The Law School congratulates David Tancock (EPSRC CASE Studentship with Hewlett Packard Labs, Filton) who has been awarded the degree of Doctor of Philosophy. David's thesis "Design and Implementation of a Privacy Impact Assessment Tool" was supervised by Andrew Charlesworth, Reader in IT Law (Law/CompSci); Dr. Siani Pearson, Principal Research Scientist, Hewlett-Packard Laboratories; and Dr Ian Holyer, Senior Lecturer in Computer Science (CompSci).

David is the second recent successful PhD from the cross-disciplinary centre for IT and Law (CITL), following Dr Mireille Caruana's successful defence of her thesis "Privacy and ICTs in a Changing World: differing European approaches to uses of personal data in the criminal justice sector."

David's research examined the extent to which an automated tool might assist in the process of carrying out Privacy Impact Assessments (PIAs) in the UK, and thereby improve PIA uptake by organisations.

David's examiners were Dr Theo Tryfonas, Senior Lecturer in Systems Engineering (Engineeering, Bristol) and Professor Philip Leith (Law, Queen's University of Belfast).

A Privacy Impact Assessment (PIA) is a systematic process for evaluating the possible future effects that a particular activity or proposal may have on an individual’s privacy. It focuses on understanding the system, initiative or scheme, identifying and mitigating adverse privacy impacts and informing decision makers who must decide whether the project should proceed and in what form.

In most of the major jurisdictions (i.e. Canada, United States (US) etc.) that conduct PIAs, PIA tools and document templates are used by organisations for project compliance/analysis in relation to their own national, state or sector-specific requirements. However, in the UK, organisations typically use manual documents in one form or another (ranging from un-systematised documentation sets to organised Microsoft Templates) to undertake PIAs, usually based upon the advice given by the Information Commissioner’s Office (ICO) and its UK PIA Handbook, or upon their own organisational rules and procedures.

The type of PIA tool envisaged in David's research would help UK organisations carry out PIAs more easily, facilitate comparison and improve standardisation. the tool takes the form of a software prototype based upon a Decision Support System (DSS) that addresses the complexity of privacy compliance requirements for organisations. It can help decision makers within organisations decide whether a new project should go ahead and if so, in what form. the research included a stakeholder analysis with stakeholders selected to provide requirements for the PIA tool, and also to participate in the PIA tool's validation process.