Privacy Impact Assessment – Summary Report
This summary report is for the Research and Intelligence Database. The database helps officers safeguard vulnerable adults and children and provides a fast and efficient way of accessing the data they need, replacing manual processes. This enables the City Council to protect data as well as share data lawfully.
What is a Privacy Impact Assessment?
A Privacy Impact Assessment (PIA) is a process that helps assess privacy risks to individuals in the collection, use and disclosure of information. PIAs help identify privacy risks, foresee problems and bring forward solutions. The primary purpose of a PIA is to demonstrate that an organisation acts responsibly in relation to privacy. PIAs are not legal requirements but show the use of best practice and improve transparency.
It is important to remember that ultimately the focus of a PIA is compliance with the Data Protection Act (DPA). However, compliance with any other relevant legislation will also have been considered.
Why was a Privacy Impact Assessment conducted?
The objective of conducting a PIA for the Research and Intelligence Database (the RI Database) was to identify and manage any data protection issues associated with the project.
How did we go about conducting a Privacy Impact Assessment?
The Information Commissioner’s Office (ICO) identifies six stages in conducting a PIA:
- Identifying the need for a PIA. An initial assessment (i.e. the Screening Process) examined the project at an early stage and made an initial assessment of privacy risk, deciding which level of assessment, if any, was necessary. The RI Database’s potential impact on privacy could be substantial, which indicated that a thorough PIA should be carried out.
- Describing data flows. The different organisations holding relevant information were identified and data lifecycles were produced showing step by step how information would be collected from them, how it would be stored and how it would be evaluated.
- Identifying privacy and related risks. This assessed the privacy risks to individuals and the risks to the organisations involved, collectively referred to as stakeholders, by carrying out consultations with the organisations through data sharing workshops. The main possible risks identified to individuals were loss of privacy and unfair processing of their information. Potential corporate risk was seen as loss of reputation or penalties related to individuals’ loss of privacy or unfair processing.
- Identifying and evaluating privacy solutions. This identified security measures, for example the use of ICT, staff access protocols and staff confidentiality agreements, that could be used to reduce risk. Information sharing agreements between the organisations were also identified as needed to help eliminate risks by setting out clearly the information to be shared, its purpose, how it is to be used and stored, and arrangements for its retention and disposal. The solutions were evaluated as managing the identified risks, which were accepted by the organisations.
- Signing off and recording the PIA outcome. The PIA was signed off by the RI Database project board and this summary records its outcome.
- Integrating the PIA outcomes into the project plan. So far the organisations have entered into the information sharing agreements identified in the PIA. Integrating the PIA outcomes will be an on-going process throughout the life of the project.
What happens next?
Appropriate actions are in place to address privacy issues that might arise and a review of the PIA will be conducted once a year to ensure a continuing response to possible privacy issues.
Want to know more?
If you would like to know more about the PIA for the Research and Intelligence Database please contact: iBase@manchester.gov.uk.