Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
David Flaherty on PIAs

Privacy Impact Assessments: an essential tool for data protection

David Flaherty

Professor Emeritus, University of Western Ontario

David H. Flaherty Inc., Privacy and Information Policy Consultants, Victoria BC, Canada

A presentation to a plenary session on "New Technologies, Security and Freedom", at the 22nd Annual Meeting of Privacy and Data Protection Officials held in Venice, September 27-30, 2000

Version of October 12, 2000

© Copyright David H. Flaherty, 2000. All rights reserved


1. Introduction

When I had the privilege of giving the keynote address at this annual meeting of this group in Quebec City in 1987, I chose to look towards the future in data protection, with a focus on the then distant year 2000. I never dreamed that in this millennial year I would be standing before you, or have had all of the experiences with dramatic change that we have experienced in the 1990s as individuals, as official data protectors, and as privacy advocates. I do remember, with some misgivings, my fear that by the year 2000 official data protectors would be reduced to a tiny ragbag of individuals with pitchforks trying to hold back the forces of surveillance.[1] Since I remain an optimist, I do not think that our current situation has reached quite that unfortunate state, but the "privacy police," as I am fond of calling you these days, have very finite resources when it comes to monitoring implementation of data protection.

I do want to return to one of my supposedly controversial points in 1987 (the privacy watchdog analogy), because I think it has stood the test of time, despite the public remonstrations of the then president of the Commission Nationale de l'Informatique et des Libertés (CNIL), who took great umbrage at my use of the term watchdog. Having had the experience of serving as the first Information and Privacy Commissioner for the Province of British Columbia in Canada (1993-1999), I strongly believe that the conception of the data protection commissioner as a privacy watchdog remains a very powerful and relevant image, reminding me, at least, of the continued inadequacies of countries that do not have such independent watchdogs in place.

The realities at the dawn of the 21st century are that privacy and data protection commissioners, and indeed privacy advocates themselves, are facing a continuing stream of technological innovations that have to be evaluated systematically to measure compliance with the fair information practices or data protection principles that are at the heart of all data protection legislation.[2] That problem is the focus of this first plenary session. Data protectors are facing such arduous responsibilities in the face of an increasing work burden, more and more complex and bureaucratic legislation, such as the European Directive on Data Protection and its national clones, and a very fast pace of technological innovation. Understanding any such change can be a complex activity that data protectors will wish to approach in a systematic manner.

What I intend to draw to your attention is an additional tool in the arsenal of the data protector in the form of privacy impact assessments. The idea is to require the preparation of privacy impact assessments for new products, practices, databases, and delivery systems involving personal information. In the last five years, privacy specialists have developed an assessment model for the application of a new technology or the introduction of a new service, which has good potential for raising privacy alarms at an early stage in an organization's planning process in either the public or private sectors. Various models exist for privacy impact assessments that can be customized to the needs of any organization. The essential goal is to describe personal data flows as fully as possible so as to understand what impact the innovation or modification may have on the personal privacy of employees or customers and how fair information practices may be complied with. Ultimately, a privacy impact assessment is a risk assessment tool for decision-makers that can address not only the legal, but the moral and ethical, issues posed by whatever is being proposed.

What I am proposing, and it will not be a novel suggestion for those of you from North America and New Zealand in particular, is that privacy regulators require, or at least encourage, those being regulated to prepare a privacy impact assessment for significant personal data systems that are new or enhanced in some significant way, so that their privacy implications can be analyzed and addressed in a coherent manner.[3] This idea of using privacy impact assessments is an emerging tool for addressing certain types of data protection problems that was pioneered, in my opinion, by New Zealand and by certain Canadian provinces during the last half decade, including Ontario, B.C., and Alberta.

I realized at Stewart Dresner's superb Privacy Laws and Business conference in Cambridge in July, 2000 that whatever other forms of progress in data protection (such as auditing) have occurred in Europe recently, the concept of a privacy impact assessment as an instrument of data protection has not visibly taken root. I believe that the preparation of a privacy impact assessment, in cooperation with a data protection office, can be extremely useful in helping to avoid an overly legalistic, even Talmudic or Jesuitical, focus in the detailed work of privacy protection. That is because the core of an effective privacy impact assessment is a careful description of how a system (or any application of technology to personal information) actually works. In this process, specific privacy issues can be segregated and addressed in a comprehensive manner. Conducting a privacy impact assessment is also an effective method of engaging a team of persons at any organization, including technology, policy, legal, and privacy specialists, to work together to identify and resolve data protection problems.[4]

2. Description of a Privacy Impact Assessment

Simply put, a privacy impact assessment seeks to set forth, in as much detail as required to promote necessary understanding, the essential components of any personal information system or any system that contains significant amounts of personal information. I find it easiest to indicate what I have in mind by listing the following generic categories of information (Table 1) that should be considered for inclusion in an informative and informed privacy impact assessment.[5]

Table 1: Table of Contents for a Model Privacy Impact Assessment

  1. Introduction and Overview
  2. Description
  3. General Goals
  4. The Need for a System
  5. Current and Intended Scope
  6. Key Objectives
  7. Conceptual Technical Architecture
  8. Risk Management
  9. Statutory Authorities for the Collection, Use, and Disclosure of Personal Information
  10. Privacy Standards and Concerns
  11. Original Purposes of Data Collection
  12. Information Collected
  13. Sources of Data
  14. Limits on Data Collected
  15. Location of Data
  16. Data Retention/Destruction
  17. Consent Issues
  18. Access Rights for Individuals to their Personal Data
  19. Users of Personal Information
  20. Disclosure of Personal Information
  21. Record Linkages as a Privacy Issue
  22. Security Safeguards
  23. Disclosure Avoidance Practices
  24. The Implications of Future Developments
  25. Conclusions about the Privacy Impact
  26. Sources of Information for this Privacy Impact Assessment

Issues of definition and description of the central components of a privacy impact assessment also involve initial questions of whether an organization really needs to prepare one in specific circumstances. In the spring of 1999, as Information and Privacy Commissioner for British Columbia, I had to deal with an issue involving detailed patient waiting lists by specialist for many hospitals in the Lower Mainland and Vancouver Island. The advice of my staff was that a privacy impact assessment was not necessary, but I was concerned about the accuracy of the information about the medical practices of individual physicians and whether physicians themselves had agreed to, or were at least aware of, the personal data to be disseminated in the context of their patient waiting lists. The British Columbia Ministry of Health was reluctant to do the work involved but relented over a weekend and prepared a privacy impact assessment for our review within several days. Even the deputy minister of Health attended the discussion of the privacy impact assessment at our office with my staff. Since we were quite satisfied with the resulting document, we approved it at once and suggested to the deputy minister that he post the privacy impact assessment on the Ministry of Health's web site with the announcement of the waiting list registry, which, ironically, happened the next day (because of the politics of waiting lists for physician services).[6]

If specialized staff of a data protection office have done their homework with their counterparts in organizations, then significant changes in personal information systems will automatically surface and receive appropriate attention, up to and including the most senior staff of the office, including the Privacy Commissioner. I think that it is fruitless to state, up front, that a privacy impact assessment is always required, because it will be quite difficult, given my experience, to make such a decision at an early stage in the development of any system.[7] A better approach in my view is simply to indicate to organizations that privacy impact assessments are highly desirable for significant changes to existing personal information systems or the creation of new ones. Ideally, those responsible for central government oversight of compliance with an Act will ensure that organizations prepare such privacy impact assessments on their own initiative, which can ultimately be reviewed by central government and the Privacy Commissioner's office at an appropriate later step in the process. A similar model can work in the corporate world. A data protection office has to download as much work as possible in order to avoid being swamped.[8]

Organizations must prepare privacy impact assessments in such a manner as to identify key problems, not try to gloss over them, or skip by them, since the specialists in the offices of privacy commissioners will focus on them in the long term. I admire the "true believers" who are advocating various enhanced information systems for seemingly laudable purposes, since what they are proposing is clearly in the public interest, but privacy impact assessments must be written with a more critical eye to the sensitive issues. The hard questions must be answered and not glossed over. "Solutions" to such issues as consent, for example, will likely also be transferable from one privacy impact assessment to another, if the thought processes of the team involved are insightful and creative.

3. Guides to Preparing a Privacy Impact Assessment

A variety of informed groups in Canada and the United States have prepared detailed guides on how to prepare privacy impact assessments. These include the U.S. Internal Revenue Service, Treasury Board Canada, which oversees the federal government's central administration of compliance with the Canadian federal Privacy Act, and the Ontario Management Board of Cabinet, which plays a comparable role with respect to Ontario's Freedom of Information and Protection of Privacy Act.[9] In British Columbia, the Information, Science, and Technology Agency and the Office of the Information and Privacy Commissioner have published model forms for the completion of privacy impact assessments.[10] My former Office prides itself on the model and detailed worksheet, including critical questions, that it has prepared for those preparing a privacy impact assessment.[11]

My major criticism of the existing guides to conducting privacy impact assessments is that they violate the KISS principle, that is, keep it simple, stupid. They give the appearance of being too complicated and burdensome for the users at organizations that will be asked to do the actual work. My sense is that looking at some of these forms and the listed requirements would be a discouragement to cooperation in what is after all a largely voluntary activity on the part of those being regulated. Suggestions and guidance have to be as user-friendly as possible, which I think the ISTA forms referred to above have achieved to a considerable measure, as have those of my former Office. There is no use trying to persuade busy bureaucrats to assist the task of effective implementation of data protection by filling out privacy impact assessments and then burdening them with so much complex guidance that would try the patience and willingness of even the most tolerant among them to follow through on the process.

4. My Direct Experience with the Preparation of Privacy Impact Assessments

As a privacy and information policy consultant working primarily in Canada during the past fourteen months, I have found that the preparation and encouragement of privacy impact assessments is one of the services that I can offer to clients in the public and private sectors. In particular, I have prepared a substantial privacy impact assessment for a federal-provincial effort in the public health surveillance field that features an Internet display tool for making available appropriate, timely, and relevant data to public health officials.

My direct involvement in the preparation of this privacy impact assessment leads me to make the following observations about the process:

5. The Uses of Privacy Impact Assessments

6. Conclusions

I am persuaded on the basis of direct experience that a successful privacy impact assessment can be a very effective instrument in the toolkit of the 21st century Data Protection Commissioner. It can also be very helpful to senior public servants and their elected Ministers who do not wish to be blindsided by privacy disasters, such as happened to the Canadian Minister of Human Resources Development in May, 2000.[15] A proper privacy impact assessment, that incorporated the informed observations of the Office of the Privacy Commissioner of Canada, might have prevented a political and public relations disaster for that particular minister and the federal Liberal government.

Created: 23 October 2000 - Last Amended: 23 October 2000 by Roger Clarke - Site Last Verified: 15 February 2009