Information, Law and Technology (JILT) 2002 (1), at

Longworth L. (1992) 'Telecommunications and Privacy Issues' Report for the N.Z. Ministry of Commerce, 1992

Longworth E. (1996) 'Notes on Privacy Impact Assessments' Privacy Issues Forum, Christchurch, NZ, 13 June 1996, in NZPC (1997)

Marcella A.J. & Stucki C. (2003) 'Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues' Wiley, 2003

MBS (1999) 'Privacy Impact Assessment Guidelines' 1999, revised 2001, Management Board Secretariat, Government of Ontario, at

NSWPC (1977) 'Guidelines for the Operation of Personal Data Systems', N.S.W. Privacy Committee, Sydney, document BP31, April 1977, at

NZPC (1997) 'A Compilation of Materials in Relation to Privacy Impact Assessment' New Zealand Privacy Commissioner, 1997

NZPC (2002) 'Privacy Impact Assessment Handbook' Office of the New Zealand Privacy Commissioner, March 2002, at

OECD (1980) 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data', Organisation for Economic Cooperation and Development, Paris, 1980, at,3343,en_2649_201185_1815186_1_1_1_1,00.html

OFPC (1992) 'The use of data matching in Commonwealth administration - Guidelines' Office of the Federal Privacy Commissioner, 1992, rev. February 1998, at

OFPC (2001) 'Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to Communicate or Transact with Individuals' Office of the Federal Privacy Commissioner, December 2001, at

OFPC (2006) 'Privacy Impact Assessment Guide' Office of the Federal Privacy Commissioner, August 2006, at

OIPC-AB (2001) 'Privacy Impact Assessment: Instructions and Annotated Questionnaire' Office of the Information and Privacy Commissioner Alberta, Canada, January 2001, at

OPCC (2007) 'Assessing the Privacy Impacts of Programs, Plans, and Policies', Office of the Privacy Commissioner of Canada, October 2007, at

OTA (1977) 'Technology Assessment in Business and Government' Office of Technology Assessment, NTIS order #PB-273164', January 1977, at

OVPC (2004) 'Privacy Impact Assessments - A Guide', Office of the Victorian Privacy Commissioner, August 2004, at$FILE/OVPC_PIA_Guide_August_2004.pdf

Pacific Privacy (2000) 'Hong Kong Special Administrative Region Identity Card Project - Report on Initial Privacy Impact Assessment' Pacific Privacy Pty Ltd, November 2000, at

Porter A.L., Rossini F.A. & Carpenter S.R. (1980) 'A Guidebook for technology assessment and impact analysis' Elsevier, 1980

PPSC (1977) 'Personal Privacy in an information Society' Privacy Protection Study Commission, U.S. Government Printing Office, Washington D.C., July 1977, at,

Raab C. (2004) 'The future of privacy protection' Office of Science and Technology, London, 2004, at

Rule J.B. (1974) 'Private Lives and Public Surveillance: Social Control in the Computer Age' Schocken Books, 1974

Rule J.B., McAdam D., Stearns L. & Uglow D. (1980) 'The Politics of Privacy' New American Library, 1980

SA (2005) 'Privacy Compliance: Privacy Impact Assessments' Service Alberta, 2005, at

SSNYPSC (1991) 'Statement of Policy on Privacy in Telecommunications' State of New York Public Service Commission, 22 March 1991, reprinted in Information and Privacy Commissioner of Ontario submission to the Ontario Telephone Service Commission 'Privacy and Telecommunications', September 1992

Stewart B. (1996a) 'Privacy impact assessments' Privacy Law & Policy Reporter 3, 4 (July 1996) 61-64, at

Stewart B. (1996b) 'PIAs - an early warning system' Privacy Law & Policy Reporter 3, 7 (October/November 1996) 134-138, at

Stewart B. (1999) 'Privacy impact assessment: towards a better informed process for evaluating privacy issues arising from new technologies' Privacy Law & Policy Reporter 5, 8 (February 1999) 147-149, at

Stewart B. (2001) 'Privacy Impact Assessment: Some Approaches, Issues And Examples' Proc. Conf. N.Z. Privacy Commissioner, 2001

Stewart B. (2002) 'Privacy impact assessment roundup' Privacy Law & Policy Reporter 9, 5 (October 2002) 90-91, at

TBC (2002a) 'Privacy Impact Assessment Policy' Treasury Board of Canada Secretariat, 2002, at

TBC (2002b) 'Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks' Treasury Board of Canada Secretariat, 2002, at

TBC (2003) 'Privacy Impact Assessment (PIA) e-learning tool' Treasury Board Secretariat, Ottawa, October 2003, at

UKCO (2002) 'Privacy and data-sharing: The way forward for public services: Annex D: The analytical framework and privacy impact assessments', UK Cabinet Office Strategy Unit, April 2002, at [Annex D was at, link active in 2004, but broken in 2008]

UNEP (2002) 'Environmental Impact Assessment Training Resource Manual' United Nations Economics and Trade Programme, 2nd Edition, June 2002, at

Uni Alberta (1998) 'Privacy Impact Assessment Model' University of Alberta, 1 April 1998, at University of Alberta, at [Link active in 2007, but broken in 2008]

USDOC (2000) 'Safe Harbor' U.S. Department of Commerce, 2000, at

USDOI (2002) 'Privacy Impact Assessment and Guide' Department of the Interior, July 2002, at

USDOJ (2000) 'Privacy Impact Assessment for Justice Information Systems' Working Paper, August 2000, at [Link active in 2004, but broken in 2008]

Waters N. (2001) 'Privacy impact assessment - traps for the unwary' Privacy Law & Policy Reporter 7, 9 (February) 176, at

Westin A.F. (1967) 'Privacy and Freedom' Atheneum 1967

Westin, A.F., Ed. (1971) 'Information Technology in a Democracy', Harvard University Press, Cambridge, Mass., 1971

Westin A.F. & Baker M.A. (1974) 'Databanks in a Free Society: Computers, Record-Keeping and Privacy' Quadrangle 1974

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.


A preliminary version of this paper was prepared in February 2004, which formed the basis for a presentation at Queens University, Kingston Ontario, on 9 June 2004. Many people provided assistance during the preparation of that version, including Blair Stewart (NZ), Nigel Waters, Graham Greenleaf, Philip George and Chris Connolly (AU), Ann Cavoukian, David Flaherty, Peter Hope-Tindall, Pierrot Peladeau and Stephanie Perrin (CA), Dave Banisar, Robert Gellman, Lance Hoffman and Willis Ware (US), Herbert Burkert (Germany), and Lee Bygrave (Norway).

The next opportunity to further develop the paper did not arise until the second half of 2007, when a team led by Loughborough University was commissioned by the U.K. Information Commissioner's Office to undertake an international study of laws, policies and practices relating to PIAs around the world (ICO 2007a), and prepare a PIA Handbook (ICO 2007b). The author greatly appreciates the assistance of his colleagues on that project, Robin Bayley, of Linden Consulting Inc and Prof. Colin Bennett of the University of Victoria, both in Victoria, British Columbia, Andrew Charlesworth of the University of Bristol, and Adam Warren (Project Manager) and Prof. Charles Oppenheim (Project Director), both of Loughborough University. The permission of the Information Commissioner's Office's to reproduce relevant material arising from that Study as part of this paper is also acknowledged.

All evaluative comments, however, are the responsibility of the author alone.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 40 million by the end of 2012.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 6 February 2004 - Last Amended: 9 April 2008 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2013   -    Privacy Policy