Topic 6: Addressing risks

10 minutes

Learning objectives

  • Understand what factors to take into account when developing strategies to deal with negative privacy impacts
  • Identify strategies to reduce or mitigate any privacy risks

Video transcript

[ON SCREEN] Privacy impact assessments: Addressing risks

[VOICEOVER] Your privacy impact analysis and compliance check may have identified privacy risks in your project’s design. These may be compliance risks or perhaps a negative community perception.

Consider your options to remove, minimise or mitigate these risks.

This doesn’t mean your project will be compromised. Changes you make may manage the risks, and even enhance privacy, while still achieving the project’s goals.

There are several strategies you can use to reduce privacy risks, including:

  • Technical controls such as encryption or design changes
  • Operational controls such as increased staff training or changes in policies or procedures
  • Increased communication to customers, by updating privacy notices and privacy policies

It’s best to implement a variety of measures, so they can work together to address the risks.

If the level of privacy risk is high, you may require a more complex technical solution or stricter accountability measures.

If the risk is low, staff training or a simple change in procedure may be more appropriate.

[ON SCREEN] For more information, visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/CYKcCMcAfas.

Step 7: Addressing privacy risks

After completing your privacy impact analysis and compliance check, you may have identified risks to privacy in your project’s current design.

Risks may be to individual privacy, to your organisation’s compliance and reputation, or both. Risks could include:

  • Collecting more information than is needed
  • Using intrusive means of collection
  • Disclosing personal information more widely than is justified or necessary

The next step in the PIA process is to consider options to remove, minimise or mitigate these privacy risks.

Strategies to reduce or mitigate privacy risks

Strategies to consider include:

  • Technical controls — for example, access control mechanisms, encryption, design changes
  • More operational controls — for example, organisational/agency policies or procedures, staff training, oversight and accountability measures
  • Communication strategies — for example, privacy notices

When developing strategies for dealing with negative privacy impacts, you should consider a number of factors, including:


  • Necessity

    Minimise the collection of personal information to what is strictly necessary

  • Proportionality

    Any negative privacy impact should be in proportion to, or balanced with, any benefits to be achieved from your project

  • Transparency and accountability

    Privacy measures should be transparent to individuals, through adequate collection notices and privacy policies

  • Implementation of privacy protections

    Consider how organisational policies and procedures can support privacy, as well as practical elements such as staff training

  • Flexibility

    Take into account the diversity of individuals affected by the project, and whether they may respond differently to, or be affected differently by, the sharing of their personal information

  • Privacy by design

    Privacy protections should be included in legislation or other binding obligations and built into new technologies from the beginning

  • Privacy enhancing technologies

    Consider whether any privacy enhancing technologies can be used in the project, and the impact of privacy invasive technologies

Activity time: Dealing with risk

Match each risk with a possible mitigation strategy.
Case study

You have identified some privacy risks in the project design. Now you can develop strategies to remove, minimise or mitigate these privacy risks.

Discuss the strategies you can use to reduce or mitigate each privacy risk. Remember, at this stage you should consider every option that may help. In the next stage of the PIA process, you will make recommendations about which strategy We Sell Stuff should adopt.

Over to you: Your PIA worksheet

Refer back to the negative privacy impacts that you identified in Step 6 of the PIA process.

In ‘Your PIA’ worksheet, list each privacy risk, along with three options to remove, minimise or mitigate the risk.

You will refer to these strategies in the next stage of the PIA process, when you will make recommendations about which course of action to take.
