ABSTRACT
A core task of privacy impact assessment is to analyze how personal information is being processed. This task has always been difficult and becomes even more complicated with a further growth of digitally networked technologies and easily reproducible information. The dynamics inherent to digital information stimulate the boundaries between personal and non-personal information to increasingly blur. This facilitates the expansion of identifiability. Consequently, it becomes ever more difficult to determine what personal data, or more precisely personally identifiable information, exactly is. This chapter discusses this problem and proposes a general framework for privacy impact assessment comprising identifiability as the initial condition of a privacy impact. As identifiability enables the emergence of other privacy risks, it is thus the primary risk to consider when assessing privacy impacts. At its core, the framework comprises a basic typology of identifiable information. This typology differs between personally and technically identifiable information along four basic dimensions. It enables a more systematic analysis of identifiable information flows which may contribute to improving the theoretical understanding of privacy impacts and the quality of privacy protection. The chapter also outlines how to carry out a privacy impact assessment process based on the proposed framework.
