Scooped by Karl Wabst
onto Business Transformation!

In praise of privacy impact assessments « Privacy and information law blog
This may sound like an overstatement, but privacy impact assessments (PIAs) are likely to become the most vital item in the privacy professional's toolkit. Welcome to privacy management for the 21st century!

Karl Wabst's insight:

PIAs are a good operational control to protect the privacy of confidential data.

Important: PIAs are not limited to information technology.

Some legislation, e.g. HIPAA/HITECH, differentiates between privacy and security. You should too. The HIPAA Privacy Rule applies to any type of personal information covered by HIPAA. The Security Rule only applies to data in electronic format.

That's why I referred to PIAs as an operational control.

Relocation of filing cabinets or boxes of records may affect privacy impact, for example.

Does everything require a PIA? No. Some environments use another type of assessment, a Privacy Threshold Analysis (PTA), as the official determination of whether a system has privacy implications and whether additional privacy compliance documentation is required.

The PTA is built into departmental processes for technology investments and security. PTAs should expire and be reviewed and re-certified every few years, or when there is a major change to the system.

An information system is a defined set of resources that may consist of personnel, equipment, funds, and information technology.

See NIST publication SP 800-18, Guide for Developing Security Plans for Federal Information Systems, for guidance on creating a system security plan.


Curated by Karl Wabst