persona impact assessment training (ii): introduction to ... · ‘architecture’ framework:...

Simone CASIRAGHI, Dariusz KLOZA, Alessandra CALVI

Vrije Universiteit Brussel (VUB)

Research Group on Law, Science, Technology & Society (LSTS)

Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab)

20 May 2020

online

PERSONA impact assessment training (II):introduction to impact assessment

Agenda

▪ the concept of impact assessment▪ context

▪ rationale

▪ history

▪ structure

▪ the framework (conditions and principles)

▪ the method

▪ integration of impact assessment

▪ Q&A

The concept of impact assessment

(1)

Impact assessment

(Kloza et al. 2017: 1)

Evaluation techniques

impact assessment

▪ technology

▪ environment

▪ regulation

▪ health

▪ privacy

▪ personal data protection

▪ surveillance

▪ social

▪ …

▪ risk appraisal

▪ value sensitive design

▪ cost-benefit analysis

▪ SWOT analysis

▪ …

Context

▪ Why did these methods proliferate?

▪ Growing invasiveness of techs

▪ Increasing importance of processing of personal data

▪ Less trust in emerging techs by the public

▪ …

▪ Contributions to:

▪ Informed decision-making

▪ Enhance participation

▪ Balancing of competing interests

▪ Iterative process

▪ …

Critiques

▪ Unnecessary burden

▪ Lack of guidance

▪ Compliance exercise

▪ They happen too late

▪ insufficient participation

▪ Limited transparency

▪ …

Supporting the conduct of D/PIA

▪ frameworks, handbooks, guidelines, manuals, …

▪ templates, questionnaires

▪ awareness-raising, education, training, …

▪ academic & professional literature, policy documents, …

▪ bilaterals, word-of-mouth

▪ advice & feedback from DPAs (‘reference centres’)

▪ software for the automation of D/PIA process

▪ …

Legal requirements in the EU for D/PIA

▪ 1995 Art 20 Directive 95/46 (prior checking)

▪ 2009 RFID

▪ 2012 smart grids

▪ 2016 Arts 35-36 GDPR

▪ 2016 Art 27 Directive 2016/680

▪ 2018 Arts 39-40 & Art 42 Regulation 2018/1725

▪ 2019 Recital 53 re-use PSI Directive 2019/1024

▪ 2020 Art 6 ePrivacy Regulation (proposal)

▪ …

The framework for impact assessment

(2)

‘Architecture’

▪ framework: conditions and principles

▪ method: procedure for accomplishing the assessment process

▪ model/template: a document to fill-in to prepare a report from the assessment process

▪ benchmark: societal concern(s) against which an initiative is assessed▪ e.g. human rights, privacy, personal data, ethics, societal concerns, …

▪ guidelines (handbooks, manuals): practical support material

▪ …

The framework

1. systematic process

2. considers the relevant societal concerns

3. not everything needs it

4. uses the appropriate method

5. includes recommendations

6. a best efforts obligation

7. relies on sufficient knowledge and know-how

8. documented & transparent

9. deliberative

10. accountable

11. assessor is independent

12. simple

13. adaptive

14. inclusive

15. receptive

16. grows in supportive environment

1. Systematic process

▪ appropriate method

▪ prior (ex ante) & continuous → ‘living instrument’

2. Societal concerns

▪ relevant societal concerns (individual and collective, commensurate with its type)▪ natural & human environment

▪ technology development

▪ regulation

▪ privacy

▪ personal data

▪ …

▪ multiple types/processes vs. single, integrated one

3. Not everything requires it

▪ criteria▪ nature of the envisaged initiative

▪ scope

▪ context

▪ purpose

▪ number/types of affected individuals

▪ …

▪ rational compulsion▪ e.g. possible severe negative consequences

4. Appropriate method

▪ no ‘silver bullet’ method

▪ possible methods:▪ risk management

▪ qualitative

▪ quantitative

▪ scenario planning

▪ scientific foresight

▪ (legal/regulatory) compliance check

▪ SWOT analysis

▪ CBA

▪ …

5. Consequences & recommendations

▪ consequences (‘impacts’)

▪ in the future

▪ positive vs. negative (typically, risks)

▪ intended/unintended

▪ individual/collective

▪ …

▪ final goal: to recommend possible solutions to address possible consequences

6. ‘Best effort’ obligation

▪ absolute mitigation of negative impacts is impossible

▪ absolute maximization of positive impacts is impossible

▪ obligation of means vs. obligation of result

▪ limitations▪ state-of-the-art

▪ information

▪ available resources

▪ …

7. Competences & qualifications

▪ assessor(s) possess:▪ sufficient knowledge → multiple experts needed

▪ sufficient know-how

▪ appropriate qualifications

▪ …

8. Documentation

▪ reasonable transparency

▪ (free and unrestricted) public access▪ the mere fact of the assessment process in place

▪ terms of reference

▪ progress

▪ …

▪ yet: legitimate secrecy▪ state secrets

▪ trade secrets

▪ personal data

▪ otherwise privileged information

9. Deliberative process

▪ public (stakeholder) participation▪ internal/external

▪ individuals/organizations

▪ levels of involvement ▪ information

▪ consultation

▪ co-decision

▪ information given and sought is robust, accurate and inclusive

▪ effective means of challenge (contestability)

10. Accountability

▪ (formal) responsibility of decision-makers for:▪ choice of the method▪ choice of the assessors▪ …

▪ (substantive) responsibility of decision-makers for:▪ approval of the results▪ monitor implementation▪ nb. typically beyond the impact assessment process

▪ quality control▪ internal▪ external

▪ non-compliance and malpractice are sanctioned

11. Independence of the assessor

▪ assessor(s) do(es) not receive nor seek(s) any instruction

▪ sufficient resources at their disposal▪ time

▪ money

▪ workforce

▪ knowledge

▪ know-how

▪ premises

▪ infrastructure

12. Simplicity

▪ structured process

▪ coherent

▪ understandable

▪ avoidance of prescriptiveness

▪ avoidance of over-complication

▪ avoidance of the abuse of resources

▪ …

13. Adaptiveness

▪ no „one size fits all”

▪ criteria:▪ initiative under assessment

▪ sponsoring organization

▪ geographical differences

▪ cultural differences

▪ …

14. Inclusiveness

▪ stakeholders

▪ expert and layman knowledge

▪ relevant societal concerns

▪ relevant development phases▪ design

▪ development

▪ deployment

▪ …

15. Receptiveness

▪ previous experience

▪ parallel evaluation techniques

▪ knowledge from related disciplines

▪ …

16. Supportive environment

▪ support from policy-makers▪ e.g. guidance

▪ willingness of decision-makers

▪ cooperation of stakeholders

▪ …

The method for impact assessment

(3)

Generic method

❑ 10 steps grouped in 5 phases → Process

Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019

Step 1. Screening – Threshold analysis

Initial description of an initiative

to determine if IA is warranted or necessary

❑ warranted (e.g. public pressure)

❑ necessary (e.g. required by law)


Step 2. Scoping

Initial description of an initiative

to identify:

❑ societal concerns touched by an initiative (e.g. data protection, ethics, privacy)

❑ stakeholders and their level of involvement (Step 7)

❑ appraisal techniques (i.e. methods) to be used in the process (Step 5) (e.g. risk analysis, n&p, CBA, scenario analysis)

❑ other evaluation techniques (e.g. eIA, PIA, DPIA, integrated impact assessments)


Step 3. Planning and Preparation

To identify:

❑ IA goals

❑ acceptability of negative impacts

❑ resources (time, money, workforce, knowledge, know-how, premises, infrastructure)

❑ procedures and time-frames

❑ assessors (in-house or outsourced), roles and responsibilities

❑ (business) continuity


Step 4. Description

On the basis of the preliminary

❑ contextual (e.g. overview of initiative and organisation, need of initiative, context of deployment, interferences with societal concerns (see Step 2 Scoping))

❑ technical


Step 5. Appraisal of impacts

To be performed according to the preselected techniques (Step 3):

❑ identification

❑ analysis

❑ evaluation

of impacts


Step 6. Recommendations

To define:

❑ concrete measures to minimise negative impacts (and maximise positive ones), their addressees, priority and time-frames

❑ whether to proceed or not


Step 7. Stakeholders involvement

❑ who is a stakeholder? someone who is/might be affecting/affected by an initiative, positively or negatively

❑ why involve stakeholder? (robustness and completeness of decision making process)

❑ which level of involvement? (e.g. information, consultation, co-decision)

❑ which techniques? (e.g. questionnaires, workshops, roundtables)


Step 8. Documentation

To demonstrate accountability and/or legal compliance

(e.g. registry of impacts, statement of non significant impact, final report)


Step 9. Quality control

to ensure adherence to standards of performance (internal or external, during the process or aftewards)


Step 10. Revisiting

To decide whether to conduct the process again or in part


From generic method to IAM PERSONA

❑ tailoring down

❑ integrating impact assessments

Tailoring down - method for DPIA (GDPR)

1. threshold▪ criterion 1: high risk YES▪ criterion 2: specific cases (3) YES▪ criterion 3: (national) exclusion list NO▪ criterion 4: (national) inclusion list YES▪ criterion 5: already carried out NO▪ criterion 6: professionals NO▪ *criterion 7: codes of conduct YES/NO

2. description▪ technical▪ contextual

3. appraisal▪ necessity & proportionality▪ risks to the rights & freedoms

of individuals (all relevant human rights)

4. stakeholder involvement

▪ when appropriate, data subjects or their representatives

▪ due respect for legitimate secrecy

▪ if appointed, consultation with a DPO

5. recommendations: measures envisaged to:

▪ address the risks

▪ ensure personal data protection

▪ ensure compliance with the GDPR

6. prior consultation

▪ high residual risk

▪ possible ban of processing

7. re-visiting

▪ when necessary

Tailoring down - method for DPIA (LED)

1. threshold

▪ criterion: high risk YES

2. description

▪ general

3. appraisal

▪ risks to the rights & freedoms of individuals (all relevant human rights)

4. stakeholder involvement

▪ if appointed, consultation with a DPO

5. recommendations: measures envisaged to:

▪ address the risks

▪ ensure personal data protection

▪ ensure compliance with the LED

6. prior consultation

▪ high residual risk

▪ national list

Tailoring down - IAM PERSONA

genericmethod

DPIA in GDPR

DPIA in LED

PIA

eIA

Social acceptance

Integration of impact assessment

(4)

benchmark

Integrated impact assessment

▪ “everything is inherently interconnected” -> comprehensive & integrated assessment

▪ cost-efficiency

▪ inclusion of benchmark(s) not required by law

yet:

▪ not merely the sum of societal concerns

▪ internal consistency

▪ internal coherence (not contradictory)

▪ possible subordination of assessment domains

Phase II

4) Description Systematic description of envisaged processing operations [Art 35(7)(a) GDPR & Art. 39(7)(a) EUDPR]

Or Generic description of envisaged processing operations (LED & Art. 89 EUDPR)

And Technical description of processing operation

Broader ‘big picture’ description of the initiative (relevant ethical, privacy and societal issues not covered by data protection)

5) Appraisal of impacts Necessity & Proportionality + Risk assessment (GDPR & Art. 39 EUDPR) Risk assessment (LED and Art. 89 EUDPR)

-Applied Ethics -Ethical Checklist approaches -Participatory methods -Stakeholders consultation -Scenario-based approaches

-Risk assessment -Cost-benefit analysis (CBA)

Phase III

6) Recommendations Measures envisaged to address the risks AND demonstrate compliance with data protection rules

Broader scope recommendations that do not fall under data protection recommendations

Phase IV (on going)

7) Stakeholder involvement Identify, define the level of involvement and Involve stakeholders at different phases of the process

8) Documentation Document the IA process

9) Quality control Check the quality of the IA process (internally or externally)

10) Revisiting Revise the IA process

Steps DPIA Ethical IA (including social acceptance)

PIA

Phase I

1) Screening -Legally binding -4 iterations: § GDPR: 6 criteria to

consider § LED: 1 criterion § EUDPR: 5 criteria to

consider § EUDPR: 1 criterion for

AFSJ

-Not legally binding -Threshold analysis questionnaire

-Not legally binding -Threshold analysis questionnaire

2) Scoping -Narrow down the benchmark to relevant legal statutes -Identify appraisal techniques for: § Risk to a right § Necessity and

proportionality test

-Narrow down the benchmark to relevant ethical principles -Identify appraisal techniques for ethical issues

-Narrow down the ethical benchmark to relevant privacy issues -Identify appraisal techniques for privacy issues

-Identify stakeholders -Identify stakeholders involvement techniques

3) Planning Determine scale, budget, composition of the team

Example

Integration

To sum up: Impact Assessment Architecture

1) Framework

2) Method

3) Template/Model

These are the steps you need to follow to carry out the process at your premises

Next session: focus on appraisal techniques and stakeholders’ involvement (May 25 2020)

[email protected]@[email protected]@[email protected]

LSTS.research.vub.be dpialab.org @dpialab

Thank you!

mailto:[email protected]





persona impact assessment training (ii): introduction to ... · ‘architecture’ framework:...

Documents