INTRODUCTION

Section 4(1)(c) of the regulations relating to the protection of personal information creates a legal obligation for responsible parties to perform personal information impact assessments. Further, section 57(1) of the Act specifies that when a high risk to the rights and freedoms of data subjects is likely, specifically in the cases expressly mentioned in Section 57(1), that is,
  • for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information together with information processed by other responsible parties
  • for the purpose of processing information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
  • for the purpose of processing information for purposes of credit reporting; or
  • for the purpose of transferring special personal information (i.e. religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject) or personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information;

the responsible party must obtain prior authorisation from the Information Regulator, in terms of section 58.

Since Regulation 4(1)(c) makes a personal information impact assessment a mandatory requirement, should a responsible party decide not to carry one out, it would be good practice to document this decision together with the relevant considerations.


TARGET OF EVALUATION

The target of evaluation defines the scope of the personal information impact assessment. In order to evaluate whether a high risk is likely, the responsible party will require an overview of the data processing in question. A systematic description of the data processing and its purposes, as well as the legitimate interests of the responsible party according to Section 11(1)(d) has to be prepared. It is crucial that the responsible party is aware of the extent of the processing operations in order to determine how these may affect the rights of the individual. This includes, in particular:

  • the data and their formats for storage and transfer (protocols),
  • the information technology (IT) systems used and their interfaces, as well as
  • the processes, procedures, and functional roles.

The personal information impact assessment should not be limited to a single component or function, but must describe the predefined target of evaluation in its entirety, including its technical as well as its organisational implementation at the responsible party level. This could include any use cases (generic technical description) that are to be implemented and should pay particular regard to the purposes of the data processing. To accomplish this, a data flow diagram should be created that schematically depicts the subsystems / stakeholders and the interfaces and connections between them. In this manner, the following are documented:

  1. the components,
  2. the data to be collected,
  3. the interfaces of the components and the data, and any available security features, and
  4. the characteristics of the connections between the components.

Next, it is necessary to assess whether the specified procedure (i.e. the target of evaluation) is necessary and proportionate to the purpose of the processing (Section 10(1)). It is necessary to examine whether the processing operations are fit for purpose and are in fact necessary: whether there are no alternative practices which would interfere less with the rights of data subjects, and whether the interference involved is in proportion to the intended purpose. The purpose can usually be achieved through different procedures, and within each procedure there are different implementation alternatives. From these alternatives, one has to choose the option that requires the least amount of personal information. In addition, certain processing operations may be disproportionate to the stated purpose. For example, the processing of customer data which is necessary for the settlement of a purchase contract for both parties, and which is based on Section 11(1)(b), requires different practices than the tracking of website activity by workers acting in the legitimate interest of the responsible party (to be justified in individual cases and to be weighed up against the interests or rights of the data subjects) in accordance with Section 19. The weighing of interests may therefore already necessitate changes to the planned processing procedure, such as a restriction of the data to be processed, a change in the actors involved, or a change in the technologies used.

Further, it is necessary to comply with data protection conditions such as purpose limitation (Section 13) and data minimisation (Section 10) and, where necessary, competing interests have to be balanced in order to ensure the protection of constitutional rights.
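The inventory described above (components, data to be collected, interfaces with their security features, and the purposes the data serve) can be kept as structured data rather than only as a diagram, which makes the necessity and proportionality checks repeatable. The following is an added example, not part of the original text: it models a constructed target of evaluation and lists (a) flows that would carry special personal information or children's data to a third party in a country without adequate protection, the Section 57(1) transfer case requiring prior authorisation, (b) interfaces without transport encryption, and (c) data elements that serve none of the stated purposes and are therefore candidates for removal under data minimisation. All component names, countries, data elements and purposes are constructed for illustration.

```python
"""Data flow inventory for a target of evaluation (added example).

Models components, data elements and flows as plain data so that the
Section 57(1) transfer trigger, missing transport security and
data-minimisation gaps can be listed mechanically.  Every name, country code,
purpose and flow below is constructed for illustration only.
"""
from dataclasses import dataclass, field

# Special personal information categories as listed in the text
# (the short codes are constructed labels, not a legal enumeration).
SPECIAL_CATEGORIES = {"religion", "race", "union", "politics",
                      "health", "sex_life", "biometric"}


@dataclass(frozen=True)
class Component:
    name: str
    operator: str              # "self" = responsible party, "third" = third party
    country: str               # constructed country label
    adequate_protection: bool  # whether that country offers adequate protection


@dataclass(frozen=True)
class DataElement:
    name: str
    category: str                      # e.g. "identity", "contact", "health"
    is_child_data: bool = False
    purposes: frozenset = frozenset()  # stated purposes this element serves


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    elements: tuple   # names of DataElements carried over this interface
    protocol: str
    encrypted: bool   # transport security present on the interface


@dataclass
class TargetOfEvaluation:
    components: dict = field(default_factory=dict)
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)
    purposes: set = field(default_factory=set)  # the stated purposes of processing

    def prior_authorisation_flows(self):
        """Flows carrying special PI or children's data to a third party in a
        country without adequate protection (the Section 57(1) transfer case)."""
        hits = []
        for f in self.flows:
            tgt = self.components[f.target]
            if tgt.operator == "self" or tgt.adequate_protection:
                continue
            sensitive = tuple(e for e in f.elements
                              if self.elements[e].category in SPECIAL_CATEGORIES
                              or self.elements[e].is_child_data)
            if sensitive:
                hits.append((f.source, f.target, sensitive))
        return hits

    def unprotected_interfaces(self):
        """Interfaces whose transport offers no encryption."""
        return [(f.source, f.target, f.protocol) for f in self.flows if not f.encrypted]

    def surplus_elements(self):
        """Elements collected that serve none of the stated purposes
        (candidates for removal under data minimisation)."""
        return sorted(n for n, e in self.elements.items() if not (e.purposes & self.purposes))


def build_example():
    """Constructed target of evaluation: a webshop with CRM, payment gateway
    and a foreign analytics service."""
    toe = TargetOfEvaluation(purposes={"contract", "support"})
    for c in [Component("webshop", "self", "ZA", True),
              Component("crm", "self", "ZA", True),
              Component("analytics-saas", "third", "XX", False),
              Component("payment-gw", "third", "ZA", True)]:
        toe.components[c.name] = c
    for e in [DataElement("name", "identity", purposes=frozenset({"contract"})),
              DataElement("email", "contact", purposes=frozenset({"contract", "support"})),
              DataElement("card_token", "financial", purposes=frozenset({"contract"})),
              DataElement("health_note", "health", purposes=frozenset({"support"})),
              DataElement("date_of_birth", "identity", purposes=frozenset({"marketing"})),
              DataElement("child_flag", "identity", is_child_data=True,
                          purposes=frozenset({"contract"}))]:
        toe.elements[e.name] = e
    toe.flows += [
        Flow("webshop", "crm", ("name", "email", "health_note", "child_flag"), "https", True),
        Flow("webshop", "payment-gw", ("card_token",), "https", True),
        Flow("crm", "analytics-saas", ("email", "health_note", "child_flag"), "http", False),
    ]
    return toe


if __name__ == "__main__":
    toe = build_example()
    print("prior authorisation needed:", toe.prior_authorisation_flows())
    print("unencrypted interfaces:    ", toe.unprotected_interfaces())
    print("surplus data elements:     ", toe.surplus_elements())
```

Each finding maps back to a line of the inventory, so the responsible party can record for every flagged flow, interface or element which alternative was chosen (drop the element, encrypt the interface, move the recipient, or seek authorisation) and why.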


POTENTIAL ATTACKERS

While in IT security threats are usually assessed from an organisational point of view, in a personal information impact assessment the perspective is that of the data subjects. Consequently, attackers are not limited to third parties, but can also be rule-abiding internal users of the organisation itself, e.g. employees or contractors gaining access to personal information. The goal of a preliminary assessment is not the protection of business processes but of the rights and interests of an organisation’s customers, employees, etc. Thus, it has to be ascertained whether the following organisations pose a risk to the rights and interests of the data subject:

  • Public authorities:
    • Security services: Department of State, police, intelligence services, military, etc.
    • Public benefit administration, i.e. social security services
    • Statistics agencies
    • Failing authorities, which open spaces for illegal activities
  • Enterprises:
    • Technology companies, system integrators, IT providers (access, content, etc.)
    • Banks, insurance companies
    • Credit agencies, address and data trading companies
    • Advertising agencies
    • Advocacy groups and lobbyists
    • Employers
  • Health care:
    • Hospitals, doctors
    • Public and private health insurers
  • Research:
    • Medical, social research
    • Universities.

There is, of course, a conflict of interest when the organisation conducting the personal information impact assessment is also seen as a serious risk to data protection. In order to avoid any blind spots in the risk evaluation, there should at least be retroactive external supervision. Further, an organisation’s information officer is by definition expected to take the point of view of the data subjects affected by the processing.


EVALUATION OF RISK

At the core of the evaluation is the comparison of the responsible party’s envisaged measures, or those determined in the course of the assessment, with a catalogue of reference measures. Table 1 contains selected measures which – when implemented correctly – can ensure the safeguarding of the protection objectives as detailed above in Fig. 2. While this list is generic, the measures taken may have to be updated in line with advances in the state of the art. Additionally, due to its generic nature the list cannot be used as a mere checklist. The mere implementation of a listed measure does not satisfy the risk evaluation. For instance, a system may implement a rights and roles concept to ensure confidentiality. However, this alone cannot satisfy the requirement of confidentiality. If rights are granted over-generously and roles are not clearly separated, the concept is not effective. Therefore, the responsible party will have to explain how the rights and roles concept of the specific system in question ensures confidentiality of the data processed.

In the course of the risk evaluation, any deviations from the reference measures have to be assessed in the light of their gravity and of how far they compromise the protection objectives. Turning back to the example of the rights and roles concept, this means that if the responsible party did not even implement such a basic measure, it is prima facie doubtful whether the system can satisfy the requirement of confidentiality. Where the analysis demonstrates such failures to comply with protection objectives, such a finding – from the viewpoint of the Information Regulator – leads to an assumption of deficiencies in data protection and has to be redressed. The Information Regulator in its advisory role may provide advice on remedies. In practice it can easily be ascertained through recourse to this model whether criteria and benchmarks have not been satisfied, as the envisaged measures and the quality of their implementation according to the protection standard will be missing. If different measures are chosen, the assessment may be more complex, and proof of appropriateness and of at least equivalence to the reference measure will have to be provided.
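The two defects named above, rights granted over-generously and roles that are not clearly separated, can be checked against a role matrix rather than asserted. The following is an added example, not part of the original text and not a reference measure from any catalogue: it takes a constructed role-to-permission matrix and constructed separation rules, reports roles that hold most of the permission space, roles that combine duties a single role should not hold, and, going one step beyond the text, users whose accumulated role assignments combine such duties even though each role on its own is acceptable. Roles, permissions, rules and user names are all constructed for illustration.

```python
"""Effectiveness check for a rights and roles concept (added example).

Reports over-generous roles, separation-of-duties conflicts within a role,
and conflicts that arise only from a user's accumulated role assignments.
All roles, permissions, separation rules and users are constructed.
"""

# Permissions are (data_category, action) pairs; categories are constructed.
ROLES = {
    "support_agent": {("contact", "read"), ("contact", "write"), ("health", "read")},
    "billing_clerk": {("financial", "read"), ("financial", "write"), ("contact", "read")},
    "auditor": {("financial", "read"), ("financial", "approve"), ("audit_log", "read")},
    "platform_admin": {("contact", "read"), ("contact", "write"), ("contact", "delete"),
                       ("financial", "read"), ("financial", "write"), ("financial", "delete"),
                       ("health", "read"), ("health", "write"), ("health", "delete"),
                       ("audit_log", "read"), ("audit_log", "delete")},
}

# Pairs of duties that one principal must not hold together (constructed rules):
# whoever records financial data must not approve it, and whoever can change
# financial or health data must not be able to erase the audit trail.
SEPARATION_RULES = [
    (("financial", "write"), ("financial", "approve")),
    (("financial", "write"), ("audit_log", "delete")),
    (("health", "write"), ("audit_log", "delete")),
]

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": ["support_agent"],
    "bob": ["billing_clerk", "auditor"],
    "carol": ["platform_admin"],
}


def all_permissions(roles):
    """Union of every permission granted by any role."""
    return set().union(*roles.values())


def overly_generous(roles, threshold=0.5):
    """Roles holding more than `threshold` of the whole permission space.
    The threshold is a constructed heuristic, not a legal criterion."""
    total = len(all_permissions(roles))
    return [name for name, perms in roles.items() if len(perms) / total > threshold]


def conflicts_in(perms, rules):
    """Separation rules violated by one set of permissions."""
    return [rule for rule in rules if rule[0] in perms and rule[1] in perms]


def separation_violations(roles, rules):
    """(role, rule) pairs where a single role combines forbidden duties."""
    return [(name, rule) for name, perms in roles.items()
            for rule in conflicts_in(perms, rules)]


def user_violations(assignments, roles, rules):
    """Users whose accumulated roles combine forbidden duties; a user with
    two individually clean roles can still end up here."""
    result = {}
    for user, role_names in assignments.items():
        effective = set().union(*(roles[r] for r in role_names))
        hits = conflicts_in(effective, rules)
        if hits:
            result[user] = hits
    return result


if __name__ == "__main__":
    print("over-generous roles:", overly_generous(ROLES))
    for role, rule in separation_violations(ROLES, SEPARATION_RULES):
        print(f"role {role} combines {rule[0]} with {rule[1]}")
    for user, hits in user_violations(ASSIGNMENTS, ROLES, SEPARATION_RULES).items():
        print(f"user {user} accumulates: {hits}")
```

Output of such a check is evidence, not a verdict: a flagged administrator role may be unavoidable, but the assessment must then state the compensating controls (for example, logging that the administrator cannot alter) rather than rely on the existence of a role concept.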

Taking into account the proper measures identified at this stage, the necessity and proportionality of the data processing envisaged by the responsible party can be assessed.