Check your privacy

If your organisation is using CCTV, substance-abuse testing, or checking staff email chat, maybe you should do a Privacy Impact Assessment (PIA). So the Information Commissioner’s Office (ICO) suggests.
The Privacy Impact Assessment (PIA) handbook is described as a new tool for use in the UK. PIAs are ‘a process of ensuring that privacy concerns are identified at the early stage of an initiative so that these can be addressed and safeguards built in rather than bolted on as an expensive after-thought’. Such an assessment could be, the authors suggest, for major public policy developments like national identity cards, or if you are bringing in a new product or service, which could lead to fraud or theft of information, or (say) someone in the public eye having their personal details leaked to the media, harming your business. “PIAs go wider than simply a data protection compliance check and are aimed at looking at all aspects affecting privacy.”

As the handbook starts, issues around privacy include surveillance of the activities of staff, consumers and citizens, monitoring and recording of individuals’ electronic communications and their electronic access to information, and the acquisition of biometrics, body fluids and body tissue. Hence, as the handbook carries on, the law: the Data Protection Act (DPA). But the ICO makes the case for a PIA as a way to anticipate risk – including ‘competitive manoeuvres by other corporations, natural disasters, environmental contamination, cyber-attacks, and the risk of embarrassment’. Certainly the Government has been embarrassed by loss of data. Commenting in late December on the loss of 6,500 people’s data by HM Revenue and Customs in Cardiff after a data cartridge from a pension firm went missing, Shadow Chief Secretary to the Treasury, Philip Hammond, said: “Another day, another data disaster. First we had the lost child benefit CDs, then three million learner drivers’ details go missing in America, and now this.”

What to keep in mind during such an assessment is, by the ICO’s definition, sweeping, including CCTV, the Human Rights Act, the Regulation of Investigatory Powers Act 2000, and the British Standard for information security management, BS 7799, besides the DPA. The ICO does have a history of gunning for the likes of private investigators for seeking personal data, in a couple of reports titled What Price Privacy in the last couple of years, although as investigators point out, their clients are for example chasing debtors or checking dubious insurance claims. The handbook claims that such assessments are mainstream in Canada, the USA and Australia. In any case it is questionable what good more assessing will do for the 11 banks and the Immigration Advisory Service that, as the ICO reported last year after a media outcry, discarded personal information in waste bins outside their premises.

The handbook describes privacy of personal behaviour as the observation of what individuals do, and includes such issues as optical surveillance and ‘media privacy’. Much data may be sensitive, such as sexual preferences and habits, political activities and religious practices. But, the handbook goes on, the notion of ‘private space’ is vital to all aspects of behaviour, is relevant in ‘private places’ such as the home and toilet cubicle, and is also relevant in ‘public places’, where casual observation by the few people in the vicinity is very different from systematic observation, the recording or transmission of images and sounds.

Threats to privacy of personal communications include mail ‘covers’, the use of directional microphones and ‘bugs’ with or without recording apparatus, and telephonic interception and recording. In recent years, concerns have arisen about third-party access to email messages. Individuals generally desire the freedom to communicate among themselves, using various media, without routine monitoring of their communications by other persons or organisations.

And not least there is privacy of the person, which according to the handbook relates to personal safety – implying the scenario of an employer letting a worker’s former partner have personal info which makes possible an attack.

The document points the finger at CCTV and other security measures as privacy-invasive technologies (PITs): “Many technology applications gather data, collate data, apply data, or otherwise assist in the surveillance of people and their behaviour (the “PITs”). Among the host of examples are surveillance technologies (such as CCTV), data-trail generation (such as keystroke monitoring) and identification through the denial of anonymity (e.g., telephone caller ID, loyalty cards and intelligent transport systems), data warehousing and data mining, and the use of biometric information. In an internet context, there is considerable concern about the various types of malware, including viruses, worms, trojans, keystroke-loggers, ‘spyware’ and ‘phishing’.” Here the handbook suggests privacy-enhancing technologies (PETs) such as computer firewalls, and advice against malware.

What would a PIA look like? According to the handbook, the ‘benefits to an organisation of conducting a PIA arise more from the process than the product’. Or, putting it more wordily: “The important thing about PIAs is the process of undertaking the assessment where the organisation considers the impact on privacy and whether there are more privacy friendly alternatives.”

The ICO does say it’s not the law to do a PIA, but adds that it’s ‘eager to encourage use’.

The ICO also quotes a report last year from civil liberties body Liberty. Briefly, the report called for an overhaul of privacy protection. Liberty’s Policy Director and principal author of the report, Gareth Crossman, said: “In times of heightened insecurity we quite rightly compromise some of our privacy for public protection, but if we don’t pause for thought right now, our children will grow up without any sense of the value of privacy.” Among other things the report was critical of CCTV, describing it as ‘not a proven crime deterrent’ and ‘poorly regulated’. The report claimed that ‘the DPA fails to provide an effective enforcement tool’ and called for new regulation. Liberty quotes a YouGov poll that found a majority of people agreed that the UK has become a surveillance society. In the detail of the report, however, the authors were not able to point to any public distrust of public space CCTV, falling back on the claim that the public are not informed.

You can download a copy of the PIA at the ICO website; and you can download a copy of the 137-page Liberty report at