PRIVACY IMPACT ASSESSMENTPDF电子书下载

Part Ⅰ Setting the Scene 3

1 Introduction to Privacy Impact Assessment&David Wright and Paul De Hert 3

1.1 Growing Interest 3

1.2 A Few Key Definitions 5

1.3 A PIA Timeline 8

1.4 Why Carry Out a PIA? 10

1.4.1 To Manage Risks 10

1.4.2 To Derive Benefits 16

1.5 Variations in PIA Approaches 17

1.6 Open Issues 23

1.6.1 Scale and Scope of the PIA 24

1.6.2 Who Should Perform the PIA? 25

1.6.3 Should Engaging External Stakeholders Be Part of the PIA Process? 26

1.6.4 Should PIAs Be Published? 27

1.6.5 Should PIAs Be Mandatory? 28

1.6.6 Should the DPA or Privacy Commissioner “Approve” a PIA? 29

1.6.7 Should a PIA Apply to the Development of New Policy? 30

1.6.8 Two or More Organisations Collaborating on a PIA 30

1.6.9 Are Trans-national PIAs Feasible? 31

1.7 Objectives and Scope of This Book 31

2 A Human Rights Perspective on Privacy and Data Protection Impact Assessments&Paul De Hert 33

2.1 Terminology 33

2.2 Data Protection Impact Assessments 34

2.3 Privacy Impact Assessment: What Is Privacy? 38

2.4 Privacy Impact Assessments: Privacy and Permissible Limitations 40

2.5 The Technology Should Be Used in Accordance with and as Provided by the Law （First PIA Element） 45

2.5.1 Open Questions About the Transparency and Legality Requirement 48

2.6 The Technology or Processing Should Serve a Legitimate Aim （Second PIA Element） 49

2.7 The Technology Should Not Violate the Core Aspects of the Privacy Right （Third PIA Element） 51

2.8 The Technology Should Be Necessary in a Democratic Society （Fourth PIA Element） 54

2.8.1 Necessity, Evidence and Politics 56

2.9 The Technology Should Not Have or Give Unfettered Discretion （Fifth PIA Element） 59

2.10 The Technology Should Be Appropriate, Least Intrusive and Proportionate （Sixth PIA Element） 61

2.10.1 Appropriateness and the Least Intrusive Method 63

2.10.2 The Fair Balance Requirement, Evidence and Precaution 66

2.10.3 The Fair Balance Requirement, Stakeholder Participation and Impact Assessments 70

2.11 The Technology Should Not Only Respect Privacy Requirements But Also Be Consistent with Other Human Rights （Seventh PIA Element） 72

2.12 Conclusion 74

3 （Regulatory） Impact Assessment and Better Regulation&David Parker 77

3.1 The Development of （Regulatory） Impact Assessment 79

3.2 Use of RIA/IA in the UK 81

3.3 RIA/IAs and the European Commission 92

3.4 Conclusions 95

4 Prior Checking, a Forerunner to Privacy Impact Assessments&Gwendal Le Grand and Emilie Barrau 97

4.1 Introduction 97

4.2 How Prior Checking Has Been Implemented 98

4.2.1 Prior Checking Has Been Transposed in the National Legislation of Most Member States and Is Used by Most Member States 98

4.2.2 Prior Checking Is Limited to Operations Likely to Present Specific Risks in Most Countries 99

4.2.3 Categories of Processing Operations, When They Are Defined, Are Not Homogeneous 100

4.2.4 Exemptions Are Foreseen in Half of the Countries 102

4.2.5 Prior Checking in the Context of National Legislative Measures and Regulations is Carried Out in Half of the Countries 103

4.3 How Prior Checking Has Worked in Practice 105

4.3.1 Prior Checking Takes Different Forms at National Level； Data Protection Authorities Use Several Tools 105

4.3.2 The Format and Publicity of the Data Protection Authorities’ Decisions Are Not Harmonised Across Europe 106

4.3.3 Data Protection Authorities Usually Set a Time Limit to Complete Prior Checking 107

4.3.4 In the Context of Prior Checking,Notifications by the Controller Usually Do Not Include More Information than Notifications for Other Types of Processing 108

4.3.5 Data Protection Authorities Have Developed Specific Instruments or Procedures for Processing Operations Subject to Prior Checking 109

4.3.6 Decisions of the Data Protection Authorities Can Generally Be Appealed Before an Administrative Court 110

4.3.7 Data Controllers Who Start Processing Operations Without Notifying the Data Protection Authority Most Likely Get Fined 110

4.4 Lessons Learned from Prior Checking 111

4.4.1 Assessment of the Current Prior Checking System and Potential Evolutions 111

4.4.2 Data Protection Authorities Use Tools to Complement Prior Checking 112

4.4.3 What Role for Privacy Impact Assessments? 112

4.5 Conclusion 115

Part Ⅱ Five Countries Lead the Way 119

5 PIAs in Australia: A Work-In-Progress Report&Roger Clarke 119

5.1 Introduction 119

5.2 The Nature of PIAs 120

5.3 The History and Status of PIAs in Australia 120

5.3.1 Pre-2000 122

5.3.2 Post-2000 123

5.3.3 The 10 Contexts 124

5.4 PIA Guidance Documents 137

5.4.1 Evaluation Criteria 137

5.4.2 The Victorian Privacy Commissioner’s Guide 138

5.4.3 The Australian Privacy Commissioner’s Guide 139

5.5 Future Developments 142

5.5.1 The States and Territories 142

5.5.2 The OAPC/ICO 144

5.5.3 The ALRC’s Recommendations 144

5.5.4 The Government’s Response 146

5.6 Conclusions 147

6 Privacy Impact Assessment - Great Potential Not Often Realised&Nigel Waters 149

6.1 Introduction 149

6.2 A Useful Analogy‘? 150

6.3 What Is PIA? 150

6.4 PIA and Privacy by Design 150

6.5 PIA and Privacy Auditing 151

6.6 Who Should Be the Client? 152

6.7 In an Ideal World&? 153

6.8 Using PIA Findings to Effect Change 153

6.9 Some Examples of PIA 155

6.9.1 Online Authentication for e-Government in New Zealand 155

6.9.2 Retention and Linkage of Australian Census Data 156

6.9.3 The Australian Financial Reporting Regime 156

6.9.4 Individual Identifiers for e-Health in Australia 157

6.9.5 Hong Kong Smart Identity Card 158

6.10 Conclusion 160

7 Privacy Impact Assessments in Canada &Robin M.Bayley and Colin J.Bennett 161

7.1 Introduction 161

7.1.1 The Canadian Privacy Legislative Framework 162

7.2 The Conduct of PIAs in Canada 164

7.2.1 The Legal Basis for Privacy Impact Assessments 164

7.2.2 Who Conducts PIAs? 166

7.2.3 Private Sector PIAs 168

7.2.4 When PIAs Are Required 169

7.2.5 PIAs Involving State Security, Law Enforcement and International Projects and Agreements 171

7.2.6 PIA Characteristics and Methodology 172

7.2.7 The Audit and Review of PIAs 175

7.2.8 The Publication of PIAs 180

7.3 Conclusions 182

8 Privacy Impact Assessment in New Zealand -A Practitioner’s Perspective&John Edwards 187

8.1 Introduction 187

8.2 Background 188

8.3 A Short History of Privacy Impact Assessment in New Zealand 188

8.4 Undertaking Privacy Impact Assessments 193

8.5 Timing 194

8.6 The Cost of Privacy Impact Assessment 195

8.7 For Whom Is the Report Prepared? 196

8.8 Problems with Privacy 196

8.9 Independence 199

8.10 Givens 199

8.11 Scope Constraints 200

8.12 Legal Professional Privilege Applies 201

8.13 After the Assessment? 202

8.14 Conclusion 203

9 Privacy Impact Assessment in the UK&Adam Warren and Andrew Charlesworth 205

9.1 Introduction 205

9.2 Legislative and Policy Framework 207

9.2.1 Legislation 208

9.2.2 Policy 210

9.3 The UK PIA Process 211

9.4 Case Study: Office for National Statistics （ONS）, 2011 Census 214

9.5 Lessons Learnt 216

9.6 Future Developments 221

9.7 Conclusion 223

10 PIA Requirements and Privacy Decision-Making in US Government Agencies&Kenneth A.Bamberger and Deirdre K.Mulligan 225

10.1 Introduction 225

10.2 The US PIA Requirement and Its Implementation 228

10.3 Challenges Inherent in the PIA Model 230

10.3.1 Limits of Process 230

10.3.2 Substantive Barriers to Oversight 231

10.4 Seeking Ways to Overcome Barriers to PIA Success:Learning from the US Experience 235

10.4.1 Lessons from NEPA 236

10.5 Suggestions from the US PIA Experience: The RFID Cases 237

10.5.1 The Cases in Brief 238

10.5.2 Possible Elements of Variance 240

10.6 Status and Independence of Embedded Privacy Experts 241

10.7 Expert Personnel, Integrated Structure and the PIA Tool 245

10.7.1 Creating Accountability in the Absence of Oversight: The Privacy and Integrity Advisory Committee 248

10.8 Directions for Further Inquiry 249

Part Ⅲ PIA in the Private Sector: Three Examples 253

11 PIA: Cornerstone of Privacy Compliance in Nokia&Tobias Brautigam 253

11.1 Introduction 253

11.2 Definitions 255

11.2.1 Privacy 255

11.2.2 Personal Data 256

11.2.3 PCI DSS 256

11.2.4 PIA, PISA 256

11.2.5 Nokia 256

11.3 Nokia’s Approach to Privacy 256

11.3.1 Governance Model 257

11.3.2 Other Measures in Support of Privacy 259

11.3.3 Reasons for Conducting Privacy Assessments 260

11.4 The Process, or How Privacy Assessments Are Conducted 261

11.4.1 Two Kinds of Privacy Assessments 261

11.4.2 Undertaking a PISA 261

11.4.3 The PIA Process - Deviations from PISA 263

11.5 The Content of Privacy Assessments 264

11.5.1 The PISA Template 264

11.5.2 The PIA Template 267

11.6 Areas for Improvement 269

11.6.1 Quality of the Requirements That Are Assessed 269

11.6.2 Resources 270

11.6.3 Awareness 270

11.6.4 Evaluating Findings 271

11.6.5 Information Not Available 271

11.6.6 Corrective Actions 271

11.6.7 Speed of Execution 271

11.7 Conclusion and Summary: 10 Recommendations 271

11.7.1 Start Small, But Start 272

11.7.2 Awareness 272

11.7.3 Privacy Assessments Need to Be Supported by a Governance Model 272

11.7.4 Definitions of Requirements Must be as Self-Explanatory as Possible 273

11.7.5 Include Open Questions in the Assessments 273

11.7.6 Specialisation 273

11.7.7 Cultivate a Culture of Continuous Improvement and Open Communication 273

11.7.8 Prioritisation 274

11.7.9 Effective Resource Management 274

11.7.10 Inclusion of PIA and PISA When Managing Projects 274

12 How Siemens Assesses Privacy Impacts&Florian Thoma 275

12.1 Siemens at a Glance 275

12.2 Terminology 276

12.3 Some Challenges 276

12.4 The Data Protection Officer’s Tasks 277

12.5 Prior Checking 278

12.6 Processor Audits 279

12.7 Group IT System Assessment: Inter-company Agreements 280

12.8 Assessment of Offshoring and Outsourcing Projects 281

12.9 Advantages of Privacy Impact Assessments 282

12.10 Involvement of Data Protection Authorities 283

12.11 Moving Forward 283

13 Vodafone’s Approach to Privacy Impact Assessments&Stephen Deadman and Amanda Chandler 285

13.1 Introduction 285

13.2 Vodafone’s Core Business Operations 286

13.3 The External and Industry Environment 287

13.4 Vodafone’s Policy and Approach to Privacy Risk Management 287

13.4.1 Governance and Accountability 288

13.4.2 Principles 288

13.5 Privacy Impact Assessments 289

13.6 Vodafone’s Privacy Programme 289

13.7 The Role of the PIA in the Vodafone Privacy Programme 290

13.7.1 Strategic Privacy Impact Assessment 290

13.7.2 Case Study - Location Services 291

13.8 PIA and the Privacy Risk Management System （PRMS） 295

13.8.1 Strategic Aims and Objectives of the PRMS 295

13.8.2 Key Operational Controls in the PRMS 296

13.9 The Role of the Privacy Officer 301

13.10 The Role of Privacy Impact Assessment in the PRMS 302

13.11 Conclusion - The Value of Privacy Impact Assessments 303

Part Ⅳ Specialised PIA: The Cases of the Financial Services Industry and the RFID PIA Framework 307

14 The ISO PIA Standard for Financial Services&John Martin Ferris 307

14.1 Introduction 307

14.2 Overview of the ISO 22307:2008 Voluntary Consensus Standard 308

14.2.1 A PIA Is Useful During Any Phase of a System’s Life Cycle 308

14.2.2 A PIA Requires a Process Including a Plan 309

14.2.3 A PIA Needs an Adequate Description of the System 310

14.2.4 A PIA Standard Should Be Neutral on Frameworks That Support a PIA Development 310

14.2.5 A PIA Is Not a Privacy Audit 313

14.3 History of ISO 22307:2008 313

14.4 Voluntary Consensus Standards 315

14.4.1 ISO TC 68 316

14.4.2 Business Challenges of ISO TC 68 and Voluntary Consensus Standards 316

14.4.3 ISO TC 68 Security and Privacy Work 319

14.4.4 Choosing Voluntary Consensus Standards 319

14.5 Summary 321

15 The RFID PIA - Developed by Industry, Endorsed by Regulators&Sarah Spiekermann 323

15.1 Introduction - The History of the RFID PIA 323

15.2 Preliminary Considerations Before Engaging in a PIA 327

15.3 Initial Analysis to Determine the Scope of PIA 329

15.4 PIA Risk Assessment Process 333

15.4.1 How Is the Risk Assessment Done Step By Step? 334

15.5 PIA Reporting 344

15.6 Conclusion 344

16 Double-Take: Getting to the RFID PIA Framework&Laurent Beslay and Anne-Christine Lacoste 347

16.1 An Introduction to the RFID Recommendation 347

16.2 Conditions of Involvement of the Art.29 WP 348

16.3 The Different Actors Involved in the Recommendation 349

16.3.1 The European Data Protection Supervisor 349

16.3.2 The European Network and Information Security Agency 349

16.3.3 Industry 350

16.3.4 National Authorities and Agencies 350

16.4 From a Negative Opinion of the WP29 to a Positive One 350

16.4.1 The July 2010 Opinion of the Art&29 WP and the Issue of Risk Analysis 350

16.5 Endorsement of the Art&29 WP: Consequences and Further Steps 354

16.6 PIA in Perspective 356

16.6.1 PIA for RFID Applications and Impact Assessments in a Regulatory Process 356

16.6.2 The Issue of Representativeness of the Industry Group 356

16.6.3 PIA Procedure: A Voluntary Action 357

16.6.4 The PIA Framework for RFID: An Example for Other Technological Fields? 358

16.7 Conclusion: Efficiency of PIA and Residual Risk:A Difficult Compromise 358

Part Ⅴ Specific Issues 363

17 Surveillance: Extending the Limits of Privacy Impact Assessment&Charles Raab and David Wright 363

17.1 Introduction 363

17.2 Objections to Subjecting Surveillance to PIA 364

17.2.1 A Brake on Technical Progress 364

17.2.2 Some Surveillance Involves Central Functions of the State 365

17.2.3 Some Surveillance Involves Commercial Sensitivity 366

17.2.4 Some Surveillance Involves More Than One Country 367

17.2.5 Ineffectiveness Would Be Revealed by a PIA 368

17.2.6 PIA Is Too Narrowly Focused 369

17.3 Types of Surveillance 369

17.3.1 Watching 370

17.3.2 Listening 370

17.3.3 Locating 370

17.3.4 Detecting 371

17.3.5 Dataveillance 372

17.3.6 Assemblages 372

17.3.7 Surveillance: Causes of Concern 373

17.4 Who Are the Surveillants, and Why Do They Use Surveillance? 374

17.4.1 Public Sector 374

17.4.2 Private Sector 375

17.4.3 Society 375

17.5 Assessing Surveillance Effects: Privacy and Beyond 376

17.6 Conclusion 382

18 The Madrid Resolution and Prospects for Transnational PIAs&Artemi Rallo Lombarte 385

18.1 The Madrid Resolution 385

18.1.1 Origin of the Document 385

18.1.2 The Contents of the Madrid Resolution 387

18.2 Privacy Impact Assessments in the Madrid Resolution 390

18.3 Reception of the Madrid Resolution 392

18.3.1 Towards a Binding International Instrument 392

18.3.2 Mexico: First Country to Incorporate the Resolution into Its Legal System 394

18.3.3 Europe: Influence of the Madrid Resolution on the “Future of Privacy” 394

18.4 Conclusions 395

19 Privacy and Ethical Impact Assessment &David Wright and Emilio Mordini 397

19.1 Introduction 397

19.2 Governance Issues in the Practice of an Ethical Impact Assessment 401

19.2.1 The Role of Ethics 401

19.2.2 Consulting and Engaging Stakeholders 402

19.2.3 Accountability 404

19.2.4 Providing More Information, Responding to Complaints and Third Party Ethical Review 405

19.2.5 Good Practice 406

19.3 Ethical Principles 406

19.3.1 Respect for Autonomy 407

19.3.2 Dignity 407

19.3.3 Informed Consent 408

19.3.4 Justice 409

19.4 Social Cohesion 410

19.4.1 Nonmaleficence （Avoiding Harm） 410

19.4.2 Beneficence 412

19.4.3 Social Solidarity, Inclusion and Exclusion 415

19.4.4 Sustainability 415

19.5 Conclusions 416

20 Auditing Privacy Impact Assessments: The Canadian Experience&Jennifer Stodda 419

20.1 Introduction 419

20.2 Supporting the Performance of PIAs 421

20.2.1 PIAs Are Only as Good as the Processes That Support Them 422

20.2.2 Frameworks Lacking Critical Control Elements Are More Likely to Fail 425

20.3 Improving PIA Processes 429

20.3.1 PIAs Should Be Integrated with Other Risk Management Processes 430

20.3.2 PIA Requirements Need To Be Streamlined 430

20.4 Need for Strategic Privacy Impact Assessment 432

20.5 Enhancing Public Reporting Requirements to Improve PIAs 433

20.6 Conclusion: Evaluating the Effects of Our Audit 434

21 Privacy Impact Assessment: Optimising the Regulator’s Role&Blair Stewart 437

21.1 Introduction 437

21.2 Approach 438

21.3 Part A: Getting Started 440

21.4 Part B: Getting Through 441

21.5 Part C: Getting Results 441

21.6 Part D: Getting Value 443

21.7 Closing Comments 444

22 Findings and Recommendations&David Wright and Paul De Hert 445

22.1 PIA Policy Issues: Recommendations for a Better Framework on PIA 446

22.1.1 PIAs Should Be Conducted by Any Organisation Impacting Privacy 446

22.1.2 PIA Needs Champions, High Level Support and an Embedded Privacy Culture 446

22.1.3 A PIA Should Be “Signed Off’ by a High-Level Official and Tied to Funding Submissions 448

22.1.4 Risk Management Should Be a Part of PIA,and PIA Should Be Part of Risk Management 448

22.1.5 Privacy Commissioners Should Play a Key Role in PIA 449

22.1.6 Prior Checking and PIA Should Be Complementary, But Their Mutual Relationship Needs More Study 450

22.1.7 Transparency Contributes to the Success of a PIA 452

22.1.8 Publish the Results of the PIA and Communicate with Stakeholders, Including the Public 453

22.1.9 Guard Against Conflicts of Interest 454

22.1.10 Ensure Third-Party Review and Audit of PIAs 455

22.1.11 Common Standards and Good Practice Need To Be Better Identified 456

22.1.12 Create a Central Registry of PIAs 457

22.1.13 Multi-agency and Transnational Projects Should Be Subject to PIA 458

22.1.14 Should PIAs Be Mandatory? 459

22.2 PIA Practice: Guidance for Individual PIAs 462

22.2.1 When Is a PIA Necessary? 462

22.2.2 Determine the Objectives, Scale and Scope of the PIA 463

22.2.3 Initiate a PIA Early, When It Is Possible to Influence Decision-Making 465

22.2.4 Who Should Initiate and Conduct the PIA? 465

22.2.5 Describe the Proposed Project and Map the Information Flows 466

22.2.6 Identify and Engage Stakeholders 466

22.2.7 A Compliance Check Is Only Part of a PIA 470

22.2.8 A PIA Should Address All Types of Privacy 471

22.2.9 &and Other Values Too 472

22.2.10 With Stakeholders, Identify the Risks and Impacts of the Project 473

22.2.11 Questions 473

22.2.12 Identify Options （Controls） for Avoiding or Mitigating Negative Privacy Impacts 474

22.2.13 Justify the Business Case for the Residual Risk and Maintain a Risk Register 474

22.2.14 Review and Update the PIA as the Project Progresses 475

22.2.15 Prepare the PIA Report and Implement the Recommendations 476

22.2.16 Training and Raising Awareness 476

22.2.17 PIA Has Value - Get It！ 477

22.3 Room for Improvement and Concluding Remarks 478

About the Authors 483

References 493

Index 519