Project Title. Project Number. Privacy Impact Assessment


Transcription:

Project Title
Project Number
Privacy Impact Assessment

This document is classified as Official and is disclosable under the terms of the Freedom of Information Act. No part of the report should be disseminated or copied without prior approval of the author. For further information as to what to disclose if required under FOI please contact the Information Management (Kent Police).

DOCUMENT CONTROL

SRO:
Business Lead:
Project Manager:

Author | Role | Department
Contributors | Role | Department
Version | Version date | Requester of change | Summary of change(s)

Sign-Off Authority
Role | Date | Signature
SRO
Business Lead
Project Manager
Data Protection Officer

DOCUMENT REFERENCES
Ref | Document Name | Version Number

Table of contents

1. Guidance Introduction
   What is Privacy?
   Purpose of the PIA
   Who should conduct a PIA and when
   Consultation Guidance
2. PIA Step by Step
3. Screening Questions
4. Report Overview
5. Data Protection Act 1998 Checklist
   Linking the PIA to the DPA Principles
6. Data Flow Mapping
7. Conclusions
8. Sign Off
9. Related Information Sources

1. Guidance Introduction

The responsibility for conducting the PIA lies with the Senior Responsible Owner (SRO) for a project, and the PIA is produced as part of the business case; however, this activity can be delegated to an appropriate person such as the Project Manager. Once initiated, please contact your Data Protection Officer (DPO) to arrange a brief meeting on the PIA Process.

A business case developed for a project can be an ideal base for a PIA. The business case should set out the project proposal and explain how the project will benefit the organisation.

The consideration of whether a PIA is required is particularly important when a new business process or technology initiative involves the collection, recording, sharing or retention of personal information. The PIA Screening Questions will have identified whether a PIA is necessary or not.

Please read the guidance section of this document fully before undertaking the next two sections (Report Template and the Data Protection Checklist), as this will assist you; pay particular attention to the PIA Process. Upon completion of the Report Template and Data Protection Checklist, email them to the Information Asset Owner as the SPOC for gaining approval from the SIRO; also seek approval from the Programme Manager and email the relevant Data Protection team (lucy.power@kent.pnn.police.uk).

A Privacy Impact Assessment (PIA) is a process which enables Kent Police to identify and address the likely privacy impact of a new initiative or project. It enables privacy considerations to be made in the early stages of a project, where any identified problems can be easier to resolve, rather than through late or retrospective consideration, where solutions can be more costly or delay implementation. It can also identify, following completion of the PIA, whether the project should be continued when balanced with the rights of persons affected.

What is Privacy?

Privacy is about the integrity of the individual:
- Privacy of the person
- Privacy of personal information
- Privacy of personal behaviour
- Privacy of personal communications

Purpose of PIA

The purpose of a PIA is to identify where an individual's privacy will be impacted by a new business or technological initiative.
- Identify and manage risk to individuals' privacy
- Avoid unnecessary costs
- Avoid inadequate solutions
- Avoid loss of trust and reputation
- Support communications strategy
- Meet legal requirements
- Identity Management and Privacy Principles

Who should conduct a PIA and when

The responsibility for ensuring that a PIA is undertaken as part of the business case lies with the Senior Responsible Officer or Project Chair. This activity can be delegated to the Project Manager, who will be responsible for ensuring that the appropriate expertise, such as a Business Analyst/Consultant, has contributed to the PIA.

A Senior Stakeholder from the business (as identified and agreed by the Project Board) will own any residual information risks as the Information Asset Owner at the project's closure. It is imperative that the Information Asset Owner is identified at this early stage, as they will need to have an overview of, or involvement in, the PIA and Report.

The consideration of whether a PIA is required is particularly important when a new business process or technology initiative involves the collection, recording, sharing or retention of personal information. Personal information can be split into 2 types:
- Personal information is that which is about an identifiable and living individual.
- Sensitive personal information (as defined by the Data Protection Act 1998) is personal information which pertains to an individual's: commissioned or alleged offending, legal proceedings, racial or ethnic origins, political opinions, religious beliefs, trade union membership, health and sexual life.

The PIA screening questions will identify whether a PIA is necessary or not. The PIA process is most valuable when used in the early stages of a project, as any identified privacy issues that require solutions can be easier to resolve.

Where possible the PIA and Report should be completed in line with the following timescales:
- Commenced prior to the procurement of the proposed solution;
- Completed before the proposed solution is put forward for security approval.

Consultation Guidance

Project Manager to brief PIA Stakeholders. Examples of such stakeholders (Internal Stakeholders / External Stakeholders):
- Project Board
- Engineers, developers
- ICT Procurement
- Suppliers / Data Processors
- Communications Team
- Frontline Staff / Officers
- Corporate Governance
- End Users
- Data Subjects
- Representative Groups
- Interest Groups
- General Public
- Regulators

2. PIA - Step by step

Senior Management

Step 1: Senior Responsible Officer to identify the need for PIA

Explain what the project aims to achieve, what the benefits will be to the organisation, to individuals and to other parties. It is helpful to link to other relevant documents related to the project, for example a project proposal. Also summarise why the need for a PIA was identified (this can draw on your answers to the screening questions).
- Screening questions
- Establish objectives, outcomes and outputs early
- Does PIA affect Kent only / Essex only / both?
- Management support

Step 2: Identify the privacy and related risks

Explain what practical steps you will take to ensure that you identify and address privacy risks. Who should be consulted internally and externally? How will you carry out the consultation? You should link this to the relevant stages of your project management process. You can use consultation at any stage of the PIA process.
- Risk management tools / methodology
- ICO guidance on particular risk areas
- Other standards and guidance
- Types of risk:
  - Individuals
  - Compliance
  - Corporate

Step 3: Identify privacy solutions

Identify the key privacy risks and the associated compliance and corporate risks. PIAs might record this information on a risk register.
- Identify DPA compliance risks. (Refer to Section 5)
- (Privacy issue, Risk to individuals, Compliance risk, associated organisation/corporate risk)
- Accept
- Reduce
- Eliminate

Step 4: Describe information flows

Describe the collection, use and deletion of personal data here. It may also be useful to refer to a flow diagram or another way of explaining data flows. How many individuals are likely to be affected by the project?
- Types of personal data
- Use of those data
- Information asset register
- Data controller

Step 5: Record PIA outcomes, sign-off

Who has approved the privacy risks involved in the project? What solutions need to be implemented?
- Document status of each risk
- Determine solutions
- Record reasons
- Sign-off
- Publication

Step 6: Integrate PIA into project plan

The Project Manager is responsible for integrating the PIA outcomes back into the project plan and updating any project management paperwork. He/she is also responsible for implementing the solutions that have been approved. The Project Manager is the contact for any privacy concerns that may arise in the future.
- Recommendations integrated into project plan
- Review PIA at key stages or project stage boundaries.
- Review PIA should the scope of the project change.

3. Screening questions

The following questions are intended to help you decide whether a Privacy Impact Assessment (PIA) is necessary. The guidance section of this document (Section 1) will assist you during the project lifecycle. Answering yes to any of the following screening questions is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need to. If there is no personal data involved then go to section 7, Conclusions.

Personal data means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

1) Will the project involve the collection of new information about individuals?
   Yes, No. How? Why?

2) Will the project compel individuals to provide information about themselves?
   Yes, No. How? Why?

3) Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
   Yes, No. How? Why?

4) Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
   Yes, No. How? Why?

5) Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
   Yes, No. How? Why?

6) Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?
   Yes, No. How? Why?

7) Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be private.
   Yes, No. How? Why?

8) Will the project require you to contact individuals in ways that they may find intrusive?
   Yes, No. How? Why?

4. Report Overview

Project Title / Number:
Does the Project affect Kent only / Essex only / Joint (Kent/Essex):
PIA Author's name / role:
Date of PIA completion:
Outline of the project and objectives (if statutory, provide reference):
Project:
NB: If this is not a new process but a change to an existing project, system or technology, then describe the current process and how the proposed changes will affect this.
Objectives/activities for completion:
Primary Objective

Secondary objectives

Consultation carried out:

Internal: (can include informal discussions and e-mails, project management meetings and discussion on agenda of other regular meetings)
- Project team
- Data Protection / Information compliance officer can provide specialist knowledge on privacy issues.
- Information technology can advise on security risks that may impact on security

External: The scope of external consultation should be assessed in the context of the development that is proposed. There are 2 main aims from external consultation: firstly, to enable understanding of the concerns of external stakeholders, and secondly, to improve transparency by making people aware of how potential new systems will be used. The extent of consultation should be determined in relation to the assessment of the privacy related risks in the context of the project. The ICO Code indicates that, where possible, existing consultation tools should be used to gain a better understanding of privacy expectations and experiences.

Note - A record should be maintained of the consultation process and findings.

Outline of the privacy impact and the justification of privacy intrusion:
Name and position of nominated Information Asset Owner:
List of stakeholders consulted during Privacy Impact Assessment process:

5. Data Protection Act Checklist

Linking the PIA to the Data Protection Act (DPA) Principles:

Completing this section during the PIA process will help you to identify where there is a risk that the project will fail to comply with the DPA or other relevant legislation, for example the Human Rights Act.

N.B. ** = Refer this section to your force DPO to explain

Principle 1

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Consider the following:
- Have you identified the purpose of the project?
- How will you tell individuals about the use of their personal data?
- Do you need to amend your privacy notices?
- Have you established which conditions for processing apply?
- If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?

If your organisation is subject to the Human Rights Act, you also need to consider:
- Will your actions interfere with the right to privacy under Article 8?
- Have you identified the social need and aims of the project?
- Are your actions a proportionate response to the social need?

What categories of personal data will be processed?**
Schedule 2 conditions relied upon**
What categories of sensitive personal data will be processed (if any)?**

Schedule 3 conditions relied upon**

Principle 2

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Consider the following:
- Does your project plan cover all of the purposes for processing personal data?
- Have you identified potential new purposes as the scope of the project expands?

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Consider the following:
- Is the quality of the information good enough for the purposes it is used?
- Which personal data could you not use, without compromising the needs of the project?

Principle 4

Personal data shall be accurate and, where necessary, kept up-to-date.

Consider the following:
- If you are procuring new software, does it allow you to amend data when necessary? What processes will this entail?
- How are you ensuring that personal data obtained from individuals or other organisations is accurate?

Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.

Consider the following:
- What retention periods are suitable for the personal data you will be processing?
- Are you procuring software that will allow you to delete information in line with your retention periods?

Principle 6

Personal data shall be processed in accordance with the rights of data subjects under this Act.

Consider the following:
- Will the systems you are putting in place allow you to respond to subject access requests more easily?
- Will any decisions that affect individuals be made via automatic processing? If yes, what?

Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Consider the following:
- Do any new systems provide protection against the security risks you have identified?
- What training and instructions are necessary to ensure that staff know how to operate a new system securely?
- What risk management procedures / policies will be in place to prevent any breach or damage/loss of data from occurring? Can include human error, hacking, network failure, theft, destruction of hardware etc.
- How will the force ensure the Data Processor (if used) will also comply with the DPA?

Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Consider the following:
- Will the project require you to transfer data outside of the EEA? If yes, which countries?
- If you will be making transfers, how will you ensure that the data is adequately protected?
- What types of data will be transferred?
- What measures are/will be in place to provide an adequate level of security during transfer and processing?

6. Data flow mapping

How is the data going to be collected, processed, utilised legally/lawfully?

(For example the following is a basic illustration of ANPR - delete and replace)

[Flow diagram labels: Car; ANPR Camera; Image; Local database; Data back to Kent Police; Positive / Negative result; Vehicle Registration]
- Kent Police: Required to enforce / provide crime prevention. Able to be accessed by Kent Police only.
- Criminal Investigation: ANPR database required to be reviewed to identify suspect.
- Local Authority: Require information for (X) reasons.
- Make

Data flow charts pinpoint where data is collected and processed to illustrate who has access to data, why and under what legal authority. They can also identify points of potential risk for further research, including potential for security / data protection breaches.

7. Conclusions

Please provide a summary of the conclusions that have been reached in relation to this project's overall compliance with the DPA. Include references to any changes that were introduced as a result of the PIA process.

8. Sign off

Approval required by:
Programme Manager:
Senior Information Risk Owner:
Data Protection Officer:

9. Related information

- Information Commissioner's Office (ICO)
- College of Policing
- Human Rights Act 1998