Welcome back! This is where you left us. Not what you wanted?

Topic 5 Privacy impact analysis and compliance check

10 minutes

Learning objectives

  • Understand what a privacy impact analysis and compliance check is
  • Identify and assess the privacy impacts of your project
  • Ensure that your project complies with privacy law

Video transcript

[ON SCREEN] Privacy impact assessments: Privacy impact analysis and compliance check

[VOICEOVER] The privacy impact analysis and compliance check is one of the most important steps in the PIA process. Here you need to identify and critically analyse how the project affects privacy, both positively and negatively.

It’s not just about compliance with the Australian Privacy Principles. You also need to consider if the project is consistent with community values and attitudes about privacy. The results of your stakeholder consultation will help with this.

The main aim of the privacy impact analysis is to determine if the project’s privacy outcomes are acceptable.

Firstly, consider the possible privacy risks to the project as a whole. Do individuals have to give up control of their personal information? How valuable would the information be to unauthorised users? Is any privacy intrusion, such as surveillance, necessary and worthwhile for the project?

Secondly, check compliance with the Australian Privacy Principles and any other privacy-related legislation or information handling obligations. Document how your project complies with each APP, or why you’re not required to comply. You should also list any risks that you identify.

In the next step in the PIA process, we consider strategies to address negative impacts you have identified in your impact analysis and compliance check.

[ON SCREEN] For more information, visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/-yZL8__v2kU. If YouTube is blocked, try this video.

Step 6 What is a privacy impact analysis?

A privacy impact analysis is one of the most important steps in the PIA process.

Your privacy impact analysis will identify and critically analyse how your project impacts upon privacy, both positively and negatively. Does your project have acceptable privacy outcomes or unacceptable privacy outcomes? Can any negative privacy outcomes be improved?

Conducting a privacy impact analysis will assist you to improve the privacy impacts of your project and will be beneficial to the overall success of your project.

What should I consider in my privacy impact analysis?

Your analysis should consider questions like:

  • Will individuals be required to give up control of their personal information or change the way they interact with your organisation, for example through more frequent identity checks or increased costs?
  • Will decisions that have consequences for individuals be made as a result of the way personal information is handled in the project (such as decisions about services or benefits)?
  • Does the project recognise the risk of function creep? (For example, is there an interest in using the personal information collected for the project for other purposes that might occur in the future?)
  • Is there a complaint handling mechanism? Is it visible, comprehensive and effective?
  • How will you handle privacy breaches?
  • Are there audit and oversight measures in place in case a system fails?
  • How valuable would the information be to unauthorised users?
  • Are any negative privacy impacts, including any intrusion or surveillance, fully justified and in proportion to your project’s anticipated benefits? Is it the only way of achieving the aims of your project, and done in the least privacy intrusive manner?
  • Does the use of personal information in your project align with community expectations?

Your analysis should include any stakeholder or public consultation results that may assist you to work out how to improve the project’s privacy outcomes.

Ultimately, your privacy impact analysis should consider:

  • Are the privacy impacts of your project necessary or avoidable?
  • How will the privacy impacts affect your project’s broad goals?

The above list is not exhaustive. The nature and scope of your project will determine the issues that you need to investigate as part of your privacy impact analysis.

True or false?

A privacy impact could be positive or negative.
Correct! A privacy impact can be positive (privacy enhancing) or negative (privacy invasive)
Incorrect. A privacy impact can be positive (privacy enhancing) or negative (privacy invasive).

What is a compliance check?

While a PIA is more than a compliance check, it is essential that you consider compliance with privacy law.

Consider whether your project complies with each of the Australian Privacy Principles (APPs). For each APP, ask yourself:

  • Is the APP relevant to the project? If not, why not? Will it become relevant to the project at a later stage?
  • Does my project comply with the APP?
  • Are there any risks to compliance?

You should document and provide specific details about how your project complies with the APP, or why you are not required to comply, and any considerations you took into account.

Australian Government agencies should also be aware that there may be other privacy-related legislation and rules that apply to your agency, such as secrecy provisions or information handling obligations in other legislation.

The OAIC’s Guide to Undertaking Privacy Impact Assessments provides example questions for each APP to assist you to complete your compliance check.

You may also find the APP Guidelines a useful resource to assist you to interpret and apply the APPs.

Case study
Your information flow diagram has helped you and your colleagues to identify the potential privacy impacts of the project.

Select whether the following privacy impacts are positive or negative.
We Sell Stuff’s IT team has developed an encryption tool that will ensure the security of the existing customer database when it is sent to HelpingU
We Sell Stuff will de-identify customer information before disclosing it to the data analytics company
We Sell Stuff’s legal team has included a clause in the contract to ensure that the data analytics company does not re-identify the de-identified customer information it receives
We Sell Stuff’s customers have not been informed that their personal information is being collected by HelpingU, and that HelpingU will have access to We Sell Stuff’s customer database
HelpingU has a policy of refusing to deal with anonymous callers
HelpingU has not provided details to We Sell Stuff about how customer information will be secured
Complete

Positive privacy impacts

  • We Sell Stuff’s IT team has developed an encryption tool that will ensure the security of the existing customer database when it is sent to HelpingU
  • We Sell Stuff will de-identify customer information before disclosing it to the data analytics company
  • We Sell Stuff’s legal team has included a clause in the contract to ensure that the data analytics company does not re-identify the de-identified customer information it receives

Negative privacy impacts

  • We Sell Stuff’s customers have not been informed that their personal information is being collected by HelpingU, and that HelpingU will have access to We Sell Stuff’s customer database
  • HelpingU has a policy of refusing to deal with anonymous callers
  • HelpingU has not provided details to We Sell Stuff about how customer information will be secured

Over to you Your PIA worksheet

In ‘Your PIA’ worksheet, list some of the negative and positive privacy impacts of your project. Assess whether your project complies with the APPs.

You will refer back to any negative privacy impacts that you identify in Step 7 of the PIA process: addressing privacy risks.

  Previous Next