Privacy Impact Assessment February 2012

Privacy Impact Assessment

Project Title: ______ Service / Dept: ______

Assessment Author: ______ IG Lead: ______

Date: ______ Chief Executive: ______

Part Privacy Impact Assessment (Questions 1-10)

IDENTIFYING AND ASSESSING THE RISKS / RISK LEVEL / CONTROLS FOR MANAGING THE RISKS / REMAINING RISK
1. Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?
2. Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management?
3. Might the project have the effect of denying anonymity or converting transaction, identity authentication or identity management process?
4. Does the project involve multiple organisations, whether they are private, voluntary or statutory sector organisations, e.g., outsource service providers or business partners?
5. Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?
6. Does the project involve new or changed handling of a considerable amount of personal data about each individual in the database?
7. Does the project involve new or significantly changed handling of personal data about a large number of individuals?
8. Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?
9. Does the project relate to data processing which is exempt from legislative privacy protection?
10. Does the project involve systematic disclosure of personal data to, or access by, third parties that are not subject to comparable privacy regulation?

NOTE: If the risk level has been identified as HIGH for any of the above questions, you will need to carry out a FULL Privacy Impact Assessment in consultation with the IG Lead.

Full Privacy Impact Assessment (Questions 11-23)

IDENTIFYING AND ASSESSING THE RISKS / RISK LEVEL / CONTROLS FOR MANAGING THE RISKS / REMAINING RISK
11. Does the project apply new or inherently privacy invasive technologies?
12. Does the project involve an additional use of an existing identifier?
13. Does the project involve use of a new identifier for multiple purposes?
14. Does the project involve new or substantially changed identity authentication requirements?
15. Will the project result in the handling of new data about a significant number of people, or a significant change in the population coverage?
16. Does the project involve new linkage of personal data with data in other collections, or significant change in data linkages?
17. Does the project involve new or changed data collection policies or practice that may be unclear?
18. Does the project involve new or changed data quality assurance processes and standards that may be unclear or unsatisfactory?
19. Does the project involve new or changed data security arrangements that may be unclear or unsatisfactory?
20. Does the project involve new or changed data access or disclosure arrangements that may be unclear or extensive?
21. Does the project involve new or changed data retention arrangements that may be unclear?
22. Does the project involve changing the medium of disclosure for publicly available information?
23. Will the project give rise to new or changed data handling that is in any way exempt from legislative privacy protections?

Findings of the full PIA are to be discussed with the IG Lead for consideration and required strategy.