Privacy Impact Assessments: an essential tool for data protection

A presentation to a plenary session on "New Technologies, Security and Freedom," at the 22nd Annual Meeting of Privacy and Data Protection Officials held in Venice, September 27-30, 2000.

Revised, October 12, 2000

David H. Flaherty, Ph.D.

Professor Emeritus, University of Western Ontario

David H. Flaherty Inc.

Privacy and Information Policy Consultants

1939 Mayfair Drive

Victoria, British Columbia, Canada V8P 1R1

Fax 250-595-8884

  1. Introduction

When I had the privilege of giving the keynote address at this annual meeting of this group in Quebec City in 1987, I chose to look towards the future in data protection, with a focus on the then distant year 2000. I never dreamed that in this millennial year I would be standing before you, or have had all of the experiences with dramatic change that we have experienced in the 1990s as individuals, as official data protectors, and as privacy advocates. I do remember, with some misgivings, my fear that by the year 2000 official data protectors would be reduced to a tiny ragbag of individuals with pitchforks trying to hold back the forces of surveillance. (1)

Since I remain an optimist, I do not think that our current situation has reached quite that unfortunate state, but the "privacy police," as I am fond of calling you these days, have very finite resources when it comes to monitoring implementation of data protection.

I do want to return to one of my supposedly controversial points in 1987 (the privacy watchdog analogy), because I think it has stood the test of time, despite the public remonstrations of the then president of the Commission Nationale de l'Informatique et des Libertes (CNIL), who took great umbrage at my use of the term watchdog. Having had the experience of serving as the first Information and Privacy Commissioner for the Province of British Columbia in Canada (1993-1999), I strongly believe that the conception of the data protection commissioner as a privacy watchdog remains a very powerful and relevant image, reminding me, at least, of the continued inadequacies of countries that do not have such independent watchdogs in place.

The realities at the dawn of the 21st century are that privacy and data protection commissioners, and indeed privacy advocates themselves, are facing a continuing stream of technological innovations that have to be evaluated systematically to measure compliance with the fair information practices or data protection principles that are at the heart of all data protection legislation. (2) That problem is the focus of this first plenary session. Data protectors are facing such arduous responsibilities in the face of an increasing work burden, more and more complex and bureaucratic legislation, such as the European Directive on Data Protection and its national clones, and a very fast pace of technological innovation. Understanding any such change can be a complex activity that data protectors will wish to approach in a systematic manner.

What I intend to draw to your attention is an additional tool in the arsenal of the data protector in the form of privacy impact assessments. The idea is to require the preparation of privacy impact assessments for new products, practices, databases, and delivery systems involving personal information. In the last five years, privacy specialists have developed an assessment model for the application of a new technology or the introduction of a new service, which has good potential for raising privacy alarms at an early stage in an organization's planning process in either the public or private sectors. Various models exist for privacy impact assessments that can be customized to the needs of any organization. The essential goal is to describe personal data flows as fully as possible so as to understand what impact the innovation or modification may have on the personal privacy of employees or customers and how fair information practices may be complied with. Ultimately, a privacy impact assessment is a risk assessment tool for decision-makers that can address not only the legal, but the moral and ethical, issues posed by whatever is being proposed.

What I am proposing, and it will not be a novel suggestion for those of you from North America and New Zealand in particular, is that privacy regulators require, or at least encourage, those being regulated to prepare a privacy impact assessment for significant personal data systems that are new or enhanced in some significant way, so that their privacy implications can be analyzed and addressed in a coherent manner. (3) This idea of using privacy impact assessments is an emerging tool for addressing certain types of data protection problems that was pioneered, in my opinion, by New Zealand and by certain Canadian provinces during the last half decade, including Ontario, B.C., and Alberta.

I realized at Stewart Dresner's superb Privacy Laws and Business conference in Cambridge in July, 2000 that whatever other forms of progress in data protection (such as auditing) have occurred in Europe recently, the concept of a privacy impact assessment as an instrument of data protection has not visibly taken root. I believe that the preparation of a privacy impact assessment, in cooperation with a data protection office, can be extremely useful in helping to avoid an overly legalistic, even Talmudic or Jesuitical, focus in the detailed work of privacy protection. That is because the core of an effective privacy impact assessment is a careful description of how a system, (or any application of technology to personal information), actually works. In this process, specific privacy issues can be segregated and addressed in a comprehensive manner. Conducting a privacy impact assessment is also an effective method of engaging a team of persons at any organization, including technology, policy, legal, and privacy specialists, to work together to identify and resolve data protection problems. (4)

  2. Description of a Privacy Impact Assessment

Simply put, a privacy impact assessment seeks to set forth, in as much detail as required to promote necessary understanding, the essential components of any personal information system or any system that contains significant amounts of personal information. I find it easiest to indicate what I have in mind by listing the following generic categories of information (Table 1) that should be considered for inclusion in an informative and informed privacy impact assessment. (5)

Table 1: Table of Contents for a Model Privacy Impact Assessment

1. Introduction and Overview

2. Description

3. General Goals

4. The Need for a System

5. Current and Intended Scope

6. Key Objectives

7. Conceptual Technical Architecture

8. Risk Management

9. Statutory Authorities for the Collection, Use, and Disclosure of Personal Information

10. Privacy Standards and Concerns

11. Original Purposes of Data Collection

12. Information Collected

13. Sources of Data

14. Limits on Data Collected

15. Location of Data

16. Data Retention/Destruction

17. Consent Issues

18. Access Rights for Individuals to their Personal Data

19. Users of Personal Information

20. Disclosure of Personal Information

21. Record Linkages as a Privacy Issue

22. Security Safeguards

23. Disclosure Avoidance Practices

24. The Implications of Future Developments

25. Conclusions about the Privacy Impact

26. Sources of Information for this Privacy Impact Assessment

Issues of definition and description of the central components of a privacy impact assessment also involve initial questions of whether an organization really needs to prepare one in specific circumstances. In the spring of 1999, as Information and Privacy Commissioner for British Columbia, I had to deal with an issue involving detailed patient waiting lists by specialist for many hospitals in the Lower Mainland and Vancouver Island. The advice of my staff was that a privacy impact assessment was not necessary, but I was concerned about the accuracy of the information about the medical practices of individual physicians and whether physicians themselves had agreed to, or were at least aware of, the personal data to be disseminated in the context of their patient waiting lists. The British Columbia Ministry of Health was reluctant to do the work involved but relented over a weekend and prepared a privacy impact assessment for our review within several days. Even the deputy minister of Health attended the discussion of the privacy impact assessment at our office with my staff. Since we were quite satisfied with the resulting document, we approved it at once and suggested to the deputy minister that he post the privacy impact assessment on the Ministry of Health's web site with the announcement of the waiting list registry, which, ironically, happened the next day (because of the politics of waiting lists for physician services). (6)

If specialized staff of a data protection office have done their homework with their counterparts in organizations, then significant changes in personal information systems will automatically surface and receive appropriate attention, up to and including the most senior staff of the office, including the Privacy Commissioner. I think that it is fruitless to state, up front, that a privacy impact assessment is always required, because it will be quite difficult, given my experience, to make such a decision at an early stage in the development of any system. (7) A better approach in my view is simply to indicate to organizations that privacy impact assessments are highly desirable for significant changes to existing personal information systems or the creation of new ones. Ideally, those responsible for central government oversight of compliance with an Act will ensure that organizations prepare such privacy impact assessments on their own initiative, which can ultimately be reviewed by central government and the Privacy Commissioner's office at an appropriate later step in the process. A similar model can work in the corporate world. A data protection office has to download as much work as possible in order to avoid being swamped. (8)

Organizations must prepare privacy impact assessments in such a manner as to identify key problems, not try to gloss over them or skip by them, since the specialists in the offices of privacy commissioners will focus on them in the long term. I admire the "true believers" who are advocating various enhanced information systems for seemingly laudable purposes, since what they are proposing is clearly in the public interest, but privacy impact assessments must be written with a more critical eye to the sensitive issues. The hard questions must be answered and not glossed over. "Solutions" to such issues as consent, for example, will likely also be transferable from one privacy impact assessment to another, if the thought processes of the team involved are insightful and creative.

  3. Guides to Preparing a Privacy Impact Assessment

A variety of informed groups in Canada and the United States have prepared detailed guides on how to prepare privacy impact assessments. These include the U.S. Internal Revenue Service, Treasury Board Canada, which oversees the federal government's central administration of compliance with the Canadian federal Privacy Act, and the Ontario Management Board of Cabinet, which plays a comparable role with respect to Ontario's Freedom of Information and Protection of Privacy Act. (9)

In British Columbia, the Information, Science, and Technology Agency and the Office of the Information and Privacy Commissioner have published model forms for the completion of privacy impact assessments. (10) My former Office prides itself on the model and detailed worksheet, including critical questions, that it has prepared for those preparing a privacy impact assessment. (11)

My major criticism of the existing guides to conducting privacy impact assessments is that they violate the KISS principle, that is, "keep it simple, stupid." They give the appearance of being too complicated and burdensome for the users at organizations that will be asked to do the actual work. My sense is that looking at some of these forms and the listed requirements would discourage cooperation in what is, after all, a largely voluntary activity on the part of those being regulated. Suggestions and guidance have to be as user-friendly as possible, which I think the ISTA forms referred to above have achieved to a considerable measure, as have those of my former Office. There is no use trying to persuade busy bureaucrats to assist the task of effective implementation of data protection by filling out privacy impact assessments and then burdening them with so much complex guidance that it would try the patience and willingness of even the most tolerant among them to follow through on the process.

  4. My Direct Experience with the Preparation of Privacy Impact Assessments

As a privacy and information policy consultant working primarily in Canada during the past fourteen months, I have found that the preparation and encouragement of privacy impact assessments is one of the services that I can offer to clients in the public and private sectors. In particular, I have prepared a substantial privacy impact assessment for a federal-provincial effort in the public health surveillance field that features an Internet display tool for making available appropriate, timely, and relevant data to public health officials.

My direct involvement in the preparation of this privacy impact assessment leads me to make the following observations about the process:

  5. The Uses of Privacy Impact Assessments

  6. Conclusions

I am persuaded on the basis of direct experience that a successful privacy impact assessment can be a very effective instrument in the toolkit of the 21st century Data Protection Commissioner. It can also be very helpful to senior public servants and their elected Ministers who do not wish to be blindsided by privacy disasters, such as happened to the Canadian Minister of Human Resources Development in May, 2000. (15) A proper privacy impact assessment that incorporated the informed observations of the Office of the Privacy Commissioner of Canada might have prevented a political and public relations disaster for that particular minister and the federal Liberal government.

© Copyright David H. Flaherty, 2000. All rights reserved.

1 David H. Flaherty, "Towards the Year 2000: The Emergence of Surveillance Societies in the Western World," the keynote address to the opening session of the International Data Protection Commissioners' Annual Meeting, Quebec City, Quebec, September 22, 1987.

2 See Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press, Ithaca and London, 1992).

3 One of the earliest references that I have found to privacy impact assessments comes from a Privacy Issues Forum in Christchurch, New Zealand, on June 13, 1996 (which I in fact attended and participated in). The presenters were Blair Stewart of the New Zealand Privacy Commissioner's office and Elizabeth Longworth, a leading N.Z. privacy practitioner. I also note that I wrote, in September, 1995, an essay entitled "Provincial Identity Cards: A Privacy-Impact Assessment." I can document the use of the term "privacy impact statement" as early as the 1970s. Stewart published a series of excellent short articles on privacy impact assessments in Privacy Law & Policy Reporter, vol. 3 (1996), 61-64, 134-38 and vol. 5/8 (1999), 147-49. These reflected, from a critical perspective, his experience with the process in New Zealand.

4 I am indebted for this point, and other suggestions, to my former colleagues, Lorrainne Dixon and Bill Trott.

5 I used these specific headings to prepare a recent privacy impact assessment. The re-organization of the final product resulted in only 7 broad headings: introduction and overview; description; data collection; disclosure and use of data; privacy standards and security measures; conclusions; and sources.

6 This particular privacy impact assessment is a simple model of what can be done; it can be found at

7 In an ideal world, any personal information system should have its own privacy impact assessment available for continuing updating and revision. But, given the amount of work required to complete a competent privacy impact assessment, I am reluctant to be too dogmatic on this point. The issue is much more clear-cut for any privacy-intensive organization that collects and uses significant amounts of personal data.

8 See David H. Flaherty, Protecting Privacy In Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States (University of North Carolina Press, Chapel Hill, NC, 1989), pp. 57, 385-91.

9 See Treasury Board Canada, "Model Cross-Jurisdiction Privacy Impact Assessment Guide" (Draft, October, 1999); Ontario, "Privacy Impact Assessment Guidelines" (March, 2000, 83pp.); U.S. Internal Revenue Service, "Model Information Technology Privacy Impact Assessment" (Version 1.3, December 17, 1996, 17pp.), available at This U.S. model contains a helpful list of "privacy questions" to guide those preparing an initial privacy impact assessment for review with the IRS's Privacy Advocate. The Ontario Management Board of Cabinet now requires a privacy impact assessment of any submission to it from a government department "seeking approval to begin the detailed design phase or to request funding approval for product acquisition or system development work." (p. 6) It also has lists of helpful questions associated with each component of the privacy impact assessment.

10 What I find especially appealing about ISTA's "Guidelines" is that they include within the Privacy Impact Assessment Form some sample language under each box on the form as an assist to someone having to fill it out. See

11 See

12 The Ontario Management Board Guidelines state: "The end result of a privacy impact assessment process is documented assurance that all privacy issues have been appropriately identified and either adequately addressed or, in the case of outstanding privacy issues, brought forward to senior management for further direction." (p. 25)

13 The Ontario Management Board Guidelines state: "While the completion of a full and detailed privacy impact assessment may only be possible at later stages in the system development and acquisition phase, the privacy impact assessment is best approached as an evolving document which will grow increasingly detailed over time." (p. 11)

14 The Alberta Information and Privacy Commissioner issued two press releases in August 1999 announcing his "acceptance" of two privacy impact assessments submitted to his office by Alberta Health and Wellness and alberta we//net. They are located under 'reports' and 'privacy impact assessments' on the office's web site:

15 In his final annual report as Privacy Commissioner of Canada, Bruce Phillips drew attention to some data protection problems with a massive research database maintained by HRDC. When his press release gave pride of place to an issue that was otherwise buried in the bowels of the annual report, the media and Opposition political parties in Parliament picked up on the issue and made it front-page news for almost two weeks. An initially defensive Minister subsequently ordered the literal destruction of the linkage devices that had made the database possible. Many thousands of Canadians simultaneously demanded to know what information was held about them in the database in question.