Summary and implications

On 25 February the UK Information Commissioner's Office (ICO) published a new Code of Practice for conducting Privacy Impact Assessments (the Code).

The Code is essential reading for all real estate businesses that process personal data in the UK, such as names, addresses, CCTV footage and access code data.

In brief, the Code sets out the data protection and wider privacy issues that should be considered when planning new projects that will process personal data. As real estate companies become increasingly involved in developing "smart buildings" and embracing new technologies such as access cards, cloud and e-archiving, the Code will become ever more relevant.

What are Privacy Impact Assessments?

Privacy Impact Assessments (PIAs), as their name suggests, are a risk management tool for identifying and minimising privacy risks. By "privacy", the ICO means both individuals' physical privacy and data privacy.

Used properly, PIAs can help businesses and other organisations to identify and manage privacy risks at an early stage – helping to support brand and reputation management. The Code builds on and formalises earlier guidance issued by the ICO.

Are PIAs legally required?

Conducting a PIA is not currently a legal requirement under the UK Data Protection Act 1998 (DPA). However, the Code states:

"The ICO may ask an organisation whether it has carried out a PIA as this is often the most effective way for an organisation to demonstrate to the ICO how their personal data processing complies with the DPA".

Real estate companies should also be aware that, at the European Union level, there are moves to make PIAs mandatory. The draft General Data Protection Regulation which is expected to replace the current Data Protection Directive (95/46/EC) contains mandatory PIA provisions.

When does the Code recommend that a PIA be conducted?

The Code recommends that a PIA should be undertaken for any project that will either involve the use of personal data or otherwise impact on the privacy of individuals.

For real estate companies this would, typically, include the following types of projects:

  • introducing a new surveillance system such as a CCTV system or introducing a new technology to an existing CCTV system;
  • introducing a new technology such as an access card system that can monitor individuals;
  • introducing a new IT system or database for storing or accessing personal data. For example, this could be the introduction of systems that store and interrogate individuals' movements through buildings via swipe card systems, or systems that store employee information;
  • introducing apps that individuals can use which will then store information that may range from location data to purchase data (this is a newly emerging trend for shopping centres);
  • introducing or changing cloud technology systems;
  • introducing tablet roll-outs or Bring Your Own Device programmes for real estate staff;
  • introducing new e-archiving systems for documents containing personal data and/or emails;
  • introducing a new data centre operation for back-up of data (for example for data such as email archives and employee databases); and
  • any other project that might involve using personal data for a new purpose or sharing personal data with a third party.

How to conduct a PIA?

The Code identifies the following key steps that should be taken to conduct a PIA:

  • identifying the need for a PIA;
  • describing the information flows;
  • identifying the privacy risks;
  • identifying privacy solutions;
  • signing off and recording the PIA outcomes;
  • integrating the outcomes into the project plan; and
  • consulting with internal and external stakeholders as needed throughout the process.

Where a business or other organisation has a data protection officer (DPO), the Code states that the DPO will be "naturally well-placed" to have a significant role in conducting the PIA. However, the Code recognises that not all organisations have their own DPO and that other approaches may be required. Nabarro can support real estate companies that do not have a DPO and/or that need specialist IT and data protection support.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.