
Topic 2 The 10 steps

10 minutes

Learning objectives

  • Understand the 10 steps to completing a PIA
  • Assess whether you need to complete a PIA

Video transcript

[ON SCREEN] Privacy impact assessments: The 10 steps.

[VOICEOVER] If your project involves personal information, then you will most likely need to do a privacy impact assessment.

A PIA is a flexible process that should be tailored to your project and circumstances. The amount of effort involved will vary according to the nature, size and complexity of the project. Follow these 10 steps when completing your PIA.

1. Threshold assessment. Use this initial step to determine if you need to do a PIA.

2. Plan your PIA. You need to decide how detailed it will be, who will conduct it, how long it will take, who will be consulted and how recommendations will be implemented.

3. Describe the project. This information is important as it provides context for the rest of the PIA.

4. Identify and consult with stakeholders. Consulting with stakeholders can help you identify new privacy risks or concerns you may not have originally considered.

5. Map the information flows. You need to know what information will be collected, how it is used and disclosed, how it will be stored and protected, and who will have access to it.

6. Privacy impact analysis and compliance check. Analyse how the project impacts on privacy, both positively and negatively. Consider any privacy impacts and community expectations. A compliance check against the Australian Privacy Principles will identify if a project could interfere with an individual’s privacy.

7. Managing privacy impacts. This is the time to develop strategies to remove, minimise or mitigate privacy impacts.

8. Make recommendations. Pinpoint strategies to avoid or minimise risks.

9. Prepare a report. This needs to be practical and easy to read.

And the final step in the PIA process is 10. Respond and review. Make sure the recommendations are adopted and monitor their progress.

[ON SCREEN] For more information visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/ZLvH-71wLoQ

Undertaking a PIA

Let’s look now at the 10 steps you will go through to do a PIA.

  1. Threshold assessment

    This will help you determine whether you need to do a full PIA or not.

  2. Plan

    Good planning will ensure your PIA is effective and efficient.

  3. Describe

    This provides context to the project that all stakeholders understand.

  4. Identify and consult with stakeholders

    Who is interested in or affected by the project?

  5. Map information flows

    What information will be collected, used and disclosed, how will it be held and protected, and who will have access to it?

  6. Privacy impact analysis and compliance check

    How does the project impact on privacy and is it compliant with the Australian Privacy Principles?

  7. Privacy management — addressing risks

    What options do you have to remove, minimise or mitigate any negative privacy impacts?

  8. Recommendations

    Make recommendations about how avoidable risks can be removed or reduced to a more acceptable level.

  9. Report

    A report that summarises your findings and recommendations.

  10. Respond and review

    Implementation of recommendations and ongoing monitoring.

Now let’s look at the first step in more detail.

Step 1 Threshold assessment

The first step in the PIA process is to assess whether a PIA is necessary for your project. Not every project will need one. You should also consider your organisation’s risk management processes.

Ask yourself: ‘Will any personal information be collected, stored, used or disclosed in the project?’

If the answer is ‘yes’ then you will generally need to complete some form of PIA.

Remember to consider the risk that de-identified information becomes personal information again if it can be matched with another dataset (or with publicly available information) in a way that enables individuals to be identified.
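The matching risk above can be checked rather than guessed at. The following is an added illustration for this module, not OAIC material: it takes a constructed 'de-identified' project extract (names and addresses removed, but postcode, birth year and sex retained next to a health condition) and a constructed publicly available list (for example, a sports club membership roll), links the two on those shared quasi-identifiers, reports which records are uniquely re-identified, and shows the effect of coarsening the quasi-identifiers before release. All records, field names and helper names are assumptions made for the example.

```python
"""Linkage check for a 'de-identified' extract.

Added illustration for the threshold-assessment step; not part of the
OAIC module. Every record below is constructed for the example.
"""
from collections import defaultdict

# Constructed project extract: direct identifiers removed, but
# quasi-identifiers kept alongside a sensitive attribute.
RELEASED = [
    {"postcode": "2600", "birth_year": 1985, "sex": "F", "condition": "asthma"},
    {"postcode": "2600", "birth_year": 1985, "sex": "F", "condition": "diabetes"},
    {"postcode": "2601", "birth_year": 1972, "sex": "M", "condition": "hypertension"},
    {"postcode": "2602", "birth_year": 1990, "sex": "M", "condition": "none"},
    {"postcode": "2604", "birth_year": 1978, "sex": "M", "condition": "none"},
    {"postcode": "2605", "birth_year": 1993, "sex": "M", "condition": "asthma"},
]

# Constructed 'publicly available' dataset, e.g. a club member list.
PUBLIC = [
    {"name": "A. Nguyen", "postcode": "2600", "birth_year": 1985, "sex": "F"},
    {"name": "B. Patel", "postcode": "2600", "birth_year": 1985, "sex": "F"},
    {"name": "C. Smith", "postcode": "2601", "birth_year": 1972, "sex": "M"},
    {"name": "D. Jones", "postcode": "2603", "birth_year": 1990, "sex": "M"},
]

# Fields present in both datasets that together narrow down a person.
QUASI_IDS = ("postcode", "birth_year", "sex")


def key(record, fields):
    """Tuple of the record's quasi-identifier values, used for matching."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Size of each record's quasi-identifier equivalence class within
    the release. A value of 1 means the record is unique on those fields."""
    counts = defaultdict(int)
    for r in records:
        counts[key(r, fields)] += 1
    return [counts[key(r, fields)] for r in records]


def link(released, public, fields=QUASI_IDS):
    """For each released record, the names in the public dataset that share
    its quasi-identifier values: one name = pinned to a person, several =
    narrowed to a small candidate set, none = no match in this dataset."""
    index = defaultdict(list)
    for p in public:
        index[key(p, fields)].append(p["name"])
    return [index.get(key(r, fields), []) for r in released]


def reidentified(released, public, fields=QUASI_IDS):
    """Indices of released records that are unique within the release AND
    match exactly one public record, i.e. a one-to-one re-identification."""
    ks = k_anonymity(released, fields)
    names = link(released, public, fields)
    return [i for i, (k, n) in enumerate(zip(ks, names)) if k == 1 and len(n) == 1]


def generalise(records):
    """A simple mitigation: coarsen postcode to its first two digits and
    birth year to a decade, so more records share each quasi-identifier key."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "xx"
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    for i, (k, names) in enumerate(zip(k_anonymity(RELEASED), link(RELEASED, PUBLIC))):
        print(f"record {i}: k={k}, candidates={names}")
    print("re-identified records:", reidentified(RELEASED, PUBLIC))
    print("k after generalisation:", k_anonymity(generalise(RELEASED)))
    print("re-identified after generalisation:",
          reidentified(generalise(RELEASED), generalise(PUBLIC)))
```

Record 2 is unique within the release and matches one person in the public list, so the 'de-identified' extract is personal information about that person and the threshold question is answered 'yes'. Records 0 and 1 are not pinned to an individual, but the linkage still tells an attacker that one of two named people has asthma and the other diabetes; matching on quasi-identifiers is the check, and it applies to any dataset the project's data could plausibly be joined with, not only the one you happen to test.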

Depending on how personal information is handled in your project, the PIA process might be quite brief. Topic 3 provides more information on completing a PIA for projects with minimal or low-risk handling of personal information.

What if a PIA is not necessary?

A PIA may not be necessary if:

  • personal information is not involved in the project
  • the project does not propose any changes to existing information handling practices, the privacy implications of those practices have been assessed previously, and the controls are current and working well.

If you answered ‘no’ to the threshold assessment question, you should still keep a record of your decision.

This could include information like:

  • A brief description of your project
  • An analysis of how the project deals with personal information, if at all. For example:
    • the purposes for which the personal information will be collected, used or disclosed
    • any authority under which personal information is collected
    • whether the information is sensitive
    • a description of the changes, if any, to the way personal information will be handled
    • the views of any stakeholders about the impact of the project on information privacy
    • a description of how any privacy risks have previously been assessed and are being managed (if relevant).

More details on what to include in your threshold assessment report can be found in the OAIC’s Guide to undertaking privacy impact assessments.

True or false?

“As part of my project, I will just be collecting and storing people’s names. This is information that can be found on publicly available databases (like telephone books), so I don’t need to conduct a PIA.”

Answer: False. Personal information is any information that can identify an individual. As your project involves handling personal information, you may need to conduct some form of PIA, even if it is quite brief. Topic 3 provides more information on completing a PIA for projects with minimal or low-risk handling of personal information.

Over to you: Your PIA worksheet

Is a PIA necessary for your project? Record your answer to the threshold assessment in ‘Your PIA’ worksheet.
