What is a privacy impact assessment?
A PIA is a systematic assessment of a project that:
- identifies the impact that the project might have on the privacy of individuals
- sets out recommendations for managing, minimising or eliminating that impact.
Welcome back! This is where you left us. Not what you wanted?
[ON SCREEN] Privacy impact assessments: An introduction
[VOICEOVER] If you are designing a new product or service, or changing a process that involves personal information, you need to think about privacy. Issues around privacy can determine the success or failure of your project. Any project that involves personal information can be risky. If you ignore privacy, you could:
A privacy impact assessment or PIA is an essential tool to help manage, minimise and eliminate privacy risks. If your project involves personal information, it’s likely you will need to conduct a PIA. By doing this at the beginning of your project, you’ll be able to adjust its design if needed, to ensure all personal data is safely handled. Depending on the size and complexity of the project, you may even need to conduct more than one.
A PIA can help to ensure that any personal information used is respected and protected. Using PIAs is a great way to improve your organisation’s privacy practices and the Office of the Australian Information Commissioner is here to help. Make PIAs part of your business-as-usual thinking and build privacy in from the start. For more information, visit www.oaic.gov.au.
A PIA is a systematic assessment of a project that:
A PIA should ‘tell the story’ of a project from a privacy perspective. It’s an opportunity to make sure your project complies with privacy laws, but also to go beyond compliance, and consider the project’s broader privacy implications and risks. It can help you to identify whether the community will accept the planned uses of personal information or sensitive information in the project.
Personal information is defined in the Privacy Act as:
information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in a material form or not.
Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances. The OAIC’s What is personal information? resource contains more information about when an individual may be ‘reasonably identifiable’.
Sensitive information is a subset of personal information, and is generally given a higher level of protection under the Privacy Act than other personal information. It includes an individual’s health, genetic and biometric information, and information about an individual’s race or ethnicity, political opinions or associations, religious or philosophical beliefs, sexual orientation or criminal record.
If your project involves the handling of personal information, the OAIC recommends that you conduct a PIA and publish the report. Demonstrating that your organisation has properly considered privacy can help to create stakeholder trust and willingness to adopt a new product or service.
Incorporating PIAs into your organisation’s risk management framework can also help to demonstrate that your organisation has robust and effective privacy practices, procedures and systems.
The Privacy Commissioner can direct an Australian Government agency to conduct a PIA in some circumstances.
The first step in this process is to conduct a threshold assessment (more about this in the next topic) that will tell you whether you need to complete a full PIA. The greater the project’s complexity and privacy scope, the more likely it is that you will require a comprehensive PIA, to determine and manage your project’s privacy impacts.
You should consider undertaking a PIA for any project that handles personal information, including designing new products, service delivery or legislation. Some situations where a PIA would be necessary include:
To be effective, a PIA should be an integral part of the project planning process, not an afterthought. Build a PIA into your project planning timeline from the beginning. You should undertake the PIA early in the development of a project, so that it is still possible to influence the project design, or if there are significant negative privacy impacts, reconsider proceeding with the project. This will also help you to avoid potential unnecessary costs in addressing privacy concerns after a project has concluded.
You are a project manager working for We Sell Stuff — a business that is about to partner with HelpingU to manage its customer helpline. It is your job to identify the privacy impacts of this partnership.
It’s expected that HelpingU will receive phone calls from customers asking about We Sell Stuff’s products, following up on orders, and making complaints. HelpingU will use its own customer records management system to record and manage these calls. HelpingU will also record the outcome of these calls in We Sell Stuff’s customer database.
In the future, We Sell Stuff hopes to work with a data analytics company to analyse the data HelpingU collects, so that they can learn how to market popular products more effectively, and identify any common complaints.
Your colleagues are excited about the new partnership and eager to ask questions!
This is an exploratory activity — don't worry about getting it right or wrong, just explore the options and have fun!