Privacy Impact Assessments (PIAs) or data protection impact assessments used to be discussed in the context of specific technologies or industry sectors (see, for instance, the European Commission’s recommendations in relation to applications supported by radio-frequency identification (RFID) and the development of smart grids). However, this situation is about to change. PIAs are increasingly being promoted by national data protection authorities as an element of controllers’ accountability and more importantly they also feature in the European Commission’s proposal for a new General Data Protection Regulation (see InsidePrivacy Vote on EU Data Protection Regulation Again Postponed, June 21, 2013).
The European Commission proposes to introduce an obligation for controllers and processors to carry out a data protection impact assessment (DPIA) prior to risky processing operations. Its legislative proposal includes several examples in which a data processing operation is deemed to be risky, some of which are potentially relevant for companies in the life sciences sector, including especially the pharmaceutical industry but also the medical devices sector. These include:
- processing for the analysis or prediction of a person’s health or behavior (subject to certain conditions);
- processing of information on health, race and ethnic origin;
- the processing of information for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases (subject to certain conditions); and,
- personal data in large scale filing systems on genetic or biometric data.
Life sciences companies should note that the list of examples is not exhaustive. Moreover, national regulators will be allowed to require DPIAs for processing operations that are subject to a proposed prior consultation requirement.
The current EU data protection legal framework is silent on PIAs and guidance by regulators is scarce. As a result, at present, different approaches are being taken towards PIAs, including with respect to questions such as:
- What type of organization should complete a PIA?
- What circumstances trigger a PIA?
- Who completes a PIA?
- When should they take place?
- How thorough should they be?
- Should stakeholders be consulted (as is foreseen in the European Commission’s proposal)?
- Should the report be made public (as is recommended by the UK regulator)?
PIAs are widely used by government departments and agencies, local authorities, national health service trusts and by companies in the UK, according to a survey carried out in early 2013. The UK Information Commissioner’s Office (ICO) was also the first regulator in Europe to publish a Privacy Impact Assessment Handbook. The ICO is currently consulting on a new code of practice on conducting privacy impact assessments, which is intended to replace the current PIA Handbook. The ICO’s draft code of practice includes, among other things, some sample screening questions (e.g., Does the project involve using new technology which might be perceived as being privacy intrusive (for example, the use of biometrics)? Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations (for example, health records)?) and a PIA template.
As PIAs are rapidly becoming an essential data protection compliance tool and best industry practice, companies are well advised to develop and integrate PIAs into their project and risk management policies and procedures and to embed PIAs as a privacy by design element into the development of new products and services. This will not only help prevent, reduce or justify privacy risks, but ultimately save costs and avoid non-compliance and reputational damage.
Covington & Burling will moderate a half-day workshop on “Privacy Impact Assessments – when they are needed and how to conduct them” at PDP’s 12th Annual Data Protection Conference in London on September 11, 2013.