Other formats: See the video associated with this guide here. Access this guide in PDF here.

Privacy Impact Assessments

This guide will help you understand a Privacy Impact Assessment (PIA) and contains the PIA guidance and template used at Mercy Corps. The PIA template contains a series of questions that create a framework for identifying the potential privacy risks related to data collection and management that are part of implementing a new program or technology. A PIA is also important when the context of a program changes significantly and new risks or scenarios need to be considered.

A PIA is required anytime a new program, project, or technology involves the collection or use of personal or sensitive data.

Importance

A PIA allows you to analyze how a particular project or new technology will affect the privacy of the individuals involved. A PIA also helps to document mitigation strategies that protect participants' privacy and strengthen public confidence in our work. A PIA ensures that potential problems are identified early on, when addressing them will be simpler, less costly, and will not risk harming program participants or staff.

Principles

The principles behind a PIA are similar to those for any secure use of personal data. Below are some key principles that have been adapted from the Cash Learning Partnership (CaLP):

  • Identify the privacy risks to individuals.
  • Identify the privacy and data protection compliance liabilities for your organization.
  • Demonstrate accountability and compliance with the policies that protect program participants, partners, and staff.
  • Ensure that the organization is promoting the right to privacy in its humanitarian activities and acting as an ethical data steward.

Guidance

Mercy Corps' staff can find the PIA Guidance here in the Digital Library. The document contains answers to frequently asked questions related to PIAs and links to the internal Mercy Corps archive of completed PIAs for comparison. Mercy Corps' PIA Guidance is available to anyone in English, Arabic, Spanish, French, Russian, Polish, and Ukrainian.

Remember that:

  • A PIA is a process used to identify and minimize privacy risks. Completing a PIA form is not the end of the process! Revisit the form after your project starts to make sure no changes to the project have introduced new risks. If they have, go through the process of documenting mitigation strategies again to minimize any new risk.
  • Conducting a PIA involves working with people at Mercy Corps, and sometimes with partner organizations and others to identify and reduce privacy risks. For example, if you are using a new technology, you may need to research whether the company you are working with has a privacy policy and what technological safeguards they use to ensure data is protected. You may also need to educate yourself about relevant privacy regulations in your country of operation. Three websites that you can use to monitor national-level data and privacy laws are:
  • It can be helpful to compare PIAs of similar programs. You can conduct this research on your own or reach out to the Data Protection and Privacy team for assistance.

Templates

Mercy Corps' staff can find the long-form PIA Template here in the Digital Library. The long-form PIA Template is available to anyone in English, Arabic, Spanish, French, Russian, Polish, and Ukrainian.

Each long-form PIA template includes five use cases, which are explained below. Clicking the links below will take you to a screen where anyone can download English versions of the individual use cases in the .odt format (compatible with Microsoft Word and open source applications like OpenOffice and LibreOffice) by clicking View raw or the Download button.

  • a new Policy
  • a new Process or Procedure
  • a new Software or Technology System
    • This is primarily for implementation of new global, country-wide or team-specific systems.
    • If you are selecting or using a new system as part of a larger project or program, use the project or program option instead.
  • a new Vendor or Partner
    • This is primarily meant for validation of a vendor, partner, or third party’s activities as part of a unique or one-time activity.
    • If you are selecting or using a new vendor, partner or third party as part of a larger project or program, use the project or program option instead.
  • a new Project or Program
    • This can be for any phase or aspect of a project or program.
    • This is the most comprehensive PIA option, and includes language for also selecting new software or tech systems, and/or a new vendor or partner.

Further Assistance