Privacy impact assessments - consultation

This is a companion to, and intended to be read in conjunction with, the Undertaking a Privacy Impact Assessment (PIA) guideline.

Identify the individuals or groups affected by the project

Internal stakeholders

Internal stakeholders and their information responsibilities may include: [1]

  • Project managers – for information about the business case and business requirements for the project and to explain likely data flows, accountability and governance structures, and stakeholder relations.
  • IT personnel – to explain and answer questions about data security, technical architecture, network security, online applications, backup procedures and for help in mapping the flow of personal information.
  • Procurement – to ensure that privacy is addressed in tender documentation and considered when evaluating tender responses.
  • Records and facilities management – for advice on how information is stored and disposed of and for information about how the agency manages physical security.
  • Human resources – for information about employee records.
  • Legal – to assess the legislative and regulatory framework applying to the project and for advice about dealing with secrecy, confidentiality or other restrictions on dealing with the personal information.
  • Privacy Officer – for assistance related to privacy matters generally and for advice in identifying, prioritising, avoiding and minimising privacy risk.
  • Staff who will be operationally affected by the project – for information about how personal information is currently dealt with, any privacy issues concerning those dealings and how those staff perceive the operational change affecting their activities.

External stakeholders

External stakeholders may include:

  • partner agencies or organisations
  • suppliers
  • contractors
  • clients or customers
  • non-government organisations representing clients
  • advocacy groups; and
  • the general public.

Determine the degree of consultation warranted by the project

Any consultation must be appropriate to the scale and scope of the project.

For example, for a small project with limited privacy impacts it may be sufficient to consult informally with specific business units that are affected by it. In contrast, a high-profile project having significant privacy impacts may require broad and detailed consultation.

When deciding upon the degree of engagement and feedback that is necessary for a project, consider whether: [2]

  • there is likely to be public concern about actual or perceived impact on privacy
  • there are a large number of people whose privacy is affected, or a particularly vulnerable group
  • there is already a formal consultation process into which the privacy aspects can be incorporated; and
  • there is a need to build trust in a new practice or technology.

Public consultation

Not all projects will require public consultation. However, if public consultation is necessary, it may be undertaken in different ways.

Choose a consultation method appropriate to the scale, scope and profile of the project, for example:

  • widespread consultation
  • targeted consultation – by approaching groups that represent the affected customer base, the wider public interest or that have expertise in privacy, human rights and civil liberties
  • reviewing what has worked and not worked in similar projects and organisations; or
  • using existing research about community attitudes towards privacy that apply to your project.

Manage the consultation process

Encourage meaningful engagement

To gain the most value from consultation, implement strategies that support meaningful stakeholder engagement and which encourage feedback.

The aim is to take reasonable steps to facilitate as much communication about the project as possible so that its privacy impacts and risks can be identified and discussed.

Suggestions to encourage stakeholder engagement include: [3]

  • contacting stakeholders early to notify them of the nature of the project and that its privacy impacts are being considered
  • providing information about the project to stakeholders
  • putting a process in place so stakeholders can clarify questions and communicate their views
  • developing a process to manage interactions among stakeholders; and
  • communicating a summary of outcomes from the privacy assessment to the persons or groups who were consulted.

At the end of the consultation period and if warranted, the agency should make its PIA publicly available.

Manage any issues about the distribution of project information

Sometimes there may be legitimate resistance to giving certain project information to stakeholders, perhaps for commercial or security reasons.

If so, consider alternatives so that the process of stakeholder engagement remains as open as possible. For example, it may be possible to:

  • distribute project information in instalments
  • limit its distribution to certain stakeholder groups
  • make the distribution of information subject to confidentiality agreements; or
  • allow the information to be viewed but not copied or supply summaries of information.

  • [1] Office of the Victorian Privacy Commissioner: Privacy Impact Assessments, A Guide for the Victorian Public Sector, Edition 2, April 2009 at page 12.
  • [2] Office of the Victorian Privacy Commissioner: Privacy Impact Assessments, A Guide for the Victorian Public Sector, Edition 2, April 2009 at page 14.
  • [3] Roger Clarke, An Evaluation of Privacy Impact Assessment Guidance Documents, November 2010, section 7 ‘Stakeholder Engagement’, available at http://www.rogerclarke.com.

Current as at: July 1, 2025