Saturday, November 04, 2006

Surveillance Society

Whilst there has been much debate about living in a surveillance society (particularly as highlighted in the 28th International Conference on Data Potection Commissioners), and the strategies that could be adopted in regulating such surveillance, one of the interesting aspects that arose from the report (pdf) commissioned by the Information Commissioner is the idea of a privacy impact assessment test (PIA) and even a surveillance impact assessment test. There is quite a lot to digest from this report, but here is an excerpt on the PIA:

‘an assessment of any actual or potential effects that an activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated’;
• ‘a process. The fact of going through this process and examining the options will bring forth a host of alternatives which may not otherwise have been considered’;
• an approach and a philosophy that holds promise by instilling a more effective culture of understanding and practice within organisations that process personal data;
• a form of risk-assessment, which therefore cannot escape the uncertainties of identifying and estimating the severity and likelihood of the various risks that may appear, to privacy, life-chances, discrimination equality and so on;
• a tool for opening up the proposed technologies or applications to in-depth scrutiny, debate and precautionary action within the organisation(s) involved;
• like PETs, premised on the view that it is better to build safeguards in than to bolt them on;
• an early-warning technique for decision-makers and operators of systems that process personal information, enabling them to understand and resolve conflicts between their aims and practices, and the required protection of privacy above or the control of surveillance;
• ideally, a public document, leading to gains in transparency and in the elevation of public awareness of surveillance issues and dangers may be realised; in turn, it may assist regulatory bodies in carrying out their work effectively.

A further point that should be added and noted in the report is that a PIA is not a compliance audit.

PIA should not be confused with compliance audits and the like, which are usually ex post facto and legally-oriented; as with environmental impact assessment, PIA assesses the likely impact of technology applications or new systems in the future, and considers a wider range of criteria.

For further reading, see pages 89 onwards in the report. Some countries such as Canada and Australia already have PIAs, but it remains to be seen whether PIAs will be adopted in the UK. See also:

No comments: