Volume 25 (2014) / Issue 3
Privacy impact assessments (PIAs) may soon be standardised. The European Commission plans to make PIAs mandatory if Article 33 of its proposed Data Protection Regulation is adopted without any serious depredations by lobbyists. Concurrently, the International Organization for Standardization (ISO) is considering a standard for PIAs. The approaches currently being pursued by the Commission and the ISO have their antecedents in the PIA methodologies used in Australia, Canada, Ireland, New Zealand, the UK and the US. However, almost no attention has been paid to actual PIA reports to see how well or poorly they have been prepared and how closely they follow the PIA guidance documents in their countries. This paper argues that reviewing actual PIA reports is worth doing, to see what can be learned from how they are implemented and whether their implementation offers any signposts for the policymaking process. However, finding actual PIA reports is something of a challenge. Following a search for UK PIA reports, this paper presents an analysis of some of those reports in terms of how well they followed the ICO PIA Handbook guidance, and what can be learned from an analysis of actual PIA reports. Along the way, this paper argues that organisations in the UK should create a registry of publicly available PIA reports.
All rights reserved