Privacy impact assessment: an instrument for transparency and building trust in e-government services

David Wright
Managing Partner
Trilateral Research & Consulting
Brussels, 19 Feb 2013

Outline
• Introduction: The promises of e-government
• A right to know and assess privacy impacts
• What is a privacy impact assessment?
• Benefits of PIAs
• Recommendations for MEPs

The promise of e-government
• better service delivery to citizens
• empowerment of the people
• access to information and participation in public policy decision-making
• But the reality is
  • cost savings for government
  • fewer administrative burdens
  • reduced work-process time

Governments are interested in e-government
• … and have been spending accordingly
• But the promises of e-government have not been fulfilled as quickly as expected
• The adoption and take-up of e-government has been rather slow
• Why?

Factors affecting the uptake of e-government
• National culture (some people are more risk averse than others)
• User friendliness of services
• Perceived advantages to citizens (not that great)
• Inadequate infrastructure
• Poor understanding of people’s needs
• Government agencies do not engage citizens in the development of e-government services
• Lack of trust
• Citizens’ growing awareness that these technologies can intrude upon their privacy

A right to know and assess privacy impacts
• People have a right to know if new technologies or services will intrude upon their privacy
  • just as they have a right to know about the quality of the water they drink
  • or the impact upon the environment of a new chemical production factory.

PIA gives practical force to the right to know
• “PIA remains the most comprehensive model in place to assess the effects of federal initiatives on an individual’s privacy” – Jennifer Stoddart
• PIA is a way of engaging citizens in the assessment of new services potentially impacting privacy.
• It is a way of improving transparency.
• PIA is mandatory (like food product labelling) in Canada, US, UK
• Other countries strongly encourage use of PIA

What is PIA?
• a process for assessing the impacts on privacy of a project, technology, service, policy or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise the negative impacts.
• A PIA is about identifying risks and finding solutions, not simply producing a report that demonstrates compliance.

Various PIA methodologies and policies
• PIAF project aimed to develop an “optimised” PIA for Europe
• Reviewed methodologies in Australia, Canada, New Zealand, HK, Ireland, US, UK
• Surveyed EU DPAs
• Workshops, final report with recommendations

PIA benefits
• The costs of fixing a project at the planning stage will be a fraction of those incurred later on.
• PIA helps an organisation to avoid costly or embarrassing privacy mistakes.
• PIA can help to reduce or even eliminate any liability, negative publicity and loss of reputation.
• PIA enhances informed decision-making.
• PIA is a way to gain the public’s trust and confidence that privacy has been built into the design of e-government services.
• Trust is built on transparency, and a PIA is a disciplined process that promotes open communications, common understanding and transparency.

Article 33 is quite good
• It is risk-based, cites examples of risk.
• It makes data protection impact assessment (DPIA) mandatory.
• It specifies what the DPIA report shall contain.
• Art. 33 (4) obliges the data controller to seek the views of data subjects.
• It holds out the prospect of audits of PIAs.
• But it could be improved…

Recommendations for MEPs
• PIA should be “required for such processing operations even on a small scale”.
• PIA vs DPIA – DPIA sends the wrong message.
• Cite benefits of PIA in the recitals.
• Encourage publication of the PIA report (if necessary, redacted).
• Oblige audit of the PIA.
• Oblige organisations to keep a public, easily discovered registry of their PIA reports.

That’s all!
david.wright@trilateralresearch.com
www.trilateralresearch.com