Management, compliance & auditing

Privacy Impact Assessment

1. What is a Privacy Impact Assessment (PIA)?

Privacy Impact Assessment is a process to determine the impacts of a program, system, service, scheme, initiative, application, information system, policy or administrative practice, or database, called for the purpose of this article as "project," on an individual's privacy and the ways to mitigate or avoid any adverse effects (risks).

Conducting a PIA is a good business practice that should be considered in a similar way to financial, legal, operational, and IT practices prior to proceeding with a new project development.

1. Characteristics

A PIA has a consistent format and structured process that helps:

• identify issues that could occur from the collection and use of personal information;
• determine how a project will affect the privacy of individuals who are the subject of the information; and
• in considering the measures required to mitigate or eliminate any such adverse impacts.

The PIA process enables a (Public, Private) Organization, at the earliest time possible to:

• support the individuals' (public, clients, staff) right to know what personal information will be collected about them (for a new project) and how it will be used (helping to assure individuals that their personal information will be adequately handled and protected);
• prevent the deterioration of existing privacy protection levels for an existing project;
• make informed decisions and implement mitigating measures to minimize potential impacts on the individuals' privacy; and to
• avoid adverse publicity, loss of credibility or public confidence and costs associated with legal or remedial actions.

1. When is a PIA required?

An Organization as a good practice should conduct a PIA and document it to forward to its management team when at least one of the following general circumstances applies:

• The proposed project will collect, store, use, disclose, link and/or match personal information which is, or could be made, identifiable.
• New personal data elements will be collected and added to an existing project, or a new project is proposed.
• Project access will be rolled out beyond current parameters, controls, levels or numbers of users.
• Personal information use will be expanded to include data linkage or matching, or other purposes and uses.
• The way that the project is accessed, managed or secured from a technical or managerial perspective is changed significantly (including use of internet technology, outsourcing, cloud computing, etc).
• The retention period of personal information in the project will be extended or become indefinite in length (although this is not possible under the EU data protection legislation), or shortened to less than one year (setting a minimum retention period is common under the Canadian privacy legislation).
• The installation of surveillance cameras or systems is being contemplated.

When a review of the project indicates that it has a limited scope and there are no significant privacy impacts, there is a decreased need for a formal PIA. A mini privacy impact assessment or a Privacy Scan (PS) is a report of the review that was carried out. A PS could be used, for example, where a new project is created but the use of personal information is minimal.

As information systems, outsourcing, and cloud computing become more complex, the probability of unexpected privacy impacts increases so that a project that appears to involve minor technical enhancement for client convenience and the Organization's efficiency may represent significant privacy impacts.

It is recommended that a mixed team made up by privacy professional(s), IT, management and any relevant department within an Organization, meet together in order to determine if a PIA should be done. This evaluation should not be done just by the Data Protection Officer or Chief Privacy Officer alone, as it requires all the technical, managerial, and organizational details in order for the new project to be objectively assessed. A PIA involves all the players involved with the new project within an Organization.

1. Privacy and security are not the same

Security without privacy could exist, but privacy without security cannot.

1. Privacy

Privacy is the ability of an individual to exercise a substantial degree of control over the collection, use, or disclosure (transfer) of their personal information by others. Individuals usually understand that some degree of personal information should be disclosed when for example, buying a flight ticket online. The provider cannot allow you to purchase a ticket if they don't know your name, billing address, credit card information, etc. But at the same time, individuals should be assured that their private information is used just for the purpose of collection (e.g. buying a flight ticket) in a proportionate way (e.g. no irrelevant information for the scope of the purchase is collected)with no further disclosure without notice (e.g. disclosed to advertisers or other businesses) and that their personal information is protected (secure).

Privacy protection involves:

• collecting just the information that the service/program/provider or the governmental authority has the legal right to collect;
• collecting information directly from the individual where possible;
• ensuring the accuracy of information used to make decisions about the individual or to provide products, services, etc.;
• giving the individual the rights to access, block, modify, erase, and update his personal information;
• using and disclosing personal information as legally authorized; and
• taking reasonable security measures to protect the private information of the individuals.

1. Security

Security provides the mechanisms to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, deletion or destruction.

The three main principles related to information security are:

• Confidentiality - refers to limiting information access and disclosure to authorized users only.
• Integrity - refers to the trustworthiness of information sources. It also entails that the data has not been changed inappropriately, whether by accident or deliberately by someone, and that the data should be identified as coming from the source it should have come from, not an unauthorized or unknown source.
• Availability - the information should be available when needed, as by not having data available, it could be much worse depending on how reliant the organization has become on that particular information or information system.

Information security is related to the more technical aspects of protecting information through administrative, physical and information technology measures, such as:

• need-to-know policies and procedures for personal information access;
• physical security and access controls;
• information technology security and access controls;
• waste management controls for personal information;
• records management and disposition schedules; and
• destruction by erasure and physical destruction schedules.

1. Privacy Impact Assessment report

A PIA report could have five parts:

i. Chapter 1

The description of the new project including the actors involved.

ii. Chapter 2

The account of the personal information being collected as a result of the project to be developed or implemented and a description of the information flows within the project and/or linked with the project along with the identification of the information users.

iii. Chapter 3

An analysis of the compliance with the legal data protection/privacy requirements for collecting and processing personal data/information (e.g. Directive 95/46/EC for the European Union or FOIP or PIPA for Canada).

iv. Chapter 4

The identification of potential privacy issues from the perspective of individual privacy and any outstanding privacy issues that should be addressed before or as the project moves forward.

v. Appendix (if needed)

Supporting documentation that helps to describe the project, such as the forms used to collect personal information, samples of charts or graphs the system may generate, and excerpts from legal agreements that govern the activity.

1. Privacy Impact Assessment practical example (Surveillance cameras)
   

Chapter 1: Description of the Surveillance Camera Activity

Organization X decided to install surveillance cameras in their office where they deliver services to the public and where they work with the public during business hours.

The surveillance cameras were installed at their business location, in Romania, Bucharest, at the address: Street. M. Eminescu no. 40, building 4, floor 3, postal code 70000.

The building has a waiting-working room for the public where the surveillance cameras were sought to be installed. This organization delivers services and provides evaluation for accessing the European Commission's funds for agriculture.

Individuals using this space are waiting for their appointments with the case handler. Clients also come here to access reference material, computers, photocopiers and fax machines, all available to the public.

Five surveillance cameras are used as prevention to theft, conflicts and inappropriate behaviors.

The surveillance cameras record images of individuals accessing the Organization's waiting-working room on the third floor. The surveillance cameras are motion-sensitive and are only activated when there is movement in the area, but they do not have audio capacity.

The images are transmitted to a monitor and recording equipment located in a locked room on the third floor. The equipment is not currently operated by anyone and is only accessed if a situation requires it. The video tape recording of images is re-recorded on after a 36 hour loop is finished.

This Privacy Impact Assessment (PIA) focuses on the use of the surveillance cameras.

1. Who is responsible for the surveillance cameras?
   

Organization X is the responsible entity for installing and operating the surveillance cameras located on the third floor of their business location.

1.2 Responsible department

The information security and privacy department is the internal entity in charge of the installation and operation of the surveillance cameras within the Organization's premises.

1.3 Responsible person

Mr. Daniel Dragos Securescu (Information security and privacy officer) is the person in charge of the surveillance cameras' operation, in behalf of the organization. He is the Controller for the data processing as defined under Article 2 (d), Directive 95/46/EC.

His contact details are:

Business: Street. M. Eminescu no. 40, building 4, floor 3, office 2, postal code 70000.

Phone: 00421 2234455

Home: Street Frumoasei, no. 10, building A, floor 1, postal code 78000

Home phone: 00421722333444

1.4 Overview

The surveillance cameras were installed to prevent theft, conflicts and inappropriate behaviors by individuals entering and using the Organization's premises.

1.4.1 Background

In support of the Organization's activities and for accessing the European Commission's Agriculture funds, the use of the surveillance cameras provides an indirect presence in the unsupervised area of Organization X to prevent theft, conflicts and inappropriate behaviors.

1.4.2 Current Situation

The surveillance cameras were installed to record a full view of citizens entering and using the area described above. This room has a 200 square meter area (it is hard to be monitored by a single staff member) and has 50 chairs for seating, 50 computers for citizen use, and a large selection of relevant material, photocopiers, fax machines and phones usable for long distance services as well as 15 local phones. Approximately 2000 individuals per month will use this space, and at any given time, there may be up to 200 individuals waiting or using the facilities throughout the day.

On a daily basis, there have been computers, furniture and confidential files stolen, and the long distance phone lines where heavily abused for personal purposes, producing damage valued at 5000 RON (Romanian currency, approximately 1250 Euros).

This area has three public access doors: one leading to the exit area, one leading to the washrooms (but with access to the street as well) and another leading to the staff office.

As required by the European Union Data Protection legislation transposed into Romanian National Law No. 677/2001, seven visible and distinct signs are displayed, one on each wall and one on each door (outside the door before entering the facility) which reads:

Romanian:

Atentie, acest spatiu este monitorizat de camere de supraveghere. Intrind acest spatiu, veti fii inregistrat de catre camerele de supraveghere instalate. Pentru orice intrebare sau nelamuriri va rugam sunati la: 00421 2234455.

English:

Warning, these premises are under video surveillance. By entering these premises, you may be video-recorded by the installed video surveillance cameras. If you have any questions, please contact 00421 2234455.

French:

Attention, ces locaux sont dans la surveillés vidéo. En entrant dans ces locaux que vous soyez vidéo enregistrée par les caméras de vidéosurveillance installées. Si vous avez des questions s'il vous plaît contactez: 00421 2234455.

In addition, a privacy Notice is also provided (in three languages), which informs the data subject about the purpose of collecting/processing personal information, the person in charge of the data collection (contact details of the controller), the person who should be contacted for any inquiries or requests for access, deletion, objection, modification, etc, the person who has access to their personal data and its retention period, and how to contact the National Data Protection Authority in case of complaints.

Last but not the least, the Organization informed the National Data Protection Authority about the video surveillance project, as required by the Directive 95/46/EC, Article 18, "Notification," as transposed into the national data protection law.

1.4.3 Surveillance Camera Project Overview

The Organization's security and privacy policy and guidelines require the completion of a PIA along with the development of a process for managing the information collected by the surveillance cameras.

The existing policies refer to the decisions made about access, use, disclosure, retention and destruction of the records from surveillance cameras. This is an internal document aimed at addressing all the details regarding the operations for the surveillance cameras.

The surveillance cameras are motion-sensitive and are only activated when there is movement in the area; there is no audio capacity. The monitoring equipment records activity on video tape on a 36-hour loop. The video tape is re-recorded on after the 36 hour loop is finished. There is no public area (the street or other apartment buildings, nor the private washroom) under video surveillance.

The completion of a PIA shows the Organization's understanding and commitment to use best practices in addressing privacy issues around the use of surveillance cameras as identified by the European Data Protection Supervisor.

1.5 Benefits of Surveillance Cameras

1.5.1 Benefits for Clients

A surveillance camera is an effective technique aimed at preventing theft, conflicts and inappropriate behaviors.

The Organization's public area does not have a permanent staff member present to monitor activity. The use of the surveillance cameras allows an indirect presence in the public area.

1. Benefits for the Organization
   

Surveillance cameras may provide a safer work environment for staff by preventing inappropriate behaviors in the public area and to reduce potential conflicts between clients.

The surveillance cameras may also prevent criminal activity, considering that on a daily basis, the Organization is losing expensive inventory items in the value of 1250 Euros.

Chapter 2: Personal Information Collected, Used and Disclosed by Surveillance Cameras

2.1 Personal Information Collected/Processed

When the surveillance cameras are operating, they capture images of the individuals entering the waiting-working area and using reference material and equipment, such as computers, phones, and fax machines. The images are transmitted to a monitor and are recorded on a digital storage medium. The monitor is not currently operated by anyone and only accessed if a situation expressly requires it (e.g. immediate danger, criminal activity, disturbance, etc).

The information captured by the surveillance cameras constitutes information about an identifiable individual as it captures full images of the individuals using the waiting-working area.

2.2 Personal Information Flow

The footage is captured in the waiting-working area and transmitted to the storage area located in a different room on the third floor, which is looked and secured. That area is not accessible to anyone else but the information security and privacy officer, along with the business manager. Each of them holds a magnetic key (access card) and none of them can enter the storage area without using both cards at the same time.

Chapter 3: Protection of Personal Information Analysis

3.1 Collection/Processing of Personal Information/Data

Article 7 "CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE" Directive 95/46/EC provides:

"(a) the data subject has unambiguously given his consent" – Having given a privacy notice before the individuals enter the monitored area, and subsequently before personal data is being collected, means consent is given.

"(d) processing is necessary in order to protect the vital interests of the data subject" – An individual may be in danger in the public area which requires prompt intervention to protect their vital interests. The footage is viewed just under these circumstances. When cameras detect abnormal movements/activity in that area, alert the person in charge via SMS, who comes and checks the footage, and intervenes if required or if anyone is in imminent danger. No one watches the footage preventively or on a daily-basis.

"(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1)" – This refers to the legitimate interest of the Organization for protecting its assets and equipment. By giving the privacy notice, the interests for fundamental rights and freedoms of the data subject are properly balanced with the legitimate interest of the controller.

3.2 Manner of Collection of Personal Information

If an employee of the Organization discovers a threat to public safety, vandalism and/or theft, they will contact the management, the Business Manager and the information security and privacy Officer, who will decide if a viewing of the tape is required for post-event action (not imminent danger).

This collection and processing of personal information/data is authorized under:

SECTION VI, EXEMPTIONS AND RESTRICTIONS, Article 13

"1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:

(c) public security; - threat to others

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions; - If someone steals a computer, for example, and requires further investigation for recovering the computer, or if the law has to be enforced for theft and the footage is to be considered evidence.

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters" - This Organization deals with the allocation of the European Commission's agricultural funds and if one steals a computer with other applications in progress that could harm the process of accessing grants, or enable someone to access grants in a illegitimate way, sponsored by public money.

1. Data Quality
   

Article 6, Directive 95/46/EC, requires that personal data is:

(a) processed fairly and lawfullyI - Information given to data subject. Collection and processing made lawful under Directive 95/46/EC.

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes - Collected for public safety, criminal matters, law enforcement, vital interests of the individuals, and the controller's legitimate interest.

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed - The manner of collection seems adequate for the purpose of collection as the cameras monitored just that area.

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified - The individuals are informed about their rights and told how to enforce their rights, provided under the privacy notice.

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed - The footage is kept for a determined, reasonable period of time for the purpose described above. No other use is envisioned.

3.4 The data subject's right of access to data

The individuals are given the right to access their own footage, by blurring other individuals' faces in order to properly balance the right of access with the rights and freedoms of others.

Also provided is the right of rectification, erasure or blocking of data if the footage is incomplete or inaccurate, or taken out of context.

Furthermore, provided is the right to object, on request and free of charge, to the processing of personal data relating to the individual for the purposes of direct marketing, or to give consent before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing.

3.5 Security measures

The monitor and recording equipment is located in a secured room on the same floor. This room is locked at all times and can be accessed only by both the Area Business Manager and the information security and privacy officer together.

Images captured on the surveillance cameras are relayed to the television monitor and recording equipment through a cable. No wireless transmission is in place, as it could be intercepted by unauthorized users.

The recording medium has no access to the Internet, making it technically impossible for anyone to post the footage online.

3.6 Use of Personal Information

The use of the surveillance cameras is to act as a prevention measure to reduce theft and the likelihood of conflict between clients. The Organization does not have enough staff members present to monitor activity. The use of the surveillance cameras allows for an indirect presence in the space to be protected.

Retention Period

The footage is kept for 36 hours which is adequate and non-excessive for the purpose of collection and processing. After 36 hours, the footage is erased automatically.

3.8 Disclosure of personal information

In the event of a threat to public safety or the detection of criminal activity, the staff members would notify the information security and privacy officer, the management team, building security, and the authorities (e.g. Police). Information may be documented for law enforcement purposes.

Transfer of personal information

No data is transferred to other parties (except law enforcement authorities or Criminal Court if required) outside Romania or to any third countries (countries outside of European Union).

Chapter 4: Potential Privacy Impacts

4.1 Mitigation of Potential Privacy Impacts

The Organization has in place guidelines and best practices along with the present PIA, addressing the use of surveillance cameras. These materials are available to all staff members, and yearly meetings on privacy and information security are also held by the Information security and privacy officer.

The Privacy Notice and the notice for the area monitoring are available to individuals before entering the monitored space, in a visible manner, giving a real choice to enter or not the facilities under surveillance. Signs are prominently displayed. The sign identifies who to contact to answer questions regarding the surveillance camera.

For those individuals who choose not to enter the public area and be recorded, they are able to obtain the Organization's services by accessing their online resources and registration portal. There is no service denied by not entering the monitored area as the service could also be delivered and accessed through a web-based application.

The Organization's staff members requested the use of the surveillance cameras in that particular public area, in order to feel protected and to stop thieves or abusers who bring harm to the organization's assets and others' well-being.

The building itself and the Organization have security staff at the site to provide security but they are unable to actively monitor all areas. It is believed that the surveillance cameras act as prevention for any potential incidents.

The security measures in place seem appropriate and proportionate with the level of confidentiality and sensitivity of the personal information collected and processed.

The people in charge with the handling of the footage are specially trained in information security and data privacy. Also, the footage cannot be accessed by just anyone, but only by specially designated people and not in an individual manner. Every time they access the storage facilities, they have to use the unlocking cards held by two different individuals and sign in an entry/exit log book.

The recording medium has no access to the Internet, making it technically impossible for anyone to post the footage online. Also, no wireless transmission is in place to prevent illegitimate interception.

4.2 Conclusion

The surveillance cameras were installed as prevention to theft and other potential issues in the Organization's waiting-working area. The goal is to reduce and eliminate conflicts, incidents and theft for an area that is not readily visible to staff or Security.

The surveillance cameras are thus being utilized to record activity in the waiting-working area. Images captured on video tape are only maintained until the 36 hour loop is finished.

The staff members have developed processes, guidelines and procedures for the implementation of the surveillance cameras to ensure that all of the staff are aware of the implications of having the surveillance cameras and their responsibilities. An annual review will be conducted regarding the decision for the implementation of the surveillance cameras to confirm that using this technology is still useful for the waiting-working area.

Privacy Risk Description

Mitigation Measures

For Project

Unauthorized use/ disclosure of information by authorized users Footage Access to the footage is strictly restricted to the Business manager and the Information security and privacy officer. No other internal individuals have access to the footage.

Unauthorized use/ disclosure of information by external parties Footage There is no intention to disclose information to external parties. Also, technically this is impossible as the recording medium has no access to the Internet.

Unauthorized or inappropriate collection/use/ disclosure of information by a business partner/EU Commission/EUAgencies Footage No business partner or external partner, neither the European Commission nor any European Agency which provides the funds for agriculture projects, has access to the footage.

Loss of integrity of information Security of recording and storage medium

The monitor and recording equipment is located in a secured room on the same floor. This room is locked at all times and can be accessed only by the Area Business Manager together with the information security and privacy officer.

The recording medium has no access to the Internet, making it technically impossible for anyone to post the footage online. Also, there's no wireless transmission.

Loss, destruction or loss of use of information Security of Assets A procedure is in place for building security, floor security, and storage room security. Security personnel do rounds on a strict schedule to check the physical integrity of the building's rooms. The storage room is locked and secured.

Other project-specific privacy risks Footage transfer No personal information transfer takes place.

VII. Purpose of this Article

The steps described in this article could be used and is useful for those who:

• design a new program or service;
• make significant changes to an existing program or service;
• convert from a conventional service delivery mode to an electronic service delivery mode.

Firstly, it should be identified if the new project requires the collection, use or disclosure of any personal information, such as name, address, age, identifying number, educational, medical or employment history, etc.

If the answer is "yes," then the present Privacy Impact Assessment tool could be confidently used for determining the privacy risks associated with the new or existing project and to provide a good business practice.