I am a huge proponent of privacy impact assessments (PIAs), which are basically risk assessments for privacy. PIAs can reveal gaps in privacy practices, along with the information security practices used to protect privacy. They are important and effective exercises for all organizations that handle personally identifiable information (PII).
Yesterday a Government Computer News (GCN) article, “DHS bares upgrades to immigration, travel databases,” reported that the U.S. Department of Homeland Security (DHS) has made available 14 PIAs for projects that “collectively contain tens of millions of personal records concerning immigration and travel.”
These PIAs reportedly go beyond the IT issues; they address the privacy impacts related to paper, spoken and other non-IT PII.
I have not yet reviewed the PIAs, but I plan to. Reviewing PIAs not only gives you important information about the actions being taken to preserve privacy and how to perform PIAs; it also helps to demonstrate good privacy practices, reveal poor privacy practices, and demonstrate due diligence.
These DHS PIAs could serve as great case studies for your information security and privacy awareness and training programs.