Out-Law News
08 Jun 2009, 5:11 pm
After HM Revenue and Customs lost 25 million people's personal data on two CDs in 2007, the Government agreed that all departments would undertake privacy impact assessments before creating new systems or modifying the way they handle personal information.
The ICO has launched a guide to such assessments for organisations and has called on them to undertake assessments in the same way that Government departments must now do.
"The ICO encourages all organisations to incorporate data protection safeguards into any new project involving personal information," an ICO statement said.
Privacy impact assessments help organisations to discover at the outset of new systems design what effect changes will have on the personal information they store and process.
"It is essential that before introducing new systems and technologies, which could accelerate the growth of a surveillance society, full consideration is given to the impact on individuals and that safeguards are in place to minimise intrusion," said Jonathan Bamford, assistant commissioner at the ICO.
"For the public to have trust in an organisation, individuals must be confident that their information is held securely and processed in line with the Data Protection Principles," he said. "Each time someone gives away their personal information this not only puts the data at risk, they can leave a footprint creating a detailed picture of aspects of their daily lives."
The ICO has published an updated PIA [privacy impact assessment] handbook to guide organisations through the process of conducting an assessment.
"Government and corporate reputations can be fragile and easily undermined," says the handbook. "In order to maintain and enhance their reputations these organisations need to act responsibly in relation to key issues like privacy, and to be seen to be acting responsibly. Experience shows that once an organisation’s reputation is damaged and trust is lost it is then very hard to regain that trust."
"Privacy now poses risks which need to be professionally managed in a similar way to other categories of risk. Organisations that handle personal data need to monitor their ongoing operations, whether they are dealing with clients, employees, or the public in general," it says.
Bamford said that improvements to the handbook are designed to help organisations to make sure they conduct proper assessments.
"The new PIA handbook is more accessible and will aim to assist organisations in protecting people’s personal information and ensuring that privacy safeguards are built into systems at the outset rather than bolted on as an inadequate and expensive afterthought," he said.