Publication - Advice and guidance

Scotland's Digital Future: Scottish public sector cloud computing guidance

Published: 1 Apr 2015

Guidance and principles on cloud computing in the Scottish public sector.

Annex 3 - Privacy impact assessments (PIAs)

The Information Commissioner's Office (ICO) has published guidance on assessing the impact of moving information into the cloud.

It has published a code of practice, Conducting privacy impact assessments, which explains what PIAs are and how you can use them in your organisation.

The code contains annexes which can be used as the basis for your PIA. These include questions to guide the process and templates for recording the assessment. You do not have to use these if you would prefer to follow your own process, but the annexes are included in an editable format.

An assessment of the impact of the risk to sensitive and personal information should be undertaken prior to moving data into any location and particularly the cloud.

Privacy impact assessments (PIAs) are a tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.

You can integrate the core principles of the PIA process with your existing project and risk management policies. This will reduce the resources necessary to conduct the assessment and spread awareness of privacy throughout your organisation.

As part of their work in this area, the ICO commissioned a report into the use of PIAs and the potential for further integration with project and risk management. The report was provided by Trilateral Research and Consulting.

You can access the report and an executive summary here.


Email: Philip Whitley