
Objective:

The PIA process includes a data flow analysis, to identify and analyse the information flow occurring through the System Under Review (SUR) in order to ultimately identify the best privacy-safeguarding design.

Specific objectives of the data flow analysis are:
• To identify all personal information associated with the SUR,
• To develop a detailed description and analysis of data flow,
• To identify and analyse the design alternatives selected in the proposed design for the SUR,
• To identify the best privacy-safeguarding system architecture for the SUR.
In order to document the data flow, the following activities are carried out:
• Description and analysis of the SUR system architecture through a diagram,
• Description of the information flow involved in the SUR through:
  o Identifying a data inventory of the clusters of personal information/data involved in the SUR,
  o Developing data flow diagrams of the key design use cases associated with the primary processing purposes planned for the personal information by the SUR.
• Provision of an ad hoc data design questionnaire, developed to allow the engineer to compare the privacy impact of possible design alternatives and to rank the alternatives based on standard criteria involving privacy, information content and technical complexity.

basis of a set of three essential criteria: privacy, information content, and technical complexity (feasibility).
Each option of an alternative is given a composite score, based on the sum of the three dimensions. All scores range from 0 to 5 (from "not applicable" to "very high level").
The score on privacy is based on three separate criteria: identifiability, linkability and observability.

Identifiability is intended to be a measure of the degree to which information is personally identifiable. The identity measurement has been considered as taking place on a continuum, from full anonymity (the state of being without name) to full verinymity (being truly named).

The goal to be pursued is to decrease as much as possible the amount of identity elements in the SUR. This minimalist design approach is consistent with Privacy by Design principles. The PT should set a threshold design principle for the level of identity data required for efficient running of the SUR, so that identification above the threshold can be highlighted for possible removal from the design of the SUR. Many tools employing reversible and non-reversible pseudonymity are available for this purpose.
Linkability was conceived as a measure of the degree to which data elements are linkable to the true name of the data subject, where unlinkability means that different records cannot be linked together and related to a specific personal identity. In this regard, complex interrelations have been taken into account, considering that record linkage can be subtle, as it may be organized and/or made possible in different ways.

Observability was defined as a measure of the degree to which identity or linkability are affected by the use of a system. It considers, in fact, any other factor relative to data processing (time, location, data contents) that can potentially affect the degree of identity and/or linkability: in other words, effect modifiers.
The overall privacy score for each questionnaire item is agreed by PT members to be obtained as the average of the three privacy dimensions. The score for the Information content criterion is based on a single score providing a value for the level of information provided by the specific scenario/option in terms of relevance and level of affinity with the intended feature of the SUR requiring the
Data inventory template (one entry per cluster of personal data), with the following fields:
• Desc of Personal Data / Data Cluster
• Personal Info Category
• PII Classification
• Source
• Collected By
• Collection Method
• Type of Format
• Used By
• Purpose of Collection
• Security Classification
• Transfer to: De-Identification
• Security Control During Data Transfer
• Data Repository Storage or Format
• Data Disclosed To
• Retention Policy
• Retention Site
• Deletion Policy
[Data flow diagram for XYZ. Recoverable node labels: User interaction; XYZ Service interface; 1) 3rd party account setup done; Process-specific service setup connector; External 3rd Party Service interface; ABC Service; 2) XYZ Service Account Setup Done; XYZ Account Service interface; 3rd Party Account Mgmt Provider; XYZ Account DB; 3) XYZ First Use Experience Done; New Service Use Case 1; Data store / system; XYZ DB interface or connector.]
Data design questionnaire scoring sheet (each cell scored 0-5):

Option                | Privacy: Identifiability | Privacy: Linkability | Privacy: Observability | Privacy: Overall | Content: Overall | Complexity: Overall
Design alternative A  |                          |                      |                        |                  |                  |
Design alternative B  |                          |                      |                        |                  |                  |
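As an added worked example (not part of the PIA document or its questionnaire), the following Python computes the scoring sheet as the text defines it: a privacy score that averages identifiability, linkability and observability, and a composite score that adds information content and technical complexity to it, with every score checked against the 0-5 range. The two alternatives and their scores are constructed sample values, and the ranking direction (a lower composite is preferable) is an assumption of the example, not something the document states.

```python
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 0, 5  # 0 = "not applicable" ... 5 = "very high level"


@dataclass(frozen=True)
class DesignOption:
    """One option of a design alternative, scored 0-5 on each criterion."""
    name: str
    identifiability: int
    linkability: int
    observability: int
    information_content: int
    technical_complexity: int

    def __post_init__(self):
        # Reject any score outside the questionnaire's 0-5 scale.
        for field in ("identifiability", "linkability", "observability",
                      "information_content", "technical_complexity"):
            value = getattr(self, field)
            if not SCORE_MIN <= value <= SCORE_MAX:
                raise ValueError(f"{self.name}: {field}={value} not in {SCORE_MIN}-{SCORE_MAX}")


def privacy_score(opt: DesignOption) -> float:
    """Overall privacy score: the average of the three privacy dimensions."""
    return (opt.identifiability + opt.linkability + opt.observability) / 3


def composite_score(opt: DesignOption) -> float:
    """Composite score: the sum of privacy, information content and complexity."""
    return privacy_score(opt) + opt.information_content + opt.technical_complexity


def rank_options(options, lower_is_better=True):
    """Rank options by composite score. The direction is an assumption of this
    example: the privacy dimensions measure exposure, so a lower composite is
    treated as the preferable design."""
    return sorted(options, key=composite_score, reverse=not lower_is_better)


# Constructed sample values for two hypothetical account-setup alternatives.
OPTION_A = DesignOption("Design alternative A (verinymous account)", 5, 4, 3, 4, 1)
OPTION_B = DesignOption("Design alternative B (pseudonymous account)", 2, 1, 2, 3, 3)

if __name__ == "__main__":
    for opt in rank_options([OPTION_A, OPTION_B]):
        print(f"{opt.name}: privacy={privacy_score(opt):.2f} "
              f"composite={composite_score(opt):.2f}")
```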
