ISO/IEC 29134:2017 pdf download – Information technology — Security techniques — Guidelines for privacy impact assessment
5.2 Objectives of PTA reporting
The PIA reporting objective is to communicate assessment results to stakeholders. Expectations from a PIA exist from multiple stakeholders.
The following are typical examples of stakeholders and their expectations.
— P11 principal – PIA is an instrument to enable subjects of P11 to have assurance that their privacy is being protected.
— Management — Several viewpoints apply with
— PIA as an instrument to manage privacy risks, create awareness and establish accountability; visibility over P11 processing within the organization, and possible risks and impacts of the same; inputs to business or product strategy;
— Building the PIA into the earliest stages of the project ensures the privacy requirements are included in the functional and non-functional requirements, are achievable, viable and traced through change and risk management and may result in the project not happening or being cancelled. The effort to classify and manage project P11 should be funded as a separate investment line item and amount in a project or programme budget, acceptable to all stakeholders;
— PIA as an opportunity to better understand privacy requirements and assess activities against these requirements; inputs for product or service design and delivery; reviewed and amended through the change management process after delivery;
— PIA as an instrument to understand the privacy risks at the function/project/unit level; consolidation of risks; input to privacy policy design and enforcement mechanisms; inputs for re-engineering privacy processes.
— Regulator — PIA is an instrument that contributes evidence supporting compliance with applicable legal requirements. It can provide evidence of due diligence taken by the organization in case of breach, non-compliance, complaint, etc.
— Customer — PIA is a means to assess how the P11 processor or P11 controller is handling P11 and provides evidence that it follows the contractual obligations.
PIA reporting should fulfil two basic functions. The first (Inventory) keeps the specific stakeholders informed of identified affected entities, affected environment and privacy risks about the life cycle of the affected entities, whether it is inherent or mitigated. The second (Action items) is a tracking mechanism on the actions/tasks that improve and/or resolve the identified privacy risks. Sensitivity to the distribution and release of the reporting information needs to be clearly assessed and classified (private, confidential, public, etc.).
5.3 Accountability to conduct a PIA
A PtA should be undertaken of processes or information systems by one of a number of different entities within the organization, but may also be carried out on a process, information system or programme by consumer organizations or non-governmental organizations.
Typically, the responsibility for ensuring that a PIA is undertaken should, in the first instance, lie with the person in charge of P11 protection, otherwise with the project manager developing the new technology, service or other initiative that may impact privacy.
5.4 Scale ofa PIA The scale of the PIA will depend on how significant the impacts are assumed to be. For example, if the impacts are assumed to affect only employees of the organization (e.g. the organization may wish to improve its access control by means of a biometric such as a thumbprint from each employee), then the PIA could engage only employee representatives and be relatively small scale. However, if a government department wishes to introduce a new identity management system for all citizens, it will need to conduct a much larger PIA involving a wide range of external stakeholders. Organizations should provide self-assessment on the required scale of the PIA, in compliance with laws and regulations. The amount and granularity of the Pll per person, the degree of sensitivity of PlI, the number of PII principals and the number of people who have access to the PII that will be processed are the critical factors in determining this scale. In the case of SMEs, non-profit or governmental organizations, the determination of the appropriate scale of the PIA can be jointly, but not bindingly, achieved by the person conducting a PIA (as per 5.3), the SME’s senior management and/or advice from external experts as appropriate.