What do we mean by ‘privacy risks’?
The enormous increases in the collection, storage, use and disclosure of personal data, and the imposition of many intrusive technologies, have caused increased concern about individual privacy.
Privacy risks fall into two categories.
i. Risks to the individual as a result of contravention of their rights in relation to privacy, or loss, damage, misuse or abuse of their personal information.
ii. Risks to the organisation as a result of:
- perceived harm to privacy;
- a failure to meet public expectations on the protection of personal information;
- retrospective imposition of regulatory conditions;
- low adoption rates or poor participation in the scheme from both the public and partner organisations;
- the costs of redesigning the system or retro-fitting solutions;
- collapse of a project or completed system;
- withdrawal of support from key supporting organisations due to perceived privacy harms; and/or
- failure to comply with the law, leading to:
  - enforcement action from the regulator; or
  - compensation claims from individuals.
Recognising privacy risks
It is important to note that any collection, use or disclosure of personal information has the potential to pose a risk to personal privacy. Sometimes those risks are not obvious, and as a result it can be easy to overlook them or to address them inadequately.
If the project design has reflected a strong understanding of privacy issues, it is possible that the participants in the consultation processes may agree to the design.
However, because of project complexities and the diversity of interests among stakeholders, the consultation processes may sometimes create the need for parts of the project and its design to be re-considered.
This section provides some guidance on the type of risks, impacts and vulnerabilities you might look for when designing a project or conducting a PIA.
Broad personal information issues, including:
- The nature of the personal information. This could include “sensitive personal data” as defined by the Data Protection Act 1998, but also personal financial information, family structures, home and personal email addresses, information about persons considered “at risk”, travel plans etc.
- The quality of personal information. This includes characteristics of the information itself, such as accuracy, relevance and adequacy. The further personal information moves from its original context, the greater the likelihood it can be misinterpreted. The quality of information also raises questions about data matching and mining, whether you are matching like with like and the number of false matches which may be produced.
- The meaning behind terms used in personal information. This takes into account that terms used can be context or sector specific. Variations in the meaning of apparently similar terms may give rise to misunderstandings or errors, which in turn could result in harm or disadvantage to the individual. This area would also include examining metadata attached to personal information.
- The retention, deletion and destruction of personal information. How long do your business needs require retention of information? Are there legal obligations to dispose of or retain data? Do you need to keep information to counter legal claims or for audit and inspection purposes? Can your organisation make better use of ‘soft deletion’, where after the original purpose has been met, access to the information is much more tightly controlled until the organisation can permanently delete it?
- The protection of personal information. This includes the effectiveness of privacy protections. An effective privacy protection regime requires all of the following to be in place:
  - clear specifications of privacy protections;
  - clear prohibitions against breaches of protections;
  - clear sanctions or penalties for breaches of protections;
  - mechanisms in place to detect and report breaches; and
  - resources for investigating breaches and applying sanctions.
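The ‘soft deletion’ lifecycle described under retention above, as an added illustration that is not part of the handbook: once the original purpose is met, the record stays but reads are restricted to designated roles with a stated reason and are logged, and the record is permanently purged when the post-purpose retention period ends. The role names, the one-year retention period and the sample record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values: retention after the purpose is met (e.g. to answer
# legal claims or audits) and the roles allowed to read a soft-deleted record.
RETENTION_AFTER_PURPOSE = timedelta(days=365)
RESTRICTED_ROLES = {"data-protection-officer", "legal"}


class AccessDenied(Exception):
    pass


@dataclass
class PersonalRecord:
    subject_id: str
    payload: dict
    state: str = "ACTIVE"          # ACTIVE -> SOFT_DELETED -> PURGED
    soft_deleted_on: Optional[date] = None
    access_log: list = field(default_factory=list)

    def soft_delete(self, today: date) -> None:
        """Original purpose met: keep the data but tighten access from now on."""
        if self.state == "ACTIVE":
            self.state, self.soft_deleted_on = "SOFT_DELETED", today

    def read(self, actor: str, role: str, reason: str, today: date) -> dict:
        """ACTIVE: any role may read. SOFT_DELETED: restricted roles with a
        reason only, every attempt logged. PURGED: nothing left to read."""
        if self.state == "PURGED":
            raise AccessDenied("record purged")
        if self.state == "SOFT_DELETED" and (role not in RESTRICTED_ROLES or not reason):
            self.access_log.append((today, actor, role, "DENIED"))
            raise AccessDenied("access restricted after soft deletion")
        self.access_log.append((today, actor, role, reason, "OK"))
        return dict(self.payload)

    def purge_if_due(self, today: date) -> bool:
        """Permanently delete once the post-purpose retention period has elapsed."""
        if self.state == "SOFT_DELETED" and today - self.soft_deleted_on >= RETENTION_AFTER_PURPOSE:
            self.payload, self.state = {}, "PURGED"
            return True
        return False


def demo() -> list:
    """Walk one constructed record through the lifecycle; returns the observed events."""
    rec = PersonalRecord("subj-0001", {"name": "A. Example", "address": "1 Sample St"})
    d0, events = date(2024, 1, 10), []
    rec.read("clerk1", "caseworker", "", d0)                 # ordinary use while ACTIVE
    events.append(rec.state)
    rec.soft_delete(d0)                                      # purpose met
    try:
        rec.read("clerk1", "caseworker", "", d0 + timedelta(days=1))
    except AccessDenied:
        events.append("denied")                              # ordinary role now refused
    rec.read("dpo1", "data-protection-officer", "subject access request", d0 + timedelta(days=2))
    events.append(rec.purge_if_due(d0 + timedelta(days=100)))  # still within retention
    events.append(rec.purge_if_due(d0 + timedelta(days=400)))  # retention over: purged
    events.append(rec.state)
    return events
```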
Issues around identification of the individual, including:
- the multiple use of different identifiers;
- the denial of anonymity, identifying individuals where it is only necessary to authenticate rights to benefits, access and services;
- identifiers that directly disclose personal data, for example embedded date-of-birth;
- identifiers linked with authenticators, such as credit card number plus additional details, because that creates the risk of identity fraud and in extreme cases even identity theft; and
- the use of biometric identifiers.
Function creep, beyond the original context of use, in relation to the use of personal information or the use of identifiers.
Registration and authentication processes, including the burden such processes impose, their intrusiveness, and the exercise of power by government over individuals.
Surveillance, whether audio, visual or by means of data, whether electronically supported or not, and whether the observations are recorded or not.
Location and tracking, whether within geographical space or on networks, even where it is performed incidentally, and especially where it gives rise to a record. From the perspective of privacy protection, there are considerable benefits in decentralisation rather than centralisation. The benefits include:
- reducing the risk of function creep;
- enabling the application of access controls;
- encouraging a focus on relevancy;
- reducing the misinterpretation of data due to a loss of context; and
- increasing the likelihood of prompt data destruction when it is no longer required.
Where a project involves centralising information, it is important that there is clear justification. Further, those who want to use information in a more speculative manner (such as ‘statistical analysis’, ‘management reporting’ and ‘data mining’) need to be challenged for greater detail, and to show that benefits will be achievable. Once a case for centralisation has been established, it is necessary to identify, assess and balance the disadvantages.
Intrusions into the privacy of the person, especially compulsory or pseudo-voluntary (such as in employment relationships) yielding of tissue and body-fluid samples, and biometric measurement. It is highly advisable to document the issues which are identified.
Persons at risk, and vulnerable populations
Some people, in some circumstances, face particularly serious risks if their personal data is disclosed. This applies especially to their physical location or data that may result in disclosure of their physical location. It may also apply to, for example, health care or financial data. Useful generic terms for people to whom this applies are ‘persons at risk’ and ‘vulnerable populations’.
Categories of persons whose physical safety is at risk include:
- people who are under the direct threat of violence, including:
  - people concealing themselves from previous criminal associates;
  - victims of domestic violence;
  - protected witnesses; and
  - people who have been the subject of threats to their safety.
- celebrities, notorieties and VIPs, including:
  - entertainers and sportspeople;
  - people ‘in the public eye’, such as lottery winners; or
  - those who publicly promote controversial views.
- people in security-sensitive roles, such as:
  - national security operatives;
  - undercover police;
  - prison warders; and
  - staff in psychiatric institutions.
Even where physical safety is not under threat, care may still be needed in respect of ‘vulnerable populations’, some of whom may find it difficult to exercise control over their personal data. Examples might include younger children or adults who lack the capacity to provide consent. Your organisation might also want to consider the difficulties faced by individuals who are homeless, those who are or have recently been in prison, or refugees. Certain health conditions might also put individuals at risk if inappropriately disclosed.
Issues around the exercise of rights by individuals, such as whether personal information can be quickly and expediently identified, accessed, corrected or deleted. You should also consider whether an individual is disadvantaged in any way if they choose to assert their rights.
Future economic and social developments can also be considered.
Relevant legal considerations need to be taken into account, including liabilities that may arise and changes to regulatory impositions which may be necessitated by the project or by the public reaction to your project.
The conclusions regarding design features should be documented in the ‘issues register’, and provided to the project team as a whole. This is described in the later activities of the consultation and analysis phase.