Privacy Impact Assessment (PIA) Policy
Privacy Impact Assessments (PIAs) are an integral part of taking a privacy by design approach. PIAs are a tool that the school can use to identify and reduce the privacy risks of a project. A PIA can reduce the risk of harm to individuals through misuse of their personal information. It can also help the school design a more efficient and effective process for handling personal data.
You can integrate the core principles of the PIA process with your existing project and risk management policies. This will reduce the resources necessary to conduct the assessment and spread awareness of privacy throughout the school.
An effective PIA will allow the school to identify and fix problems at an early stage, and PIAs are an integral part of privacy by design. PIAs are often applied to new projects. However, a PIA can also be used if the school is planning changes to an existing process.
The school has a process and guidance on how it will approach PIAs.
PIAs should assist the school in identifying privacy risk, which is the risk of harm through an intrusion into privacy. This is the risk of harm through use or misuse of personal information. Some ways that this risk can arise are through personal information being:
- Inaccurate, insufficient or out of date;
- Excessive or irrelevant;
- Kept for too long;
- Disclosed to those who the person it is about does not want to have it;
- Used in ways that are unacceptable to or unexpected by the person it is about; or
- Not kept securely.
The outcome of a PIA should be to minimise privacy risk. The school should develop an understanding of how it will approach the broad topics of privacy and privacy risk.
One benefit of a PIA is that it allows individuals to be reassured that the school which uses their information has followed best practice. A project which has been subject to a PIA should be less privacy intrusive and therefore less likely to affect individuals in a negative way. A PIA should also improve transparency and make it easier for an individual to understand why their information is being used.
The school should also benefit from using PIAs. The process of conducting the assessment will improve how the school uses information which impacts on individual privacy. This should in turn reduce the likelihood that the school will fail to meet its legal obligations.
Conducting and publishing a PIA will help the school build trust with the people using its services. The actions taken during and after the PIA process can improve the school's understanding of its stakeholders.
Consistent use of PIAs will increase the awareness of privacy and data protection within the school and ensure that all staff involved in designing projects think about privacy at the early stages.
When should we use PIAs?
The core principles of a PIA can be applied to any project that involves the use of personal data, or any other activity which could have an impact on the privacy of individuals.
A PIA should be used on new projects or when making an amendment to a current project. The PIA should be built into the project management structure.
Who should carry out the PIA?
It is the school's decision who is best placed to carry out the PIA. The Data Protection Officer (DPO) is well placed to have a significant role in a PIA. However, the PIA is designed to be used by anyone within the school. For the PIA to be effective it should include some involvement from various people within the school, who will each be able to identify different privacy risks and solutions.
What should the PIA do?
The PIA should be flexible so that it can be integrated with the school's existing approach to managing projects. The PIA should incorporate the following:
- Identify the need for a PIA
- Describe the information flows
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult with internal and external stakeholders as needed throughout the process.