The Office of the Australian Information Commissioner Issues a Summary of 10 Steps to Undertaking a Privacy Impact Assessment
The Office of the Australian Information Commissioner (OAIC) has issued a poster summarising the 10 steps needed to conduct a successful privacy impact assessment (PIA). The poster can be accessed here (the link is to a page containing the poster in PDF).
This is a good opportunity to summarise these 10 steps in more detail using the OAIC's Guide to undertaking privacy impact assessments, available here. The guide explains the process of conducting a PIA, contains useful examples and references the Australian Privacy Principles.
1. Threshold assessment
The first step is to determine whether a PIA is necessary. If any personal information will be collected, stored, used or disclosed in the project, a PIA is usually necessary.
If the project does not involve the handling of personal information, a PIA can still be useful to demonstrate how information is de-identified and how the risk of future re-identification of individuals is addressed.
The threshold assessment should record:
• Brief description of the project
• Consideration of whether the project involves the collection, storage, use or disclosure of personal information (a description of the personal information flows, the purposes of handling, the categories of personal information, etc.)
• Whether a PIA will be conducted based on the threshold assessment
• Details of the person or team responsible for completing the threshold assessment
2. Plan the PIA
Planning determines how the rest of the PIA will run. It should consider a range of elements, including:
• how detailed the PIA needs to be, based on a broad assessment of the project and its privacy scope
• who will conduct the PIA
• the timeframe for the PIA
• the budget and other resources available for the PIA
• the extent and timing of stakeholder and public consultations
• steps that will need to be taken after the PIA, including implementation of recommendations and ongoing monitoring.
3. Describe the project
A PIA needs a broad, ‘big picture’ description of the project, including:
• the project’s overall aims
• how these aims fit with the organisation or agency’s broader objectives
• the project’s scope and extent
• any links with existing programs or other projects
• who is responsible for the project
• timeframe for decision-making that will affect the project’s design
• some of the key privacy elements — for example, the extent and type of information that will be collected, how security and information quality are to be addressed, and how the information will be used and disclosed (these will be explored in more detail in subsequent stages of the PIA).
4. Identify and consult with stakeholders
The assessment should identify all stakeholders involved in the project. This does not mean that every stakeholder needs to be consulted, but the list is useful because stakeholders may identify privacy risks and concerns that the team undertaking the PIA has missed, as well as possible strategies to mitigate those risks.
Stakeholders should be informed well enough about the project to provide meaningful input.
5. Map information flows
Mapping the information flows is essential for a PIA to be carried out effectively. The mapping exercise should cover:
• whether identity verification will be necessary
• what personal information will be collected and how it will be collected
• its use and disclosure
• the processes for ensuring information quality
• security safeguards that are (or will be) in place
• the ability individuals have to access and correct their personal information.
Mapping should also describe the current personal information environment and how the project will affect it.
6. Privacy impact analysis and compliance check
Once the information flows have been identified and described, the next step is to analyse how the project will affect privacy.
Privacy impact analysis investigates:
• the risk of privacy impacts on individuals (both serious and more minor) as a result of how personal information is handled
• whether privacy impacts are necessary or avoidable
• whether there are any existing factors that have the capacity to mitigate any negative privacy impacts
• how the privacy impacts may affect the project’s broad goals
• the project’s effect on an individual’s choices about who has access to their personal information
• compliance with privacy law
• how the use of personal information in the project aligns with community expectations.
Ultimately, the privacy impact analysis should attempt to determine whether the project has acceptable privacy outcomes, or unacceptable privacy impacts.
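As an added illustration (not part of the OAIC guide or of this post), the information flow map from step 5 and the first mechanical checks of step 6 can be kept in machine-readable form so that obvious gaps are found before the judgement calls begin. The Flow class, the finding codes and the sample parking-permit flows below are all constructed for this example and are not taken from the guide:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One handling step in the information flow map (constructed for this example)."""
    step: str                  # "collect", "store", "use" or "disclose"
    party: str                 # who handles the information at this step
    data: frozenset            # categories of personal information involved
    purpose: str               # the purpose stated for this handling
    safeguards: tuple = ()     # security safeguards in place (relevant to store/disclose)
    access_and_correction: bool = False  # can individuals access and correct the record (store)


VALID_STEPS = ("collect", "store", "use", "disclose")


def analyse_flows(flows):
    """Walk the map in order and return (code, detail) findings for the gaps the
    mapping step asks about: data with no collection step, use or disclosure for a
    purpose not stated at collection, missing safeguards, and no access/correction."""
    findings = []
    collected = set()             # categories the map says were collected
    collection_purposes = set()   # purposes stated at the point of collection
    for f in flows:
        if f.step not in VALID_STEPS:
            raise ValueError(f"unknown step {f.step!r} for {f.party}")
        if f.step == "collect":
            collected |= f.data
            collection_purposes.add(f.purpose)
            continue
        # Later steps should only touch information the map says was collected.
        unmapped = f.data - collected
        if unmapped:
            findings.append(("UNMAPPED_DATA",
                             f"{f.step} by {f.party}: {sorted(unmapped)} has no collection step"))
        # A use or disclosure for a purpose never stated at collection is a
        # secondary purpose and needs its own justification in the analysis.
        if f.step in ("use", "disclose") and f.purpose not in collection_purposes:
            findings.append(("SECONDARY_PURPOSE",
                             f"{f.step} by {f.party} for {f.purpose!r} was not a collection purpose"))
        if f.step in ("store", "disclose") and not f.safeguards:
            findings.append(("NO_SAFEGUARDS",
                             f"{f.step} by {f.party} lists no security safeguards"))
        if f.step == "store" and not f.access_and_correction:
            findings.append(("NO_ACCESS_OR_CORRECTION",
                             f"store by {f.party} gives individuals no way to access or correct their record"))
    return findings


def finding_codes(flows):
    """Just the codes, in the order the gaps were found."""
    return [code for code, _ in analyse_flows(flows)]


# Constructed sample: a hypothetical parking-permit project. The first three
# flows are complete; the fourth is a disclosure the map cannot justify.
SAMPLE_FLOWS = [
    Flow("collect", "online permit form", frozenset({"name", "email", "licence plate"}),
         "issue parking permit"),
    Flow("store", "permit database", frozenset({"name", "email", "licence plate"}),
         "issue parking permit", safeguards=("encryption at rest", "role-based access"),
         access_and_correction=True),
    Flow("use", "permits team", frozenset({"licence plate"}), "issue parking permit"),
    Flow("disclose", "marketing vendor", frozenset({"email", "postcode"}), "newsletter"),
]

if __name__ == "__main__":
    for code, detail in analyse_flows(SAMPLE_FLOWS):
        print(f"{code}: {detail}")
```

The flows must be listed in handling order, since each later step is checked against what earlier steps collected. The findings are only the mechanical part of the analysis: whether a flagged secondary purpose is acceptable, necessary or proportionate is still the judgement the following steps are about.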
7. Privacy management — addressing risks
At this stage negative impacts to privacy should be removed, minimised or mitigated. A number of factors should be taken into account when considering strategies for dealing with negative privacy impacts identified in the privacy impact analysis stage, including:
• necessity — minimising the collection of personal information to what is strictly necessary
• proportionality — any negative privacy impact should be in proportion to, or balanced with, any benefits to be achieved from the project
• transparency and accountability — privacy measures should be transparent to individuals, through adequate collection notices and privacy policies
• implementation of privacy protections — consider how organisational/agency policies and procedures can support privacy, as well as practical elements such as staff training
• flexibility — take into account the diversity of individuals affected by the project, and whether they may respond or be affected differently to the sharing of their personal information
• privacy by design — privacy protections should be included in law or other binding obligations, and built into new technologies
• privacy enhancing technologies — consider whether any privacy enhancing technologies can be used in the project, and the impact of privacy invasive technologies.
8. Recommendations
The outcome of the privacy impact analysis should be recommendations to remove, minimise or mitigate the risks it identified. These recommendations should identify avoidable impacts or risks and how they can be removed or reduced to a more acceptable level. It should be clear who the recommendations are addressed to, for example different areas of the organisation or agency, particular members of the project team, or those in positions of authority within the organisation or agency.
9. Report
Once the assessment is complete and recommendations have been made, a report containing all relevant information about the project and the PIA should be issued. Key elements of a PIA report include:
• project description
• PIA methodology
• description of information flows
• outcome of privacy impact analysis and compliance checks, including positive privacy impacts and privacy risks that have been identified, and strategies already in place to protect privacy
• recommendations to avoid or mitigate privacy risks
• description of any privacy risks that cannot be mitigated, the likely community response to these risks, and whether these risks are outweighed by the public benefit that will be delivered by the project
• if necessary, more detailed information (for example about consultation processes and outcomes) can be provided in appendices.
10. Respond and review
The responsible stakeholder, e.g., project manager, should document which recommendations they are going to implement, as well as those which they do not intend to implement and the rationale for such decisions.
The entity should also consider whether an external audit is warranted. An audit can help confirm that the PIA was properly carried out and that its recommendations have been implemented.
Many projects undergo changes before they are finally implemented. As the project progresses, the PIA should be revisited, and updated or revised if developments in the design or implementation of the project create new privacy impacts that were not previously considered.
The Commissioner’s summary of 10 steps is available on the Commissioner’s website and can be accessed here.
Also, the Office has prepared an amazing e-learning course on how to conduct a PIA with a short test in the end. It can be accessed here.
The Commissioner has also provided a PIA toolkit (a questionnaire with a risk assessment template) to make the process easier for organisations. It can be accessed here (the link is to a downloadable Word document).
Photo by Athena from Pexels.
The content herein is taken from the Australian Information Commissioner and Privacy Commissioner website and the links mentioned in the article. Ideas expressed in this article are personal views of the author and do not constitute legal advice.