The term “privacy impact assessment” or PIA is commonly used by public sector entities to refer to an assessment of the privacy implications or risks associated with a new program or information technology system. According to the Government of Canada, a PIA is “a process used to determine how a program or service could affect the privacy of an individual. It can also help to avoid or lessen possible negative effects on privacy that might result from a program or service.” Private sector entities need to do the same work and take a ‘privacy by design’ approach to remain accountable for their information-handling practices, but more often refer to an overarching ‘privacy audit’ or review.
PRIVATECH works with public and private sector entities on such proactive privacy projects that seek to identify, rank and provide recommended remediation plans to address privacy compliance and best practice risks. For the purposes of this article let’s call them PIAs. A PIA is extremely valuable because it identifies personal information handling considerations which may drive project development, and the assessment findings can be used to standardize an auditable approach to privacy.
Traditional PIAs conducted by PRIVATECH in the past have comprised the following three key phases:
- Plan intake questions for various departments;
- Gather responses and conduct in-depth interviews; and
- Perform a risk assessment of controls in place to determine the probability of personal information being compromised and the impact such a privacy breach or concern would have on individuals and the organization.
Extensive privacy recommendations are thus provided for a system or process based on a certain point in time. Such a PIA is not always useful for today’s rapidly evolving information management frameworks. The traditional PIA report can end up becoming outdated quickly as new decisions are made and risks change, resulting in wasted time and resources.
Certainly what is often called a ‘conceptual PIA’ undertaken during the design phase of a project can identify risks before they arise and enable the seamless integration of privacy best practices into design. But in an information technology context, a comprehensive or ‘logical PIA’ mirrors the ‘waterfall method’ of software development, with a systematic and gated approach involving five stages: 1) defining requirements; 2) design; 3) implementation; 4) testing/verification; and 5) maintenance.
The waterfall method is now less popular because its deliberate step-by-step approach usually results in projects that are behind schedule and over budget.
A PIA for the Agile IT Environment
In the agile method to software development, developers create a program prototype, set up the software interface, and develop and release features over time. This more flexible approach not only allows for quicker release, but also makes it easier to offer features that can be independently reviewed and tweaked, rather than struggling with overwhelming development cycles to rework the whole program.
I have worked with many privacy officers who have made efforts to adapt PIAs to an agile IT environment, typically refreshing the PIA with each major redesign or new feature. This is often resource-intensive, so smaller feature changes are released by IT without any evaluation from a privacy standpoint. These numerous small changes can nonetheless pose significant privacy risks, substantially altering data flows. Because the program design is constantly evolving (each feature is developed in a development “sprint”), privacy officers find it difficult to keep track of new developments and to discern what needs to be re-assessed from a privacy perspective. This challenge very often results in tensions between software developers racing to release a new feature and privacy officers/stakeholders arguing for checkpoints for compliance evaluation.
Sprint to the Finish
What is needed is continuous assessment based on an identification of risk, and rapid advice on an as-needed basis. It is critical that privacy professionals stay agile as industries continue to undergo digital transformation.
This is doable! Privacy officers or their consultants/representatives should ensure that each sprint addresses privacy and security in user stories and back-end data flows. Privacy and security features must be tested and validated at the end of each sprint. While challenging for privacy specialists, agile offers new opportunities to engage in the development process. So it's important to embrace agile, as this will improve the privacy position of information systems and reduce the risk of privacy breaches. Technology teams would be wise to bring their privacy professional to the design and decision-making tables throughout the product development lifecycle.
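One way to make the “what needs to be re-assessed?” question mechanical at the end of each sprint is to keep a small manifest of the personal-data elements a feature touches and diff it against the previous sprint. The following is an added example, not PRIVATECH’s tooling and not part of the original article; the manifest format, the sensitive-category list, the set of internal systems and the sample sprints are all constructed for illustration. It flags the changes the article describes as risky (new sensitive data entering a flow, data newly sent to an outside party, a change of purpose) as triggers for a full privacy review, while routine internal additions or removals only get logged.

```python
"""Sprint-level privacy threshold check over data-flow manifests (example code).

A manifest maps element name -> DataElement for one feature or sprint. Comparing
the previous and current manifests yields the data-flow changes; a few rules then
decide whether the sprint can ship with a note or needs a full privacy review.
The category names, internal-system list and rules are assumptions, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Categories whose first appearance in a flow always warrants a full review (assumed).
SENSITIVE_CATEGORIES = {"health", "financial", "biometric", "government_id"}
# Destinations inside the organisation's own boundary (assumed); anything else is external.
INTERNAL_SYSTEMS = {"auth-db", "crm-db", "internal-warehouse"}


@dataclass(frozen=True)
class DataElement:
    name: str
    category: str               # e.g. "contact", "identifier", "health"
    purpose: str                # why the element is collected or processed
    destinations: FrozenSet[str]  # systems or parties the element is sent to


Manifest = Dict[str, DataElement]
Change = Tuple[str, str, str]  # (kind, element name, detail)


def diff_flows(previous: Manifest, current: Manifest) -> List[Change]:
    """List every data-flow change between two sprint manifests."""
    changes: List[Change] = []
    for name, elem in current.items():
        old = previous.get(name)
        if old is None:
            changes.append(("added", name, elem.category))
            for dest in sorted(elem.destinations):
                changes.append(("new_destination", name, dest))
            continue
        if elem.purpose != old.purpose:
            changes.append(("purpose_changed", name, f"{old.purpose} -> {elem.purpose}"))
        for dest in sorted(elem.destinations - old.destinations):
            changes.append(("new_destination", name, dest))
    for name in sorted(previous.keys() - current.keys()):
        changes.append(("removed", name, previous[name].category))
    return changes


def threshold_assessment(previous: Manifest, current: Manifest) -> dict:
    """Apply threshold rules to the diff and say whether a full review is needed."""
    changes = diff_flows(previous, current)
    reasons: List[str] = []
    for kind, name, detail in changes:
        if kind == "added" and detail in SENSITIVE_CATEGORIES:
            reasons.append(f"{name}: new sensitive data ({detail}) enters the flow")
        elif kind == "new_destination" and detail not in INTERNAL_SYSTEMS:
            reasons.append(f"{name}: now disclosed to external party {detail}")
        elif kind == "purpose_changed":
            reasons.append(f"{name}: purpose changed ({detail}); check notice and consent")
    # Removals and internal-only additions are logged but do not block the sprint.
    return {"changes": changes, "full_review": bool(reasons), "reasons": reasons}


# Constructed sample manifests for two consecutive sprints.
SPRINT_7: Manifest = {
    "email": DataElement("email", "contact", "account_login", frozenset({"auth-db"})),
    "display_name": DataElement("display_name", "identifier", "profile_page", frozenset({"crm-db"})),
}
SPRINT_8: Manifest = {
    # Same purpose, but the address now also goes to an outside mailing vendor.
    "email": DataElement("email", "contact", "account_login", frozenset({"auth-db", "mail-vendor"})),
    "display_name": SPRINT_7["display_name"],
    # A "small" feature change that adds health data and ships it to a vendor.
    "health_conditions": DataElement("health_conditions", "health", "wellness_tips",
                                     frozenset({"analytics-vendor"})),
    # Routine internal addition: no review trigger on its own.
    "postal_code": DataElement("postal_code", "contact", "profile_page", frozenset({"crm-db"})),
}

if __name__ == "__main__":
    result = threshold_assessment(SPRINT_7, SPRINT_8)
    for change in result["changes"]:
        print("change:", change)
    print("full review required:", result["full_review"])
    for reason in result["reasons"]:
        print("reason:", reason)
```

Run against the two sample sprints, the check reports five data-flow changes and three review triggers; a sprint that only removes an element or adds an internally held non-sensitive field passes with the change logged, which is the continuous, risk-based advice the article calls for rather than a full PIA rewrite each time.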
PRIVATECH has moved to providing threshold privacy assessments for many clients, focusing on providing continuous feedback and privacy advice. For more information, contact PRIVATECH.