Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2022
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Professor, Baker & McKenzie Cyberspace Law & Policy Centre, University of N.S.W.
Visiting Professor, E-Commerce Programme, University of Hong Kong
Visiting Fellow, Department of Computer Science, Australian National University
Draft of 6 February 2004
© Xamax Consultancy Pty Ltd, 2004
MORE SUBSTANTIAL, REFEREED PAPERS ON THIS THEME ARE AT CLARKE (2008) AND CLARKE (2009)
This document is at http://www.rogerclarke.com/DV/PIAHist.html
Privacy Impact Assessment emerged during the 1980s from precursor notions of 'technology assessment' and 'environmental impact statements'. The idea achieved currency through the 1990s, and is increasingly evident in the early years of the new century, as governments and business alike struggle to encourage public acceptance and adoption of quite apparently privacy-invasive technologies.
The concept of a Privacy Impact Assessment gained currency during the last decade of the old century. An introductory paper on the concept is Clarke (1998). The purpose of the present paper is to trace the origins and development of the meme.
There would appear to be two primary intellectual threads that gave rise to the concept and term 'PIA'.
One is the idea of 'technology assessment', as practised in the Office of Technology Assessment (OTA) of the U.S. Congress, 1972-1995, and in a range of European contexts. An early treatment of the Office's methods is in OTA (1977). [Later works, which would reflect the OTA's next 15-18 years' experience, have to date eluded me]
The other progenitor is the concept of an Environmental Impact Statement (EIS). The origins of this idea are to be found in the 'green' movements of the 1960s. The U.S. implemented a requirement for an EIS for major projects in 1970, and few jurisdictions in economically advanced nations would be without some kind of requirement.
There have been great tensions in this area. EIS are costly, and inevitably involve considerable delay. There has accordingly been a great deal of lobbying by powerful corporations, and by development-oriented agencies, resulting in a wide array of compromises to the processes and products.
Of even greater relevance to the history of PIAs has been the cynicism about the EIS notion that has arisen among the people affected by major projects. If the law only requires that an EIS be prepared, then there remain many ways in which inappropriate projects can gain approval. The EIS may be insufficiently audited, or insufficiently auditable, and hence may succeed in glossing over problems. The EIS may gain insufficient media coverage, and hence a development-minded agency or government may be able to ignore illogic, and value public opinion very lightly.
A more substantial notion that counters the weaknesses of an EIS is Environmental Impact Assessment (EIA). This is a more articulated concept, including public consultation, publication and review; and it lifts the focus beyond product alone to include process. Official training materials are provided by UNEP (2002). Links to government sources are available on various sites, including that of the Australian Department of Environment & Heritage.
A professional community exists, the International Association for Impact Assessment (IAIA), which has long since applied the idea to additional areas. The Association's journal, Impact Assessment and Project Appraisal, commenced publication in the early 1980s. IAIA defines impact assessment as "the identification of future consequences of a current or proposed action". IAIA provides guidance on Environmental Impact Assessment (IAIA 1999).
UNEP (2002) includes a segment on Social Impact Assessment, but privacy is not mentioned. IAIA provides guidance on Social Impact Assessment (IOCSIA 1994, IAIA 2003). See also Becker & Vanclay (2003). But, despite its broad scope, IAIA and its journal do not appear to have recognised a sub-domain of 'privacy impact assessment'.
It may prove impracticable, and in any case unprofitable, to search too studiously for the first usage of the relevant terms. It is as well, however, to document that which comes readily to hand.
In keeping with usage in the precursor context of environmental impact, the original concept was of a 'statement' prepared as a condition precedent to approval of a project, or the debate of legislation.
The first literature reference to 'privacy impact statements' that I have located to date is, by way of Stewart (2001), at Flaherty (1989, p.405): "The data protection agency can ... [prepare] its own evaluations of the potential impact on personal privacy of proposed legislation and information systems. ... It is important that small data protection agencies encourage the main government departments to prepare their own initial reviews of the impact of new technology, preferably in the form of 'privacy impact statements' ...".
Further, in respect of the Canadian Federal Privacy Commissioner, he wrote "The Justice Committee recommended ... the submission of a privacy impact statement [by an agency to the Privacy Commissioner] in relevant situations. The Cabinet ... rejects the formal requirement of an impact statement to accompany each piece of legislation [footnoted to Re Ternette and Solicitor General of Canada, Dominion Law Reports 10, 4th ser. (1984): 587]" (p.277-278).
Flaherty's Footnote 26 on p. 413 also states that "The U.S. Privacy Protection Study Commission wisely recommended the preparation of a privacy impact statement for each piece of federal legislation". The final paragraph of PPSC's Chapter 13 states "Perhaps the most significant finding in the Commission's assessment of the Privacy Act arises from its examination of the vehicles available for evaluating and assessing existing record systems, new systems, and agency practices and procedures. Quite simply, there is no vehicle for answering the question: "Should a particular record-keeping policy, practice, or system exist at all?" While the Act takes an important step in establishing a framework by which an individual may obtain and question the contents of his record, it does not purport to establish ethical standards or set limits to the collection or use of certain types of information. Without such standards, however, the principal threat of proliferating records systems is not addressed. Nowhere, other than in the ineffective section requiring the preparation and review of new system notices, does the Act address the question of who is to decide what and how information should be collected, and how it may be used. To deal with this situation, the Congress and the Executive Branch will have to take action" (my emphasis).
It would therefore appear that at least the concept, and perhaps the term, was in use in some quarters as early as 1977. Moreover, the notion was sufficiently well-developed for a national commission to frame one of its 160 recommendations around it (and indeed one that escaped the hatchetry of the Ford Administration, although of course the Recommendation was not taken up).
Interestingly, in one of the formative documents, HEW (1973), the concept can be traced, but not the term. In particular "Each time a new personal data system is proposed (or expansion of an existing system is contemplated) those responsible for the activity the system will serve, as well as those specifically charged with designing and implementing the system, should answer such questions as ..." (p.51).
The term that has been in currency since at least the second half of the 1990s is the more comprehensive 'PIA'. In addition to resulting in a less unattractive acronym, it is focussed on process as well as product, and encompasses consultation, publication and review.
There are claims of the term 'PIA' being used in the 1970s. [David Flaherty says he can document the use of the term as early as the 1970s (2000, footnote 3), and I look forward to receiving a list of references from him!]
[Lance Hoffman advises that Hoffman (1973) includes a Berkeley, California ordinance requiring a Privacy Impact Assessment, which he helped write]
The term was used in discussions I had with Karl Reed and others in the context of the Australian Computer Society's Economic Legal & Social Implications Committee (ELSIC), in the mid-1980s. We toyed with both 'Social Impact Assessment' and 'Privacy Impact Assessment' at the time, as a means of forcing government agencies and corporations to confront the impacts and implications of applications of advanced information technologies.
Daniel et al. (1990) refers to 'social impact assessment' of traffic management technologies (a predecessor term for what is currently referred to as Intelligent Transportation Systems); but its primary focus is on privacy impacts.
The first documentary usage that I have traced to date is in IPCO (1993), a paper on smart cards by Ann Cavoukian and staff of her Ontario Information and Privacy Commissioner's office. [It appears that this is no longer accessible on the Web, and I have not yet located a printed copy]
The concept did not arrive with a pre-determined name. Hence most of the early papers do not mention the term 'PIA'.
The original, pre-OECD Guidelines data protection laws (e.g. those of Hesse 1970, Sweden 1973 and Norway 1978) commonly required registration or licensing. A check was required to ensure that the data controller's behaviour was in compliance with the law. For example, Bygrave (2002) points out that the Norwegian Data Inspectorate was required to assess "whether the establishment and use of the register in question may cause problems for the individual person ..." (s. 10, Norwegian Personal Data Registers Act of 1978, since superseded). Impact Assessment involves a much broader study than merely compliance with a specific law; but interpretations and discretions within those laws would have doubtless enabled Registrars to make some contributions to what we now understand to be a PIA.
The Australian Data-Matching Program (Assistance and Tax) Act 1990 includes in Schedule 1 a requirement for 'program protocols', which are a form of PIA.
Stewart says that the term was used in Longworth (1992). [But that's another reference I haven't seen, and hence I can't enlarge upon the statement]
Early contributions were made by Privacy Commissioners Cavoukian in Toronto (IPCO 1993, 1995) and Flaherty in Vancouver (Flaherty 1995). [But they appear to have disappeared from the Web, and I have yet to locate printed copies of them]
Another important thread is Cost-Benefit Analysis, which was applied to the assessment of computer matching projects in Clarke (1995a). A substantial proposal for a regulatory scheme for computer matching is in Clarke (1995b). An examination of the means whereby an organisation can adopt a strategic approach to privacy is in Clarke (1996).
Early usage of the PIA process was reported on in IPCO (1993, 1995). [I have not yet located copies of these, and hence cannot trace the elements that appeared in them]
As noted in Flaherty (2000), a discussion session on PIAs was organised by Blair Stewart in Christchurch, New Zealand, on 13 June 1996. The considerable New Zealand contributions are summarised in Stewart (1996a, 1996b and 1999).
A considerable contribution to progress in the area arose from early applications of the ideas. The earliest exemplars that I have identified to date are:
Stewart (2001) states that "official guidelines for the preparation of PIAs date from at least 1991 ... See SSNYPSC (1991)". Other early sets of guidelines include 'Suggested Rules for Evaluating the Privacy Impacts of Emerging Technologies', Appendix A to Flaherty (1994), IRS (1996), HealthBC (1997), IPCO/ACTA (1997, 2000) and Uni Alberta (1998).
From the late 1990s onwards, PIAs were recognised by a succession of government agencies as an idea whose time had come. A large number of Guidelines were prepared, which have varying degrees of authority and influence.
It is normal for the routinisation of procedures to result in fairly mindless procedures and documents. Many sets of Guidelines are of the nature of checklists, and can easily lead to the generation of guideline-compliant documents; whereas others are intentionally introductory and designed to stimulate constructive approaches to what are usually complex and multi-dimensional problems.
Recent official documents include Ontario (1999, 2001), USDOJ (2000 - which applies specifically to Justice Information Systems), OIPC-AB (2001), OFPC (2001 - for public key infrastructure projects), NZPC (2002), Canada (2002), UKCO (2002) and USDOI (2002).
Guidance is increasingly appearing in commercial documents and books, such as Karol (2001) and Marcella & Stucki (2003, pp. 332-348).
Since its emergence in the mid-1960s, privacy protection has been constrained by a mere 'fair information practice' model to a framework that has been more protective of corporate and government interests than of people or even of their data.
The early emphasis was on bodies of principles that could be applied to individual organisations, business processes, and projects. Among the challenges that confronted this approach was the enormous diversity of business and government, and of applications of information technologies.
PIAs have emerged from an early fog, and are now mainstream. The coming years will tell whether they force the surfacing of issues, the involvement of the public, and a multi-stakeholder approach to development initiatives that reflects the privacy interest, and achieves balances among conflicting interests that are less privacy-insensitive than was the case during the last three decades of the twentieth century.
Thanks to the many people who've contributed to the establishment of this document, especially Blair Stewart (NZ), Nigel Waters, Graham Greenleaf, Philip George and Chris Connolly (AU), Ann Cavoukian, David Flaherty, Peter Hope-Tindall, Pierrot Peladeau and Stephanie Perrin (CA), Dave Banisar, Robert Gellman, Lance Hoffman and Willis Ware (US), Herbert Burkert (Germany), and Lee Bygrave (Norway).
Becker H. & Vanclay F. (2003) 'The International Handbook of Social Impact Assessment' Cheltenham: Edward Elgar, 2003
Bygrave L. (2002) 'Data Protection Law: Approaching Its Rationale, Logic and Limits' Kluwer Law International, 2002
Canada (2002) 'Privacy Impact Assessment Policy' Treasury Board Secretariat, Government of Canada, April 2002, at http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/siglist_e.asp
Clarke R. (1995a) 'Computer Matching by Government Agencies: The Failure of Cost/Benefit Analysis as a Control Mechanism', Informatization and the Public Sector (March 1995), at http://www.rogerclarke.com/DV/MatchCBA.html#CBA
Clarke R. (1995b) 'A Normative Regulatory Framework For Computer Matching' Computer & Information Law XIII,4 (Summer 1995) 585-633, at http://www.rogerclarke.com/DV/MatchFrame.html
Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy', Proc. Conf. I.S. Audit & Control Association (EDPAC'96), Perth, 28 May 1996, at http://www.rogerclarke.com/DV/PStrat.html
Clarke R. (1998) 'Privacy Impact Assessments', Xamax Consultancy Pty Ltd, 10 February 1998, at http://www.rogerclarke.com/DV/PIA.html
Daniel M., Webber M.J. & Wigan M.R. (1990) 'Social impacts of new technologies for traffic management' Australian Road Research Board, Research Report ARR 184, 1990
Flaherty D. (1989) 'Protecting Privacy in Surveillance Societies' Uni. of North Carolina Press, 1989
Flaherty D.H. (1994) 'Submission to Industry Canada re the Information Highway', December 1994, in particular Appendix A, at http://www.oipcbc.org/publications/other/Industry-Canada.html
Flaherty D.H. (1995) 'Provincial Identity Cards: A Privacy-Impact Assessment', September, 1995, at http://www.oipcbc.org/publications/presentations/identity_cards.html [broken link at 4 February 2004]
Flaherty D.H. (2000) 'Privacy Impact Assessments: an essential tool for data protection', October 2000, A presentation to a plenary session on "New Technologies, Security and Freedom," at the 22nd Annual Meeting of Privacy and Data Protection Officials held in Venice, September 27-30, 2000. Reprinted in Privacy Law & Policy Reporter 7,5 (2000) 85-90 (November 2000), at http://www.austlii.edu.au/au/journals/PLPR/2000/45.html
HealthBC (1997) 'Sample Privacy Impact Statement' British Columbia Ministry of Health, 1994, 1997, at http://www.hlth.gov.bc.ca/him/bc/sc/impact.html [broken link at 4 February 2004]
HEW (1973) 'Records, Computers and the Rights of Citizens' U.S. Dept. of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, MIT Press, Cambridge. Mass., 1973, at http://aspe.os.dhhs.gov/datacncl/1973privacy/tocprefacemembers.htm
Hoffman L. (1973) 'Security and Privacy in Computer Systems' Melville Publishing Co. (a division of Wiley), Los Angeles, California, 1973
IAIA (1999) 'Principles of Environmental Impact Assessment Best Practice', International Association For Impact Assessment, in cooperation with U.K. Institute of Environmental Assessment, January 1999, at http://www.iaia.org/Members/Publications/Guidelines_Principles/Principles%20of%20IA.PDF
IAIA (2003) 'Social Impact Assessment: International Principles' Association for Impact Assessment, May 2003, at http://www.iaia.org/Members/Publications/Guidelines_Principles/SP2.pdf
IOCSIA (1994) 'Guidelines and Principles For Social Impact Assessment' Interorganizational Committee on Guidelines and Principles for Social Impact Assessment (U.S. Department of Commerce, National Oceanic and Atmospheric Administration, and National Marine Fisheries Service), May 1994, at http://www.iaia.org/Members/Publications/Guidelines_Principles/SIA%20Guide.PDF
IPCO (1993) 'Smart Cards', Information and Privacy Commissioner/Ontario (April 1993), at http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/smcard-e.htm [broken link at 4 February 2004]
IPCO (1995) 'Eyes on the Road: Intelligent Transportation Systems and Your Privacy', Information and Privacy Commissioner/Ontario (March 1995), at http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/its-e.htm [broken link at 4 February 2004]
IPCO (1997) Appendix to 'Geographic Information Systems', Information and Privacy Commissioner/Ontario, April 1997, at http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/gis.htm#APPENDIX [broken link at 4 February 2004], but mirrored in Clarke (1998)
IPCO/ACTA (1997) 'Smart, Optical and Other Advanced Cards: How to do a Privacy Assessment', Information and Privacy Commissioner/Ontario and Advanced Card Technology Association of Canada, September 1997, at http://www.actcda.com/resource/single.pdf
IPCO/ACTA (2000) 'Multi-Application Smart Cards: How to do a Privacy Assessment', Information and Privacy Commissioner/Ontario and Advanced Card Technology Association of Canada, August 2000, at http://www.actcda.com/resource/multiapp.pdf
IRS (1996) 'IRS Privacy Impact Assessment' Office of the Privacy Advocate, Internal Revenue Service, Version 1.3, December 1996, as adopted by the [U.S.] CIO Council in February 2000, at http://www.cio.gov/Documents/pia_for_it_irs_model.pdf
Karol T.J. (2001) 'A Guide to Cross-Border Privacy Impact Assessments', Deloitte & Touche, March 2001, at http://www.itgi.org/cbprivacyguide.doc
Longworth L. (1992) 'Telecommunications and Privacy Issues' Report for the N.Z. Ministry of Commerce, 1992
Longworth E. (1996) 'Notes on Privacy Impact Assessments' Privacy Issues Forum, Christchurch, NZ, 13 June 1996, in NZPC (1997)
Marcella A.J. & Stucki C. (2003) 'Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues' Wiley, 2003
NZPC (1997) 'A Compilation of Materials in Relation to Privacy Impact Assessment' New Zealand Privacy Commissioner, 1997
NZPC (2002) 'Privacy Impact Assessment Handbook' Office of the New Zealand Privacy Commissioner, March 2002, at http://www.privacy.org.nz/comply/pia.html
OFPC (2001) 'Privacy and Public Key Infrastructure: Guidelines for Agencies using PKI to Communicate or Transact with Individuals' Office of the Federal Privacy Commissioner, December 2001, at http://www.privacy.gov.au/publications/pki.doc
OIPC-AB (2001) 'Privacy Impact Assessment: Instructions and Annotated Questionnaire' Office of the Information and Privacy Commissioner Alberta, Canada, January 2001, at http://www.oipc.ab.ca/ims/client/upload/pia-instructions-1.1.pdf
Ontario (1999, 2001) 'Privacy Impact Assessment Guidelines' 1999, re., 2001, Management Board Secretariat, Government of Ontario, at http://www.gov.on.ca/mbs/english/fip/pia/pia1.html
OTA (1977) 'Technology Assessment in Business and Government' Office of Technology Assessment, NTIS order #PB-273164, January 1977, at http://www.wws.princeton.edu/~ota/disk3/1977/7711_n.html
PPSC (1977) 'Personal Privacy in an Information Society' Privacy Protection Study Commission, U.S. Government Printing Office, Washington D.C., July 1977, at http://aspe.hhs.gov/datacncl/1977privacy/toc.htm
SSNYPSC (1991) 'Statement of Policy on Privacy in Telecommunications' State of New York Public Service Commission, 22 March 1991, reprinted in Information and Privacy Commissioner of Ontario submission to the Ontario Telephone Service Commission 'Privacy and Telecommunications', September 1992
Stewart B. (1996a) 'Privacy impact assessments' Privacy Law & Policy Reporter 3, 4 (July 1996) 61-64, at http://www.austlii.edu.au/cgi-bin/disp.pl/au/journals/PLPR/1996/39.html
Stewart B. (1996b) 'PIAs - an early warning system' Privacy Law & Policy Reporter 3, 7 (October/November 1996) 134-138, at http://www.austlii.edu.au/cgi-bin/disp.pl/au/journals/PLPR/1996/65.html
Stewart B. (1999) 'Privacy impact assessment: towards a better informed process for evaluating privacy issues arising from new technologies' Privacy Law & Policy Reporter 5, 8 (February 1999) 147-149, at http://www.austlii.edu.au/cgi-bin/disp.pl/au/journals/PLPR/1999/8.html
Stewart B. (2001) 'Privacy Impact Assessment: Some Approaches, Issues And Examples' Proc. Conf. N.Z. Privacy Commissioner?
Stewart B. (2002) 'Privacy impact assessment roundup' Privacy Law & Policy Reporter 9, 5 (October 2002) 90-91
UKCO (2002) 'Privacy and data-sharing: The way forward for public services: Annex D: The analytical framework and privacy impact assessments', UK Cabinet Office Strategy Unit, April 2002, at http://www.piu.gov.uk/2002/privacy/report/annex-d.htm
UNEP (2002) 'Environmental Impact Assessment Training Resource Manual' United Nations Economics and Trade Programme, 2nd Edition, June 2002, at http://www.unep.ch/etu/publications/EIAMan_2edition_toc.htm
Uni Alberta (1998) 'Privacy Impact Assessment Model' University of Alberta, 1 April 1998, at http://www.ualberta.ca/FOIPP/mud/s212a.htm
USDOI (2002) 'Privacy Impact Assessment and Guide' Department of the Interior, July 2002, at http://www.doi.gov/ocio/privacy/Privacy_Impact_Assessment_9_16_02.doc
USDOJ (2000) 'Privacy Impact Assessment for Justice Information Systems' Working Paper, August 2000, at http://www.ojp.usdoj.gov/archive/topics/integratedjustice/piajis.htm
Created: 31 January 2004 - Last Amended: 6 February 2004 by Roger Clarke - Site Last Verified: 15 February 2009