Privacy Awareness Week blog series: Privacy impact assessments
So, you have an exciting new project that’s about to begin. There are so many things to think about, so much planning to do, things to organise… time to write a list!
One thing that should be on the top of that list? A privacy impact assessment (PIA).
What is a PIA?
A PIA is a tool that can help organisations evaluate compliance with their privacy obligations. A PIA can assist you to identify potential privacy risks and develop risk mitigation strategies to manage, minimise or eliminate privacy impacts. A PIA is essentially a self-auditing assessment, and it is a tool that is used around the world when organisations are putting together new projects or policies.
Using PIAs helps to build good practices by:
• highlighting privacy elements that need to be considered in every project;
• helping to avoid potential breaches down the track;
• embedding a positive privacy culture within the organisation by encouraging privacy to be considered before a project commences; and
• promoting privacy awareness across organisations.
Privacy by Design
Privacy should be considered at the outset, as well as throughout, the development and implementation of any project that involves the collection and handling of personal information. The concept of ‘Privacy by Design’ enables privacy to be a key element, one that is built into projects at the start and continues to be a ‘design feature’ throughout. A PIA is one way that organisations can embed Privacy by Design into their initiatives.
When should a PIA be conducted?
Best practice would be to conduct a PIA during the preliminary or conceptual phase of a project. This will allow you to identify any potential privacy risks or barriers at a time when these risks can easily be addressed. You can then revisit the PIA at a later stage, prior to implementation of the project, to ensure that these issues have been addressed and that the program adheres with relevant privacy obligations. A PIA should be a living document, one that can continue to change in line with the project as it develops.
Is your project large in scope? No need to worry – PIAs can be conducted for different aspects of a project, or at different stages. For very large projects, you might undertake multiple PIAs that cover different elements. This approach allows for a focused review of a specific part of the project, rather than tackling a somewhat daunting overall privacy assessment of a large project.
What does a PIA cover?
The PIA template prepared by OVIC (available here) assesses information privacy only. It asks respondents to assess their initiative against the Information Privacy Principles (IPPs) contained in the Privacy and Data Protection Act 2014. Complex initiatives may require an additional assessment of other privacy risks (such as bodily, territorial or locational privacy) and broader privacy considerations required by the Charter of Human Rights and Responsibilities Act 2006 (The Charter). Other rights and responsibilities under the Charter should also be considered separately from the PIA process to ensure that your project does not interfere with other human rights.
Who should do a PIA?
Organisations can undertake the PIA process themselves, using either OVIC’s template or their own. Our template has been designed for anybody to use, even those who don’t already have a privacy background. Your organisation’s Privacy Officer will be able to assist if you have any questions.
In some cases, organisations may choose to engage a consultant to complete the PIA for them. Using an external party can be a good option if your project is particularly large or complex, or where it is important to show that the assessment has been done by an independent person who is not affiliated with your organisation. Some projects can be contentious if they suggest a new way of using personal information, and it might be beneficial to have an independent view inform the initiative.
Am I doing this right?
When conducting a PIA, there are many privacy elements to consider. If you are unsure or have any questions about PIAs, or OVIC’s PIA template, please contact the OVIC enquiries line on 1300 008 642, or by email at firstname.lastname@example.org. Though we are unable to endorse any project or privacy protections in place, we are happy to provide guidance on PIAs and suggest ways to further improve privacy protection. If you have questions about the application of the IPPs, please see the Guidelines to the Information Privacy Principles.
This blog post was written by Amy Leon, Policy Analyst, Office of the Victorian Information Commissioner.