The SCL is preparing its own response to this consultation, but as I’m not involved in that process, and as the discussion led to my forming some fairly strong views on how the current draft guidance applies to SMEs, I’m submitting my own response (in a personal capacity) to the consultation.
Basically I think that the current proposal will completely alienate SMEs (not to mention many larger companies), who will see no relevance to what comes across as a highly complex and bureaucratic process – for all its claims to “flexibility”. However, at its heart, the concept of a Privacy Impact Assessment (PIA) is one that could be useful to SMEs, if the guidance were constructed in a simpler, more “bottom-up” way.
My draft answers are after the fold. Suggestions for improvement are welcomed…
1. Does the draft code of practice explain clearly why and how an organisation should conduct a PIA?
I’ve answered “no” to this, saying:
The organisations that are most likely to benefit from having an explanation as to “why” a PIA is beneficial are likely to be SMEs, and they will benefit from a punchier, clearer explanation of the business benefits of a PIA – both in terms of avoiding regulatory problems but also of fostering customer confidence and making more effective, scalable use of the information they process.
Similarly, the current details as to “how” are likely to put off SMEs from even considering the use of PIAs. They will conclude that PIAs are a bureaucratic process intended solely for large, generally public sector, organisations, with little real relevance to SMEs. In my opinion, that would be an entirely rational conclusion for them to reach.
2. Is the process described in the guidance flexible enough to be adapted by organisations conducting a PIA?
Another “no” from me, with the following explanation:
The process is too “top-down” in nature. It comes across as a rather “heavy”, bureaucratic process suited for public sector bodies and for large private sector organisations with specialist privacy compliance functions. As such, it misses an opportunity to encourage better practice among SMEs by building the design of PIAs in a “bottom-up” way – see my comments under section 7. This is especially important given that the guidance will become a more important resource for SMEs if and when Data Protection Impact Assessments come into force under an EU Data Protection Regulation.
The remainder of my response is then set out against q.7:
7. Please provide any further comments or suggestions on our draft code of practice.
As noted above, the current guidance, while claiming to be flexible, is lengthy, complex, and appears primarily geared towards public sector organisations, followed by large private sector organisations with specialist privacy compliance functions that can take on the burden of carrying out a PIA (though even then, some provisions – such as the encouragement to publish PIAs – are likely to be seen as unhelpful by most companies).
As such, the guidance misses an opportunity to encourage the use of PIAs by SMEs. I would urge the ICO to restructure the PIA guidance so that, rather than starting with a complex process from which a simpler process can be derived, it should start with a relatively simple framework which can be built upon by organisations with more complex needs.
I would answer the question “What is a PIA?” by saying that a PIA is an assessment of the privacy risks of any new product, service, project or initiative that may affect individuals’ privacy rights in any way, and that it consists of the following elements:
- Assessing how the product uses information and what the information flows are: where it comes from, how it is used, and who will receive/have access to the information.
- Identifying the privacy risks arising from the product – both risks to individuals and risks to the organisation.
- Identifying ways to eliminate, reduce or mitigate those risks.
The point is that by saying that the above steps are what a PIA is, you turn the PIA into something that can be genuinely flexible. The above steps could be carried out quite informally where this is appropriate, or they could be developed into a more complex and formal process to the extent a risk-based approach suggests this is advisable – and then the guidance would set out both how to assess the need for this and the details of what this would involve, much as it does at present.
The point is that this is not continuing two levels of PIA, but having a single framework for PIAs that nevertheless truly allows for the flexibility, and encourages the widespread adoption, which are stated aims of the guidance.
As mentioned above, I’m submitting this in my personal capacity, and nothing here represents the views of my employer. It’s more based on my experience in advising SMEs when I was in private practice. Bluntly, I cannot conceive of advising an SME to follow the current guidance, but the sort of basic framework advocated in my response to q.7 is one which I do think SMEs should be taking on board.