A Privacy Impact Assessment (PIA) is a scalable tool agencies can use to:
This guideline2 sets out the key steps involved in a PIA and what each of those steps involves. A PIA report template is also available for agencies and health agencies to tailor as necessary to meet the needs of the project and the agency. A one page summary3 of the key steps is also available.
The PIA process can be easily integrated with an agency’s approach to project management – for example, by:
An agency that undertakes a PIA will:
It is not mandatory under the IP Act to conduct a PIA. However, the Office of the Information Commissioner (OIC) strongly encourages PIAs as part of taking a ‘privacy by design’ approach and making privacy a key consideration in the early stages of a project and throughout its lifecycle.
OIC does not have a role in endorsing or approving a PIA. We can give you advice on conducting a PIA or provide feedback on a draft PIA report4, however we recommend that you consult with your agency’s privacy officer in the first instance.
A PIA should be undertaken early enough in the development of a project so that its findings can influence the design of the project. This will prevent unnecessary effort being expended on design options that are not compliant with the IP Act.
Projects are rarely static – specifications become further defined or changes are needed to address identified issues. Build one or more PIA checkpoints into the project plan as a trigger to check whether anything significant has changed since you did the PIA. If it has, slot that information into a new version of the PIA, and repeat the process to check whether there are new impacts that need to be addressed.
A PIA process generally involves the following steps:
Each step is explained in more detail below.
A PIA will be beneficial for any project that involves new or changed ways of handling personal information. However, not every project will need a PIA. For example, a PIA will not be necessary if the project will not handle any personal information or the project does not propose any changes to existing information handling practices (and where the privacy impacts of these practices have been assessed previously and found to be appropriate).
Ask yourself: ‘Will any personal information be collected, stored, used or disclosed in the project?’ If the answer is ‘yes’ then you will generally need to complete some form of PIA.
Regardless of whether you proceed to a PIA, you should keep a record of the threshold assessment to document your decision.
After you have completed your threshold assessment, you can start planning how you are going to undertake your PIA. When planning your PIA, you should consider:
How detailed a PIA needs to be will depend on the scale and complexity of the project. For simple projects, the PIA process can be quick and the PIA report may end up being only a couple of pages. Complex projects will be a more formal and intensive exercise. The level of detail will be influenced by:
You don’t need to be a privacy specialist to conduct a PIA. However, it is helpful to seek input from someone who is familiar with the IP Act, such as your agency’s privacy contact officer or legal services area. Further guidance on who else might provide input to the PIA process is set out in Step 4: Identify and consult with stakeholders.
Having a clear understanding of what the project intends to achieve provides context for the rest of the PIA process. There is often more than one way of designing a project to deliver the intended aim – a PIA will help identify the most privacy respectful way of achieving that aim.
This information could include:
This information can typically be sourced from the project’s management documentation, such as the Project Brief or Business Case.
Consultation with stakeholders who will be affected by the project, or who have an interest in the project, is essential to the PIA process as it allows people to identify privacy impacts and solutions based on their experience or expertise. Who you should consult will depend on the nature of the project, but may include:
Consultation is not necessarily a separate step - it can be useful to consult throughout the PIA process.
Involving internal stakeholders in the PIA process is critical as these are the people who can answer questions about likely information flows, governance structures, technical architecture, legislation under which the agency operates and recordkeeping requirements. They may also be able to suggest potential actions to address the identified privacy issues or provide advice on what option is the most appropriate.
External consultation often involves seeking the views of the people whose personal information will be affected by the project. There are two main aims: it enables the agency to understand the concerns of those individuals and improves transparency by making people aware of how their personal information will be used.
Factors that will influence how extensive the consultation needs to be are whether there is:
Even if a broad public consultation is not warranted, it may be that some form of targeted consultation should be undertaken, such as with relevant government independent statutory bodies, advocacy groups or professional associations.
Effective consultations should follow these principles:
The next step is to describe what personal information is involved in the project and how it will flow through the agency’s systems and processes as a result of the output or deliverable to be produced by the project.
Clearly mapped information flows will assist you to identify privacy impacts in the next step of the PIA process.
The ‘map’ of personal information flows should include:
Keep in mind that personal information includes any information or opinion about a living individual who is or can reasonably be identified7.
There is no ‘one size fits all’ approach to documenting the flow of information. For example, you could use tables to set out the key information for different types of personal information to be used in the project. A diagram or business process map can be effective, especially if you wish to show the current process or system and how the project will change those systems or processes. The method you decide to use will depend on the complexity of the information flows in your project.
It can also be helpful to create two information maps – one to describe the current personal information environment and another showing the changes to be delivered by the project.
A privacy impact can be negative (a risk) or positive (an opportunity). While this section focuses on identifying and mitigating risks, you could use a similar analysis to identify and maximise opportunities.
To identify privacy risks, you need to check the project’s handling of personal information against the privacy principles:
In addition to compliance with the IP Act, you should also consider:
Even where an act or practice does not contravene the privacy principles, individuals may be uncomfortable with the collection or use of their information for particular purposes. For example, an individual may expect that information about them is collected directly from them rather than a third party, or an individual may not agree that the act or practice is ‘reasonable’.11 Consultation with the community is a key way to find out whether the project is seen as privacy-intrusive.
The PIA report template includes questions to help you identity potential privacy impacts. Not all questions will be relevant to every project. Equally, you may need to consider additional questions to reflect the nature of your project and your agency
Recording privacy risks in the project risk register/log helps ensure accurate reporting to the Project Executive/Steering Committee/senior management. It will also help ensure that actions needed to address the risk can be tracked and prioritised appropriately.
You now need to consider what action can be taken to address the identified privacy risks. Where there are multiple options for addressing a privacy issue, you may need to evaluate the costs, risks and benefits of each option to identify which option is the most appropriate.
Options for addressing privacy issues include:
Using a risk matrix12 helps prioritise risks according to how likely it is that the risk will materialise and the severity of its potential consequence. It is important to note that while identifying and mitigating privacy risks is a critical component of good privacy practice, risk mitigation does not provide an alternative to compliance with the privacy principles. Privacy needs to be incorporated with other project goals such as functionality; not balanced against them.
If it is not possible to mitigate a privacy risk, you could seek a waiver or modification of the agency’s obligation to comply with the privacy principles13. Approval is only granted where the public interest in non-compliance is stronger than the public interest in compliance.
The next step is to prepare a report for approval by the Project Executive/Steering Committee/senior management. The report should at a minimum:
A PIA report template is available – one for agencies other than health agency and another specific to health agencies – for you to use as a starting point and edit as necessary.
It is important that actions are taken to implement the recommendations made in the report, and to continue to review and update the PIA, even after the project’s completion.
The first step is to document what the Project Executive/Steering Committee/senior management agreed to, that is:
It can often be helpful to prepare a plan for implementing the recommendations to record what actions need to be taken, timeframes and responsibilities. Alternatively, you could integrate the agreed recommendations into a revised project plan as this will help ensure that the activities necessary to implement the recommendations are managed and reported.
Publishing a PIA report and the agency’s response to the recommendations demonstrates a commitment to openness and transparency and that the project has been designed with privacy in mind. If detailed information about the project cannot be published due to security or commercial concerns, consider publishing a summary or redacted version of the PIA report.
A PIA report is a living document. It should be revisited and updated if changes to the design of the project create new privacy impacts that were not previously considered.
Similarly, a PIA does not end on delivery of the project. Reassessing the privacy impacts of the system or process after it is in operation, for example when updates are deployed or new features are released, will help ensure that the agency continues to approach privacy as a ‘design feature’ of its processes and activities.
Current as at: March 7, 2022