PRIVACY IMPACT ASSESSMENT: SOME APPROACHES, ISSUES AND EXAMPLES

The paper examines the concept and practice of privacy impact assessment (PIA). After introducing and defining the topic, the paper outlines some approaches (the “what”, “when”, “who” and “why” of PIA). The paper discusses aspects of the process from its start, where terms of reference are suggested, through its undertaking, with regard to a variety of guidelines, to the end of the process, where the PIA findings should be integrated into project decision-making. Following general coverage of the subject, the paper examines several particular issues including the relationship between PIA and privacy law, the role of lawyers, public access to PIA findings, and whether PIA should, in addition to identifying alternatives to a proposal, evaluate such alternatives. The paper closes with three appendices which set out recent articles, guidelines adopted in several jurisdictions and, for the first time, lists PIAs undertaken in Hong Kong, New Zealand and Canada.