14 September 2020

The Office of the Australian Information Commissioner (OAIC) has released a privacy resource to assist Australian Government agencies to determine when they need to conduct a privacy impact assessment.

The Privacy (Australian Government Agencies – Governance) APP Code 2017 requires Australian Government agencies to conduct a privacy impact assessment for all “high privacy risk projects”. A project may be a high privacy risk if it involves new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.

The new resource, “When do agencies need to conduct a privacy impact assessment?”:

  • provides guidance on how to screen for potentially high privacy risk projects by completing a threshold assessment to determine whether a privacy impact assessment (PIA) is required
  • sets out the benefits of conducting a PIA, even when a project does not meet the high privacy risk threshold, and
  • includes a template to assist agencies to complete a threshold assessment.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said, “Privacy impact assessments are an important tool to ensure projects meet legislative privacy requirements and community privacy expectations. The process of undertaking a privacy impact assessment provides an opportunity for Australian Government agencies to consult and engage with stakeholders, and demonstrate their commitment to, and respect of, individuals’ privacy. Agencies are also required to publish a register of privacy impact assessments they conduct, which provides important transparency.”

“Effective privacy practice requires ongoing commitment and effort. This new resource complements the existing resources we have developed to assist government agencies to understand and meet the obligations of the code. These include the Privacy Officer Toolkit, the Interactive Privacy Management Plan, a Privacy Impact Assessment Tool and the Privacy Impact Assessment eLearning Program,” said the Commissioner.

The resource, which has been developed in consultation with several Australian Government agencies, is available at oaic.gov.au/privacy/guidance-and-advice/when-do-agencies-need-to-conduct-a-privacy-impact-assessment.