
Topic 8 Respond and review

5 minutes

Learning objectives

  • Understand what happens after you have completed your PIA report
  • Understand the benefits of seeking independent review of your PIA
  • Understand when you will need to update your PIA

Video transcript

[ON SCREEN] Privacy impact assessments: Respond and review

[VOICEOVER] Now that you have prepared your PIA report, you need to respond to all of its recommendations. This is one of the most important aspects of the PIA process.

Your organisation needs to make a decision about which recommendations it will implement and why. And you should always document your decisions and rationale.

It may be helpful to prepare an implementation plan. This will help to keep the project on track by setting specific timeframes and assigning staff to be responsible for each recommendation.

You may also consider having an independent third party review your PIA. This can ensure it has been completed properly and its recommendations have been implemented.

Remember that a PIA is an ongoing process, and does not end with the preparation of the PIA report. As the project progresses, your PIA should be revisited, updated and revised, as developments in the design or implementation may create new privacy impacts that were not previously identified.

If you have any questions about PIAs, please contact the OAIC — we are here to help.

[ON SCREEN] For more information, visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/xn-EmGuF2gI

Step 10 Respond and review

The PIA process does not end after you have written (and published) your PIA report. It is important that actions are taken to respond to the recommendations made in your report, and to continue to review and update your PIA.

Responding to recommendations

Responding to recommendations in a PIA is one of the most important stages of the process. The project manager and your organisation should document:

  • Which recommendations they intend to implement (or have already implemented)
  • The recommendations they do not intend to implement, and the rationale for this decision

Your organisation’s response should be published together with your PIA report, where possible. If your PIA report is not published, your organisation should consider providing it to significant stakeholders to assist in effective implementation of recommendations.

You may wish to prepare a plan for implementing the recommendations, indicating a specific timeframe and identifying who is responsible for the implementation.

Ongoing risk management

You should consider the ongoing management of any privacy risks inherent in your project. This could be incorporated into your organisation’s overall risk management strategy.

Independent review/audit

There are significant benefits to seeking independent review (internally or externally) of a PIA. Independent review will:

  • Ensure that PIAs have been properly carried out
  • Ensure that the PIA recommendations have been implemented (or that there is a clear rationale for not implementing the recommendations)

Update the PIA if required

As your project progresses, you should revisit your PIA and update or revise it if developments in the design or implementation of your project create new privacy impacts that had not previously been considered.

Case study

You have completed and published your PIA report and We Sell Stuff’s response to your project team’s recommendations.

You and your colleagues are discussing the next steps in your project.


Over to you: Your PIA worksheet

Consider the timeframes for your project and the potential for changes to the project design or implementation.

In the ‘Your PIA’ worksheet, indicate whether you think it is likely that you will need to revisit your PIA to update or revise it.
