Simone CASIRAGHI, Dariusz KLOZA, Alessandra CALVI
Vrije Universiteit Brussel (VUB)
Research Group on Law, Science, Technology & Society (LSTS)
Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab)
20 May 2020
online
PERSONA impact assessment training (II): introduction to impact assessment
Agenda
▪ the concept of impact assessment
  ▪ context
  ▪ rationale
  ▪ history
  ▪ structure
▪ the framework (conditions and principles)
▪ the method
▪ integration of impact assessment
▪ Q&A
The concept of impact assessment
(1)
Impact assessment
(Kloza et al. 2017: 1)
Evaluation techniques
impact assessment
▪ technology
▪ environment
▪ regulation
▪ health
▪ privacy
▪ personal data protection
▪ surveillance
▪ social
▪ …
▪ risk appraisal
▪ value sensitive design
▪ cost-benefit analysis
▪ SWOT analysis
▪ …
Context
▪ Why did these methods proliferate?
▪ Growing invasiveness of techs
▪ Increasing importance of processing of personal data
▪ Less trust in emerging techs by the public
▪ …
▪ Contributions to:
▪ Informed decision-making
▪ Enhance participation
▪ Balancing of competing interests
▪ Iterative process
▪ …
Critiques
▪ Unnecessary burden
▪ Lack of guidance
▪ Compliance exercise
▪ They happen too late
▪ insufficient participation
▪ Limited transparency
▪ …
Supporting the conduct of D/PIA
▪ frameworks, handbooks, guidelines, manuals, …
▪ templates, questionnaires
▪ awareness-raising, education, training, …
▪ academic & professional literature, policy documents, …
▪ bilaterals, word-of-mouth
▪ advice & feedback from DPAs (‘reference centres’)
▪ software for the automation of D/PIA process
▪ …
Legal requirements in the EU for D/PIA
▪ 1995 Art 20 Directive 95/46 (prior checking)
▪ 2009 RFID
▪ 2012 smart grids
▪ 2016 Arts 35-36 GDPR
▪ 2016 Art 27 Directive 2016/680
▪ 2018 Arts 39-40 & Art 42 Regulation 2018/1725
▪ 2019 Recital 53 re-use PSI Directive 2019/1024
▪ 2020 Art 6 ePrivacy Regulation (proposal)
▪ …
The framework for impact assessment
(2)
‘Architecture’
▪ framework: conditions and principles
▪ method: procedure for accomplishing the assessment process
▪ model/template: a document to fill-in to prepare a report from the assessment process
▪ benchmark: societal concern(s) against which an initiative is assessed
  ▪ e.g. human rights, privacy, personal data, ethics, societal concerns, …
▪ guidelines (handbooks, manuals): practical support material
▪ …
The framework
1. systematic process
2. considers the relevant societal concerns
3. not everything needs it
4. uses the appropriate method
5. includes recommendations
6. a best efforts obligation
7. relies on sufficient knowledge and know-how
8. documented & transparent
9. deliberative
10. accountable
11. assessor is independent
12. simple
13. adaptive
14. inclusive
15. receptive
16. grows in supportive environment
1. Systematic process
▪ appropriate method
▪ prior (ex ante) & continuous → ‘living instrument’
2. Societal concerns
▪ relevant societal concerns (individual and collective, commensurate with its type)
  ▪ natural & human environment
  ▪ technology development
  ▪ regulation
  ▪ privacy
  ▪ personal data
  ▪ …
▪ multiple types/processes vs. single, integrated one
3. Not everything requires it
▪ criteria
  ▪ nature of the envisaged initiative
  ▪ scope
  ▪ context
  ▪ purpose
  ▪ number/types of affected individuals
  ▪ …
▪ rational compulsion
  ▪ e.g. possible severe negative consequences
4. Appropriate method
▪ no ‘silver bullet’ method
▪ possible methods:
  ▪ risk management
  ▪ qualitative
  ▪ quantitative
  ▪ scenario planning
  ▪ scientific foresight
  ▪ (legal/regulatory) compliance check
  ▪ SWOT analysis
  ▪ CBA
  ▪ …
5. Consequences & recommendations
▪ consequences (‘impacts’)
▪ in the future
▪ positive vs. negative (typically, risks)
▪ intended/unintended
▪ individual/collective
▪ …
▪ final goal: to recommend possible solutions to address possible consequences
6. ‘Best effort’ obligation
▪ absolute mitigation of negative impacts is impossible
▪ absolute maximization of positive impacts is impossible
▪ obligation of means vs. obligation of result
▪ limitations
  ▪ state-of-the-art
  ▪ information
  ▪ available resources
  ▪ …
7. Competences & qualifications
▪ assessor(s) possess:
  ▪ sufficient knowledge → multiple experts needed
  ▪ sufficient know-how
  ▪ appropriate qualifications
  ▪ …
8. Documentation
▪ reasonable transparency
▪ (free and unrestricted) public access
  ▪ the mere fact of the assessment process in place
  ▪ terms of reference
  ▪ progress
  ▪ …
▪ yet: legitimate secrecy
  ▪ state secrets
  ▪ trade secrets
  ▪ personal data
  ▪ otherwise privileged information
9. Deliberative process
▪ public (stakeholder) participation
  ▪ internal/external
  ▪ individuals/organizations
▪ levels of involvement
  ▪ information
  ▪ consultation
  ▪ co-decision
▪ information given and sought is robust, accurate and inclusive
▪ effective means of challenge (contestability)
10. Accountability
▪ (formal) responsibility of decision-makers for:
  ▪ choice of the method
  ▪ choice of the assessors
  ▪ …
▪ (substantive) responsibility of decision-makers for:
  ▪ approval of the results
  ▪ monitor implementation
  ▪ nb. typically beyond the impact assessment process
▪ quality control
  ▪ internal
  ▪ external
▪ non-compliance and malpractice are sanctioned
11. Independence of the assessor
▪ assessor(s) do(es) not receive nor seek(s) any instruction
▪ sufficient resources at their disposal
  ▪ time
  ▪ money
  ▪ workforce
  ▪ knowledge
  ▪ know-how
  ▪ premises
  ▪ infrastructure
12. Simplicity
▪ structured process
▪ coherent
▪ understandable
▪ avoidance of prescriptiveness
▪ avoidance of over-complication
▪ avoidance of the abuse of resources
▪ …
13. Adaptiveness
▪ no “one size fits all”
▪ criteria:
  ▪ initiative under assessment
  ▪ sponsoring organization
  ▪ geographical differences
  ▪ cultural differences
  ▪ …
14. Inclusiveness
▪ stakeholders
▪ expert and layman knowledge
▪ relevant societal concerns
▪ relevant development phases
  ▪ design
  ▪ development
  ▪ deployment
  ▪ …
15. Receptiveness
▪ previous experience
▪ parallel evaluation techniques
▪ knowledge from related disciplines
▪ …
16. Supportive environment
▪ support from policy-makers
  ▪ e.g. guidance
▪ willingness of decision-makers
▪ cooperation of stakeholders
▪ …
The method for impact assessment
(3)
Generic method
❑ 10 steps grouped in 5 phases → Process
Source: Dariusz Kloza, The concept of impact assessment in European privacy and personal data protection law, Brussels, 2019
Step 1. Screening – Threshold analysis
Initial description of an initiative
to determine if IA is warranted or necessary
❑ warranted (e.g. public pressure)
❑ necessary (e.g. required by law)
Step 2. Scoping
Initial description of an initiative
to identify:
❑ societal concerns touched by an initiative (e.g. data protection, ethics, privacy)
❑ stakeholders and their level of involvement (Step 7)
❑ appraisal techniques (i.e. methods) to be used in the process (Step 5) (e.g. risk analysis, n&p, CBA, scenario analysis)
❑ other evaluation techniques (e.g. eIA, PIA, DPIA, integrated impact assessments)
Step 3. Planning and Preparation
To identify:
❑ IA goals
❑ acceptability of negative impacts
❑ resources (time, money, workforce, knowledge, know-how, premises, infrastructure)
❑ procedures and time-frames
❑ assessors (in-house or outsourced), roles and responsibilities
❑ (business) continuity
Step 4. Description
On the basis of the preliminary
❑ contextual (e.g. overview of initiative and organisation, need of initiative, context of deployment, interferences with societal concerns (see Step 2 Scoping))
❑ technical
Step 5. Appraisal of impacts
To be performed according to the preselected techniques (Step 3):
❑ identification
❑ analysis
❑ evaluation
of impacts
Step 6. Recommendations
To define:
❑ concrete measures to minimise negative impacts (and maximise positive ones), their addressees, priority and time-frames
❑ whether to proceed or not
Step 7. Stakeholders involvement
❑ who is a stakeholder? someone who is/might be affecting/affected by an initiative, positively or negatively
❑ why involve stakeholders? (robustness and completeness of decision-making process)
❑ which level of involvement? (e.g. information, consultation, co-decision)
❑ which techniques? (e.g. questionnaires, workshops, roundtables)
Step 8. Documentation
To demonstrate accountability and/or legal compliance
(e.g. registry of impacts, statement of non significant impact, final report)
Step 9. Quality control
To ensure adherence to standards of performance (internal or external, during the process or afterwards)
Step 10. Revisiting
To decide whether to conduct the process again or in part
From generic method to IAM PERSONA
❑ tailoring down
❑ integrating impact assessments
Tailoring down - method for DPIA (GDPR)
1. threshold
▪ criterion 1: high risk YES
▪ criterion 2: specific cases (3) YES
▪ criterion 3: (national) exclusion list NO
▪ criterion 4: (national) inclusion list YES
▪ criterion 5: already carried out NO
▪ criterion 6: professionals NO
▪ *criterion 7: codes of conduct YES/NO
2. description
▪ technical
▪ contextual
3. appraisal
▪ necessity & proportionality
▪ risks to the rights & freedoms of individuals (all relevant human rights)
4. stakeholder involvement
▪ when appropriate, data subjects or their representatives
▪ due respect for legitimate secrecy
▪ if appointed, consultation with a DPO
5. recommendations: measures envisaged to:
▪ address the risks
▪ ensure personal data protection
▪ ensure compliance with the GDPR
6. prior consultation
▪ high residual risk
▪ possible ban of processing
7. re-visiting
▪ when necessary
Tailoring down - method for DPIA (LED)
1. threshold
▪ criterion: high risk YES
2. description
▪ general
3. appraisal
▪ risks to the rights & freedoms of individuals (all relevant human rights)
4. stakeholder involvement
▪ if appointed, consultation with a DPO
5. recommendations: measures envisaged to:
▪ address the risks
▪ ensure personal data protection
▪ ensure compliance with the LED
6. prior consultation
▪ high residual risk
▪ national list
Tailoring down - IAM PERSONA
generic method
DPIA in GDPR
DPIA in LED
PIA
eIA
Social acceptance
Integration of impact assessment
(4)
benchmark
Integrated impact assessment
▪ “everything is inherently interconnected” → comprehensive & integrated assessment
▪ cost-efficiency
▪ inclusion of benchmark(s) not required by law
yet:
▪ not merely the sum of societal concerns
▪ internal consistency
▪ internal coherence (not contradictory)
▪ possible subordination of assessment domains
Steps, by type of assessment: DPIA, Ethical IA (including social acceptance), PIA
Phase I
1) Screening
▪ DPIA: legally binding; 4 iterations:
  ▪ GDPR: 6 criteria to consider
  ▪ LED: 1 criterion
  ▪ EUDPR: 5 criteria to consider
  ▪ EUDPR: 1 criterion for AFSJ
▪ Ethical IA: not legally binding; threshold analysis questionnaire
▪ PIA: not legally binding; threshold analysis questionnaire
2) Scoping
▪ DPIA: narrow down the benchmark to relevant legal statutes; identify appraisal techniques for:
  ▪ risk to a right
  ▪ necessity and proportionality test
▪ Ethical IA: narrow down the benchmark to relevant ethical principles; identify appraisal techniques for ethical issues
▪ PIA: narrow down the ethical benchmark to relevant privacy issues; identify appraisal techniques for privacy issues
▪ Identify stakeholders; identify stakeholders involvement techniques
3) Planning
▪ Determine scale, budget, composition of the team
Phase II
4) Description
▪ DPIA: systematic description of envisaged processing operations [Art 35(7)(a) GDPR & Art. 39(7)(a) EUDPR], or generic description of envisaged processing operations (LED & Art. 89 EUDPR), and technical description of processing operation
▪ Broader ‘big picture’ description of the initiative (relevant ethical, privacy and societal issues not covered by data protection)
5) Appraisal of impacts
▪ DPIA: necessity & proportionality + risk assessment (GDPR & Art. 39 EUDPR); risk assessment (LED and Art. 89 EUDPR)
▪ Ethical IA: applied ethics; ethical checklist approaches; participatory methods; stakeholders consultation; scenario-based approaches
▪ PIA: risk assessment; cost-benefit analysis (CBA)
Phase III
6) Recommendations
▪ DPIA: measures envisaged to address the risks AND demonstrate compliance with data protection rules
▪ Broader scope recommendations that do not fall under data protection recommendations
Phase IV (on going)
7) Stakeholder involvement: identify, define the level of involvement and involve stakeholders at different phases of the process
8) Documentation: document the IA process
9) Quality control: check the quality of the IA process (internally or externally)
10) Revisiting: revise the IA process
Example
Integration
To sum up: Impact Assessment Architecture
1) Framework
2) Method
3) Template/Model
These are the steps you need to follow to carry out the process at your premises
Next session: focus on appraisal techniques and stakeholders’ involvement (May 25 2020)
LSTS.research.vub.be dpialab.org @dpialab
Thank you!