In Brief: A Privacy Impact Assessment (PIA) is a process that determines whether a project meets privacy requirements. It analyses a project, product or proposal for both technical compliance with privacy legislation and adherence to privacy principles. If your organisation handles personal information, conducting a PIA is best organisational practice. Personal information includes client details such as names, images, contact details, dates of birth, demographic details and health information.

***

Privacy is multifaceted and often poorly defined; its meaning changes with context. The prevalence of machine-processed data and technology projects has created an increased need for organisations to adopt PIAs. A PIA evaluates the potential effects on privacy that a project may present. It is an internal compliance procedure that has become standard organisational practice and helps manage community expectations concerning privacy. In a world where privacy is a live issue, it is important to understand the contexts in which your organisation needs to conduct its own PIA.

Why is a PIA Required?

A PIA is a voluntary task that involves introspection and analysis of internal organisational processes to ensure a business meets its obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). Under APP 1, organisations are required to take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs when handling personal information.

PIAs are often made publicly available; they document the organisation's risk management procedures, build trust in the community and express a project's intent where personal data is concerned. If you already display a privacy policy on your website, you may be wondering why you need to conduct a PIA as well. In addition to a privacy policy, a PIA serves two key functions:

  1. Evaluating and identifying the potential effects that a project or proposal may have on data privacy;
  2. Exploring how to mitigate any adverse effects on privacy.

A privacy policy merely communicates what your organisation does with personal information and how, whereas a PIA focuses on internal compliance with Australian privacy law obligations. Skipping the assessment is typically a false economy: fixing privacy problems after a project has launched costs far more than identifying them beforehand.

PIA Threshold Assessment

Not all data-collecting activities are equal, and not all require a PIA. The first question to ask is whether the project will collect, store, use or disclose any personal information. If the Privacy Act binds your organisation, you will likely need a PIA on a project-by-project basis.

Mitigating Privacy Vulnerabilities and Threats

The PIA outlines how to reduce vulnerabilities and threats and protect an organisation’s assets. Assets are anything of value such as a business process or activity, information, hardware, software, network or personnel.

Vulnerabilities do not cause harm on their own; they are weaknesses or system flaws that a threat can exploit, and each one increases the likelihood of a security event. The table below sets out some common vulnerabilities that should inform management decisions and risk mitigation.

Vulnerability: Weakness
Hardware: Stored personal data may be exposed and unprotected
Software: Weak user authentication and a lack of appropriate testing
Network: Unprotected or exposed network communication or servers
Personnel: Lack of procedural training and screening of new hires
Site: Inadequate physical security (locks, alarms, fire safety)
Organisation: Lack of audits, internal procedures, operational practice and record systems

The PIA also identifies potential threats that could harm or compromise project assets. Threats can be deliberate or accidental, natural or human in origin, and internal or external to the organisation, for example:

  • Physical or environmental threats: Natural disasters (flood, fire, earthquake) that cause power failures or damage telecommunications equipment and can severely compromise the servers and networks that store personal data.
  • Intentional human threats: Interception of communication, spying, theft of equipment, software tampering or untrustworthy data sources.

Which Staff are Responsible for Performing the PIA?

The project manager or technology developer is responsible for conducting a PIA and decides whether one is necessary by applying the threshold test. Typically, the PIA is drafted in-house, and a party outside the project team (e.g. the legal team) then reviews it independently to maintain impartiality.

Involving Stakeholders in the Process

The Australian position is that consulting with major stakeholders is critical to the PIA process. Engaging the community broadens the business's understanding of risks that it may otherwise not have considered.

How to Undertake a PIA

Organisations may choose to incorporate a PIA into their standard risk assessment. It is common for a PIA to develop and evolve over a project's life; consequently, it can also be a tool to assist with project management. The following table summarises each step of developing a PIA as described by the Office of the Australian Information Commissioner.

Stage 1: Threshold Test
  • Identify whether your organisation requires a PIA.
  • Ask: will any personal information be collected, stored, used or disclosed in the project?
  • Does the Privacy Act apply to your business?

Stage 2: Plan the PIA
Identify the essential elements of the assessment:
  • Who will conduct the PIA;
  • The timeframe to deliver the PIA (it should be performed as early as possible in the project);
  • When to engage external stakeholders;
  • Budget;
  • How the PIA will be implemented and managed.

Stage 3: Describe the Project
  • Identify the project: a big-picture analysis is required to understand the scope of the project and identify key privacy concerns.
  • Is this project similar to an existing project?

Stage 4: Identify and Consult With Stakeholders
The stakeholders involved in the project can be internal or external and include:
  • Employees
  • Regulatory bodies
  • Clients
  • Other organisations.

Stage 5: Map Information Flows
This step complements the project description. Key areas to consider include:
  • The nature of the information collected (e.g. is the information de-identified, or does it clearly identify individuals?);
  • The collection process;
  • How the business intends to use the information;
  • Who the information is disclosed to;
  • The quality of the information;
  • Security of the data;
  • How data is retained and destroyed; and
  • Access to and correction of information.

Stage 6: Privacy Impact Analysis and Compliance Check
  • This is the core assessment, where the business evaluates risks (severe and minor) and the strengths of its internal processes.
  • The end goal is to determine whether the project offers acceptable privacy outcomes and whether personal information is handled appropriately.
  • Consider APPs 1 to 13 to guide your judgement on acceptable privacy outcomes.

Stage 7: Privacy Management (Addressing Risks)
You should have a mitigation strategy for each identified risk factor, for example:
  • Risk: The information to be collected does not have a clear or defined purpose.
  • Mitigation: Clearly identify and define the purpose for which the business is collecting the data, ensuring both internal and external stakeholders understand its proposed use.

Stage 8: Recommendations
  • After conducting the PIA, a number of changes or recommendations may present themselves. Acting on them achieves better compliance for this and future projects. For instance, the project's goals may need to be altered to reflect the interests of the affected individuals.

Stage 9: Report
A PIA report should be collated to reflect the assessment, setting out:
  • Executive summary
  • PIA methodology
  • Project description
  • Analysis
  • Conclusions
  • Detailed appendices

Stage 10: Respond and Review
It is important to consider and reflect on the report so that the organisation learns from the results and corrects its practices accordingly.

PIA in Practice

Not all personal information is equally sensitive; genetic, health and medical information, for example, carries higher risk. You may have encountered mobile healthcare apps that support health care operations and share medical information. Businesses whose apps store medical files, allow consultations with medical staff or share sensitive material should conduct a PIA and display a privacy policy for the app. Key questions to raise include:

  • What type of personal data does the mobile health app process?
  • What method is used to collect personal data?
  • How do app users provide you with consent?
  • Have you spoken to healthcare professionals about the app's functionality?
  • Is the data pseudonymised or anonymised where possible?
  • Have independent system audits been performed?
  • Has the app been tested?
  • Do third parties have the appropriate contracts in place to ensure data security?

The PIA should answer these questions and reinforce the need to be diligent about a project's privacy.

Key Takeaways

In new projects involving sensitive data, conducting a PIA can be beneficial for all stakeholders. From a commercial perspective, a PIA saves time and money by producing a clear privacy risk assessment before a breach occurs. A PIA is also a tool that builds trust within the community, showing not only that you meet your legal obligations but that your organisation is proactive about privacy. If your business would like its PIA reviewed or if you have any questions about privacy, get in touch with our IT lawyers on 1300 544 755.

Sophie Glover
