1 / 12

Chester Soong

Could mandatory Privacy Impact Assessment be a solution to enhance Personal Privacy and Data Protection? . Chester Soong. What is PIA and why should we do it?.

calder
Télécharger la présentation

Chester Soong

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Could mandatory Privacy Impact Assessment be a solution to enhance Personal Privacy and Data Protection? Chester Soong

  2. What is PIA and why should we do it? • According to the PIA Guide by the Office of the Australian Information Commissioner, PIA is an assessment tool tells the story of a project from privacy perspective: • Describes how personal information flows in a project • Analyses the possible privacy impacts on individuals’ privacy. • Identifies and recommends options for managing, minimising or eradicating these impacts. • Analyses the project’s effect on individual privacy. • Helps find potential solutions and manage privacy impact through this analysis. • Can make a significant difference to the project’s privacy impact and still achieve or enhance the project’s goals. • Encourages good privacy practice and underpins good public policy in the project or, in the private sector, underpins good risk management. • In addition to the ICO of the UK, the PIA process should be much broader than an audit of compliance

  3. The General Situation in the Adoption of PIA • There are basically only the US and Canada are mandating the conduct of PIA on public agencies • Some other jurisdictions such as Hong Kong, Australia, and the UK encourage the use of PIA • Others such as Taiwan and Finland choose not to mention at all in their laws and official stance

  4. The Counter Forces of Allowing PIA to be Mandatory • Cost and resources issues • Cultural issues in organizations • Lack of privacy advocate groups

  5. Cost and resources issues • The available of PIA and privacy consultants are generally lacking in many jurisdictions • New legislations would have to be drafted especially when both government and industry are applied. Legislative process is expensive • Resources is needed to follow up and monitor the progress of addressing the results of the a PIA • In the public sector, the budget allocated for conducting PIA is often in direct proportion with the target project. So small projects cannot afford to conduct full PIA

  6. Cultural Issues in Organizations • While the senior management “may” fund PIA useful in helping them to identify privacy risks, It is the common culture for the project managers and working level staff to feel pressured and reject the use of PIA. • Audit is often perceived as a fault finding exercise. • The OAIC changed its OPC audit program to “Privacy Performance Assessment trying to dilute the “audit” perception felt by the government agencies • Roger Clerk talks about how the private sector in the US doesn’t like the idea of conducting PIA on private sector initiatives in his article “PIA: Its origins and development” • This could be the hardest hurdle of mandating PIA and it could well become a checklist review if it is forced down by the oversight body

  7. Lack of Advocate Group • Most general public would know Greenpeace but very few people know about Privacy International • The Chu Yi Wah v Director of Environmental Protection of HKSAR Government [2011] 5 HKLRD 469, [2011] HKEC 1275 • We are lacking privacy advocate groups such as the PI in Asia, and especially Hong Kong to act as policy watchdog for challenging both governments and private organizations • Advocate groups can also attract and concentrate like-minds of privacy advocates and experts to build a strong moving force in promoting PIA and enhance personal privacy protection

  8. The “Preferred” Approach of Adopting PIA • PIA v Compliance Audit • The protection principles checklists are not there to confuse between PIA and compliance audit • It is useful as a continuous assessment tool for a system that is already in use, and especially helpful for organizations and agencies without in-house privacy expertise • ICO commended that PIA takes on a much wider scope and perspective on privacy protection than compliance audit. It is an independent process that helps the project owner to assess whether there could be privacy risks and how big the privacy impact could be, and corresponding organizations can make changes to the design and business process of the new project before they are set in stone

  9. The “Preferred” Approach of Adopting PIA • A Risk-Sector Specific Approach • Not all men are created equal. So is personal information! • The sense of importance for each industry may vary due to several factors including the culture of the people in the jurisdiction, relevant privacy laws and regulations, and available of resources • Government agencies are the natural choice since they are always public facing and whatever they do and how they handle personal information will be under the public eyes

  10. The Critical Success Factors of Having Mandatory PIA • Awareness and Education on PIA • Mass communication for awareness • Promotion through professional bodies • Lead by example from the public and private organizations

  11. The Critical Success Factors of Having Mandatory PIA • The making available of PIA experts • Relying on tertiary education to produce legal professionals with expertise in privacy laws is one solution, but it takes a long time to produce a rather small quantity. • The other solution is to allow professional associations from the industry to develop PIA or privacy consultants by certifications. • Complementing certifications to PIA consultants could be infosec related one such as CISSP and CISA • The expertise should be available at not only the central government level, but also at territorial level and specific industry with the requirements of domain knowledge.

  12. Conclusion • PIA can benefit the protection of personal data and privacy • It is more a question of how it can be done at what cost: • The answer to “how” involves who should be required first • The culture of the people may be a crucial determining factor on “how much” resources should be allocated for this as the concern of personal privacy is sometimes subjective and cultural

More Related