The Information Commissioner’s Office (ICO) has published a new privacy impact assessment code to help organisations to manage the data protection risks of implementing new projects and policies. The code replaces the ICO’s privacy impact assessment (PIA) handbook.
The Data Protection Act 1998 does not oblige organisations to carry out PIAs, but the ICO recommends undertaking one, as it will help organisations to comply with the Act. The process the code outlines could also help to address compliance risks at an early stage, when making the necessary changes is likely to be less costly.
PIAs are suitable for a variety of situations, for example:
- A new IT system for storing and accessing personal data;
- A data sharing initiative between organisations;
- A proposal to identify people in a particular demographic and initiate a course of action; or
- A new database which consolidates information held by separate parts of an organisation.
A copy of the code can be found here.