Taking The First Step In Privacy Compliance
CAPP’s privacy impact assessments and data protection impact assessments are valuable tools to gauge the ways projects, systems, programs, products or services impact the data an organization holds, and increasingly they are being required by law for certain data processing. Having a good understanding of what a PIA is, how to conduct one and who needs to be involved can be the key to determining the true effect a new project will have on your organization.
When To Perform a PIA
PIAs should be conducted to assess any new project that involves the collection of personally identifiable information (PII), as well as changes to existing projects that create new privacy risks. A PIA should be integrated into a project lifecycle from beginning to end. Organizations should use PIAs (a) before commencing a project, to identify privacy risks in the design and implementation process and assess how to mitigate those risks; (b) during a project’s lifecycle, to evaluate changes that create new privacy risks; and (c) at the end of a project’s lifecycle, to evaluate how the project’s information should be deleted or maintained after completion. Changes that typically call for a PIA include:
- Collection of new information about individuals whether compelled or voluntary;
- Conversion of records from paper-based to electronic format;
- Conversion of information from anonymous to identifiable format;
- System management changes involving significant new uses and/or application of new technologies;
- Significant merging, matching or other manipulation of multiple databases containing PII;
- Application of user-authentication technology to a publicly accessible system;
- Incorporation into existing databases of PII obtained from commercial or public sources;
- Significant new inter-agency exchanges or uses of PII;
- Alteration of a business process resulting in significant new collection, use and/or disclosure of PII;
- Alteration of the character of PII due to the addition of qualitatively new types of PII;
- Implementation of projects using third-party service providers.