Consumers are increasingly concerned about their personal data and what happens to their personal information. Therefore, businesses need to consider their privacy obligations. By regularly performing compliance checks, businesses ensure they understand the impact of their privacy practices and meet their legal obligations. One such compliance check is a privacy impact assessment. This article will explore what a privacy impact assessment is, when it is required and how it should be conducted.
What is a Privacy Impact Assessment?
A privacy impact assessment (PIA) is a voluntary exercise undertaken by a business to analyse its organisational processes. Importantly, the analysis should ensure the business meets its obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). Under APP 1, when handling personal information, organisations must take reasonable steps to implement practices, procedures and systems that comply with the APPs.
Conducted on a project basis, a PIA involves an assessment to identify the impact that a particular project will have on the privacy of individuals. It will set out recommendations and actions for managing, minimising or eliminating that impact.
PIA vs Privacy Policy?
If you already have a privacy policy on your website, you may be wondering why you also need to conduct a PIA. In addition to a privacy policy, a PIA serves two key functions:
- It identifies and evaluates the potential effects that a project or proposal may have on data privacy; and
- It explores how to mitigate any adverse effects on privacy.
A privacy policy communicates how and what your organisation will do with private information, whereas a PIA focuses on internal compliance with Australian Privacy Law obligations.
How to Undertake a PIA
Who?
The project manager responsible for the project should conduct the PIA, liaising with the relevant stakeholders, including customers and senior management.
When?
Ideally, you should conduct the PIA before the project commences. This ensures that the privacy risks in a project can be mitigated before they arise. Conducting a PIA early will help you stay on top of your obligations and potentially avoid a privacy breach.
How Often?
Your project will develop and evolve as it comes to fruition. Therefore, you may find that your PIA will also develop and evolve over the project’s life. You should revisit the PIA as the project progresses and update it when it changes. If there are substantial changes to the personal information that will be collected or handled during the project, it may be necessary to undertake a new PIA altogether.
Further Considerations
The following table summarises each step of developing a PIA as described by the Office of the Australian Information Commissioner.
| Stage | PIA Process |
| --- | --- |
| 1 | Threshold Test |
| 2 | Plan the PIA |
| 3 | Describe the Project |
| 4 | Identify and Consult with Stakeholders |
| 5 | Map Information Flows. This step complements the project outline and requires you to describe and map how personal information will flow for the purpose of the project. Key areas to consider include: |
| 6 | Privacy Impact Analysis and Compliance Check |
| 7 | Privacy Management – Addressing Risks. You should have a mitigation strategy for each possible risk factor. For example: |
| 8 | Recommendations |
| 9 | Report. A PIA report should be collated to reflect the results of the assessment, setting out: |
| 10 | Review and Respond. It is important to consider and reflect on the report so that you can learn from the results and correct behaviour accordingly. |
Key Takeaways
In new projects involving the collection and handling of personal information, privacy impact assessments can be key to ensuring that your business is meeting its privacy obligations and mitigating any potential privacy risks before they arise. Your privacy impact assessment can also help build community trust in your business, showing that you are meeting legal obligations and your organisation is proactive about privacy.
If you need help with your privacy policy, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
A privacy impact assessment is a compliance check that allows you to assess the privacy-related risks of handling personal information as part of a particular project. It allows you to develop strategies to minimise risk and to assess whether your current privacy practices are suitable.
Whether a privacy impact assessment is necessary will depend on a number of factors, including whether personal information is being collected, what type of personal information is being collected, and whether you currently have privacy processes in place. Whether your business is subject to the Privacy Act will also be an important factor.