
Topic 3: Plan, describe and consult

10 minutes

Learning objectives

  • Understand the key factors to consider when planning a PIA
  • Describe your project
  • Identify stakeholders that you need to consult with

Video transcript

[ON SCREEN] Privacy impact assessments: Plan, describe and consult

[VOICEOVER] Proper planning will ensure that your privacy impact assessment is effective and efficient. Let’s look at the next three steps in the PIA process.

When planning your PIA, you’ll need to consider several factors, including:

  • the scope of the PIA and its level of detail
  • if it will be conducted internally or outsourced
  • the timeframe
  • the budget required
  • who needs to be consulted, and
  • what steps will be taken after its completion.

You also need to give your project some context by including a big-picture description in your PIA that stakeholders can understand. Are there stakeholders you need to speak with about your project, including the public? Remember, a PIA should always consider community attitudes to privacy. Plan for internal and external consultation early in the PIA process. You should consult as widely as possible to help build understanding and acceptance of your project. This will also identify privacy risks and concerns you may not have considered.

[ON SCREEN] For more information, visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/f-H8jmCCbqA.

Step 2 Plan your PIA

After you have completed your threshold assessment, you can start planning how you are going to undertake your PIA. When planning your PIA, you should consider:

  • how detailed the PIA needs to be, based on an assessment of the project and its privacy scope
  • the timing of the PIA
  • who will conduct the PIA
  • the budget and other resources available to conduct the PIA
  • the extent and timing of stakeholder and public consultations
  • the steps that will need to be taken after the PIA, such as implementation of recommendations and arrangements for ongoing monitoring.

How detailed should your PIA be?

The nature and stage of development of your project will help you to determine how detailed the PIA process needs to be.

When assessing your project’s privacy scope, consider:

  • the quantity of personal information that will be handled
  • whether sensitive information is involved
  • the size or complexity of the project
  • whether the project will involve cross-organisation or cross-sector information sharing
  • the likely community and/or media interest in the privacy aspects of the project.

You may wish to refer to the OAIC’s Guide to undertaking privacy impact assessments for examples of PIA processes for different types of projects, including projects with minimal or low risk personal information handling.

Activity time: Choose the factors

Which of the following factors will likely increase the privacy impacts of your project and the amount of detail required in your PIA?

Who will conduct the PIA?

Generally, whoever is managing the project would be responsible for ensuring a PIA is carried out. However, a PIA is unlikely to be effective if done by a staff member working in isolation. You could make use of ‘in-house’ experts, such as the privacy officer or equivalent, or draw on outside expertise as necessary. You may require a range of expertise, including:

  • information security
  • technology
  • risk management
  • law
  • ethics
  • operational procedures
  • industry-specific knowledge

If your project will have a substantial privacy impact, you may prefer to engage an external assessor to conduct an independent PIA, or to review an internal PIA. This independent assessment may help to develop community trust in the PIA findings and the project’s intent.

What resources could you use to conduct the PIA?

It’s likely that your organisation already holds a lot of information that will help you to complete your PIA. Consider what resources are available to you that would assist you to complete a PIA for your project. These could include:

  • Any published information
  • Business case documents
  • Any existing analysis or legal advice about your project, or about privacy in your organisation more generally
  • Current or draft technical specifications or system designs
  • Stakeholder lists and contact details
  • Research on community attitudes towards privacy

Step 3 Describe the project

Your PIA should include a brief, ‘big picture’ description of your project. This provides context for the rest of the PIA, and could include:

  • The project’s overall aims
  • How these aims fit within the organisation’s broader objectives
  • The project’s scope
  • Some key privacy elements, for example, the extent and type of information that will be collected, how security and information quality are to be addressed, and how the information will be used and disclosed (these will be explored in more detail in subsequent stages of the PIA).

You should keep the project description fairly brief and avoid jargon so that external stakeholders can understand the project.

You could include information about the project that you prepared for the threshold assessment at this stage.

Step 4 Identify and consult with stakeholders

The next step in the process is to identify the stakeholders that you will need to consult with. This is a fundamental part of the PIA process. Consultation is a key factor in building community support for a project. Consultation can address community concerns, provide confidence to stakeholders that their privacy has been considered and improve a project’s privacy practices. Consultation with stakeholders may also assist in identifying privacy risks and mitigation strategies that may otherwise have been missed.

Who are the stakeholders that may be interested in a PIA process?

Stakeholders for your project are likely to be internal and external, and could include:

  • other operational units within your organisation
  • regulatory authorities
  • clients
  • advocacy organisations
  • service providers
  • industry experts
  • academics
  • the public

It may be necessary to add to the stakeholder list as the project progresses.

How to consult?

For consultation to be effective, you should make sure that stakeholders:

  • are sufficiently informed about the project
  • are given an opportunity to provide their perspectives and raise any concerns
  • have confidence that their input will be taken into account in designing the project

It may not be necessary to consult with all identified stakeholders, depending on the scale and likely privacy impacts of the project. You may decide that targeted consultation is the most appropriate approach for your project. However, consultation with the public is particularly important where your project affects members of the public. Public consultation also raises community awareness of a project and can increase confidence in the way the project handles personal information.

You could run focus groups, one-on-one interviews or seek comments through public submissions or online surveys.

Consultation also need not be a separate step. It can be useful to consult throughout the PIA process.

Case study

You’ve completed your threshold assessment and concluded that it will be necessary to conduct a PIA for the new arrangement between We Sell Stuff and HelpingU.

You’ve decided the PIA should begin straight away, so that you can build any recommendations to reduce privacy risks into the contract between We Sell Stuff and HelpingU. The PIA will be quite detailed.

You were previously We Sell Stuff’s privacy contact officer, so you have the relevant experience to complete the PIA.

You’ve just told your colleagues the news.


Over to you: Your PIA worksheet

Ready to get started with your PIA? In ‘Your PIA’ worksheet:

  • Plan your PIA, including timeframes, who will conduct it, budget and resources.
  • Outline your project description.
  • Make a list of stakeholders and detail what consultation is appropriate for your project.