In Brief: A Privacy Impact Assessment (PIA) is a process that determines whether a project meets privacy requirements. A PIA considers and analyses a project, product or proposal for both technical compliance with privacy legislation and adherence to privacy principles. If your organisation deals with private information, you should, as best organisational practice, conduct a PIA. Private information or data may include personal client information such as names, images, contact details, date of birth, demographic details and health information.
Privacy is multifaceted and often poorly defined; it changes meaning in different contexts. The prevalence of machine-processed data and technology projects has created an increased need for organisations to adopt a PIA. A PIA evaluates the potential effects on privacy that a project may present. A PIA is an internal compliance procedure that has become standard organisational practice and manages community expectations concerning privacy. In a world where privacy is a live issue, it is important to understand the contexts in which your organisation needs to adopt its own internal PIA.
Why is a PIA Required?
A PIA is a voluntary task that includes introspection and analysis of internal organisational processes to ensure a business meets its obligations under the Privacy Act 1988 (Cth) (Privacy Act) and Australian Privacy Principles (APPs). Under Australian Privacy Principle 1, organisations are required to take reasonable steps to implement procedures and systems to ensure compliance with the APPs when handling personal information.
- Evaluating and identifying the potential effects that a project or proposal may have on data privacy;
- Exploring how to mitigate any adverse effects on privacy.
PIA Threshold Assessment
Not all data collecting activities are created equal, and not all will require a PIA. The first question to ask is whether you will collect, store or disclose any personal information during the project. If the Privacy Act 1988 binds your organisation, you will likely need a PIA on a project-by-project basis.
Mitigating Privacy Vulnerabilities and Threats
The PIA outlines how to reduce vulnerabilities and threats and protect an organisation’s assets. Assets are anything of value such as a business process or activity, information, hardware, software, network or personnel.
Vulnerabilities do not cause harm in and of themselves, but rather can be exploited to expose weaknesses and system flaws, increasing the risk of a security event occurring. The table below sets out some common vulnerabilities that can influence management decisions and risk mitigation.
| Asset | Common vulnerability |
|---|---|
| Hardware | Storage of personal data may be exposed and unprotected |
| Software | User authentication and a lack of appropriate testing |
| Network | Unprotected or exposed network communication or servers |
| Personnel | Lack of procedural training and screening of new hires |
| Site | Physical security (adequate locks/alarms/fire safety) |
| Organisation | A lack of audits, internal procedures, operational practice, record systems |
The PIA also identifies potential threats that could harm or compromise project assets. Threats can be deliberate or accidental, natural or of human origin, and may be internal or external to the organisation, such as:
- Physical or environmental threats: Natural disasters (flood, fire, earthquake) that result in a power failure or telecommunications equipment damage and which can severely compromise servers and networks that store personal data.
- Intentional human threats: Interception of communication, spying, theft of equipment, software tampering or untrustworthy data sources.
Which Staff are Responsible for Performing the PIA?
The project manager or technology developer is responsible for conducting a PIA. They decide whether it is necessary, as well as whether the threshold test applies. Typically, the PIA is drafted or prepared in-house. An external party (e.g. the legal team) then makes an independent assessment to maintain impartiality.
Involving Stakeholders in the Process
The Australian position is that consulting with major stakeholders is critical to the PIA process. Engaging the community broadens the business's understanding of risks it may otherwise not have considered.
How to Undertake a PIA
Organisations may choose to incorporate a PIA into their standard risk assessment. Because a PIA commonly develops and evolves over a project's life, it can also be a tool to assist with project management. The following table summarises each step of developing a PIA as described by the Office of the Australian Information Commissioner.
| Step | Stage | Description |
|---|---|---|
| 2 | Plan the PIA | Identify essential elements of the PIA assessment: |
| 3 | Describe the Project | |
| 4 | Identify and Consult With Stakeholders | The stakeholders involved in the project can be internal or external and include: |
| 5 | Map Information Flows | This step complements the project outline. Key areas to consider include: |
| 6 | Privacy Impact Analysis and Compliance Check | |
| 7 | Privacy Management: Addressing Risks | You should have a mitigation strategy for each possible risk factor, for example: |
| 8 | Recommendations | Each identified risk factor should have a mitigation strategy, for example: |
| 9 | Report | A PIA report should be collated to reflect the assessment, setting out: |
| 10 | Respond and Review | It is important to consider and reflect on the report to learn and correct behaviour based on results. |
PIA in Practice
- What type of personal data does the mobile health app process?
- What method is used to collect personal data?
- How do App users provide you with consent?
- Have you spoken to healthcare professionals about the App's functionality?
- Is the data pseudonymised or anonymised where possible?
- Have independent system audits been performed?
- Has the App been tested?
- Do third parties have the appropriate contracts in place to ensure data security?
The PIA will address the answers to these questions and reinforce the need to be diligent about a project's privacy.
In new projects involving sensitive data, conducting a PIA can be beneficial for all stakeholders. From a commercial perspective, a PIA saves time and money by setting out a clear privacy risk assessment before a breach event occurs. A PIA is also a tool that builds trust within the community, showing that you are not only meeting legal obligations but that your organisation is proactive about privacy. If your business would like its PIA reviewed, or if you have any questions about privacy, get in touch with our IT lawyers on 1300 544 755.