Office of the Privacy Commissioner for Personal Data, Hong Kong

E-Privacy:
A Policy Approach to Building Trust and Confidence
In E-Business

Stage 2: E-Privacy Strategic Planning and Privacy Impact Assessment

8.1

The formulation of specific functional or process strategies forms a central part of Stage 2 of the E-Privacy Policy framework. These strategies need to be tailored to the specific needs of the provider and the market segments targeted. This will be reflected in systems architecture design, the service mix, value and supply chain management, target customer needs etc. Customised strategies should be anchored to the provider's E-Privacy drivers and the direction set in Stage 1 of the process.

8.2

The fulfillment of the provider's vision, and related privacy objectives, will make the following types of demands upon the provider.

  • Irrespective of approach, the provider will need to put in place a strategic planning process that links the key activities of analysis, planning, implementation and control.
  • The planning process should be preceded by a situational analysis of the strengths and weaknesses of the provider in relation to the opportunities and threats in the E-Business environment. The purpose of this exercise is to identify, evaluate, select and prioritize tenable opportunities that are attractive given prescribed performance criteria. The preferred options will invariably generate organisational imperatives and key results areas ("KRA").
  • An output of the planning process should be the formulation of specific functional or process objectives, and related strategies, that are consistent with corporate objectives and E-Privacy goals.
  • The next task is to break the strategy down into manageable action plans that will identify particular responsibilities and targets for individuals or teams to attain. It may also indicate the tactical approach to be deployed in the short-term.
  • The execution of action plans and strategies needs to be policed by a rigorous compliance regimen. This should establish operational performance protocols that address network attacks, counter-measures to be taken, damage control procedures, performance pledges, operational checklists etc. (The reader may wish to refer to the Privacy.SAFE assessment and compliance kit, copies of which are available from the PCPD.)

8.3

The E-Privacy Strategic Planning process needs to operate in parallel with a Privacy Impact Assessment ("PIA"). In the absence of a common definition, a PIA may be described as a systematic process that evaluates proposed initiatives or strategic options in terms of their impact upon privacy. To be effective, a PIA needs to be an integral part of the project planning process rather than an afterthought. The purpose of this assessment is twofold.

  • To identify the potential effects that a project or proposal may have upon personal data privacy e.g. the introduction of a multi-purpose smart card.
  • Secondly, to examine how any detrimental effects upon privacy might be mitigated.

8.4

PIA is a process that may be applied to a wide range of E-Business proposals that may be intrusive in terms of reasonable expectations of privacy, or the privacy rights enshrined in the Ordinance. It has equal validity applied to a public policy initiative e.g. electronic road pricing, as it has to a corporate initiative e.g. online customer profiling for prospecting purposes.

8.5

A PIA needs to commence at the outset of any planning initiative, strategy or policy proposal. Although the approach taken to PIA may vary with the context in which it is undertaken, that approach should be methodical. Experience indicates that it should begin with a definition of the problem or a statement of issues. There are distinct advantages in outsourcing a PIA study, not the least of which is that it lends impartiality to the process. This may be critical in influencing consumer or public opinion. For example, in the public sector the findings of a PIA study might be incorporated in a public consultation exercise, or policy position statement. This suggests that PIA is not an end in itself.

8.6
The outcome of any PIA should be measured against the influence it exerts upon proposals and strategic decision making. Ultimately the purpose is to ensure that decision-makers are cognizant of the privacy dimension and work towards decisions that are privacy enhancing.

8.7
PIA has been referred to by a leading figure in the privacy community as an "early warning system". Approached correctly, a PIA should ensure that organisations avoid the pitfalls that are implicit in a less disciplined approach to privacy issues. More significantly, as E-Business volumes grow, PIAs will contribute to protecting the image, goodwill and public confidence in those organisations that offer their services online.





Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.