If you’re running a business that uses people’s personal information, you should know about the Privacy Impact Assessment (PIA). Recommended by the Office of the Australian Information Commission (OAIC), undertaking a PIA can help your organisation anticipate, plan for and minimise privacy risks. Here, we’ll set out what a PIA is and how your organisation can undertake one.
What is a Privacy Impact Assessment?
The PIA provides organisations with a systematic method for assessing the privacy impact of projects that deal with people’s personal information. The purpose is to allow organisations to recognise and mitigate privacy risks.The PIA also aligns with the Australian Privacy Principles (APP), which require organisations to “manage personal information in an open and transparent way”. For example, APP1 obligates organisations to “take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs…and is able to deal with related inquiries and complaints”. Therefore, the PIA provides a way for organisations to comply with these standards, by allowing entities to assess whether they are complying with privacy laws and identify better practice.
Does my business need to conduct a PIA?
Undertaking a PIA is not required by law. Additionally, the PIA is intended for an ‘APP entity’, which is defined in the Privacy Act as “an individual, body corporate, partnership, any other unincorporated association or a trust”. Notably, this does not include “a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State”.
However, if you operate an ‘APP entity’, the OIAC strongly recommends your organisation to conduct a PIA for projects that pass the ‘threshold assessment’. Explained further below, the project will pass the threshold assessment if it involves the collection, storage, use or disclosure of personal information. This can include basic information such as email addresses to more intimate details such as people’s health information.
There are important benefits for conducting a PIA at the start of a project which involves privacy risks. The OAIC notes that a PIA can:
- Ensure compliance with privacy laws
- Enhance public perception by aligning with community values and expectations regarding the handling of personal information
- Reduce potential management and legal costs by dealing with and minimising privacy issues at the beginning of a project
Some risks of not conducting a PIA include:
- Not complying with privacy laws, potentially leading to legal penalties
- Being perceived as not transparent and unreceptive to the public’s privacy concerns, resulting in negative publicity
- Discovering privacy issues long after a project has progressed, leading to unnecessary costs and inadequate attempts to rectify the privacy issues
Therefore, while conducting a PIA is not mandatory, it will be in your organisation’s interest to conduct PIAs for projects that involve privacy issues.
How to conduct a PIA
The OIAC’s Guide for undertaking a PIA sets out 10 steps for conducting a PIA. Here, we have summarised these steps.
1. Threshold assessment
As noted above, this step helps organisations to consider if there are any privacy issues with a project they’re undertaking. Organisations may consider whether the project involves the use or disclosure of personal information, and the nature of that information (name, address, date of birth, health etc).
2. Plan the PIA
Organisations may consider who will conduct the PIA, how in-depth it should be and how long it will take. Furthermore, the organisation may consider how it will follow through and implement the recommendations arising out of the PIA.
3. Describe the project
This should address the project’s aims and scope, and why personal information is being collected.
4. Identify and consult with stakeholders
Your organisation should engage with stakeholders, such as clients, regulatory authorities, service providers and industry experts. This can allow the organisation to identify further privacy issues and strategies to mitigate risks.
5. Map information flows
The organisation should clearly set out what happens to individuals’ personal information as the project progresses. It should also explain how privacy and security concerns will be addressed at each stage. For example, this can include the method of initial collection and how the information will be dealt with after it is used.
6. Privacy impact analysis and compliance check
The organisation should consider whether the privacy impacts comply with privacy laws and the APPs. For example, according to the APPs, only information that is reasonably necessary should be collected. Furthermore, individuals must have the option of providing anonymous responses, unless the law authorises the disclosure of their identity. Accordingly, any risk of non-compliance should be identified.
7. Privacy management
The organisation should consider strategies for minimising and removing the privacy risks. For example, this can include restricting the collection of information to strictly what is necessary. Another strategy is providing adequate and transparent collection notices to individuals before the organisation collects their information.
8. Recommendations
Recommendations for how the project should proceed may emerge. For example, the organisation may easily mitigate these risks by improving cybersecurity. Alternatively, the risks may be so high that the project should not proceed.
9. Report
The PIA should be distilled into a report form, which includes an executive summary, PIA methodology, project description, analysis, conclusion and any appendices.
10. Respond and review
The organisation should implement any suitable recommendations that arise from the PIA. The OAIC also suggests seeking an independent review of the PIA by a third party, which can assess whether the PIA has been properly conducted.
Conclusion
While not mandatory, conducting a Privacy Impact Assessment is good for publicity and can help your organisation identify privacy risks early on in a project. You don’t want to be near the end of a project and deal with a major data breach or public backlash, which could have been identified as a risk through a PIA. Make sure your organisation also implements any suitable PIA recommendations and continues to monitor for privacy issues.
