Guideline: Privacy Impact Assessment
Determining whether a PIA is required
- personal information is collected in a new way;
- personal information is collected in a way that might be perceived as being intrusive;
- personal information will be disclosed to another agency, a contractor, the private sector or to the public; or
- there is a change in the way personal information is stored or secured.
Undertaking a PIA
- Plan: Consider: how detailed the PIA will be, who will conduct it, what is the timeframe, what is the budget, who will be consulted and how will the recommendations be implemented and monitored.
- Describe the project or system. To be included in the PIA report. The project description should be brief, but sufficiently detailed to allow all to understand the project. It should be written in plain English, avoiding overly technical language or jargon.
- Identify and consult with stakeholders. To be included in the report. Consultation should be on privacy risks and concerns, to understand known risks better, and develop strategies to mitigate all risks.
- Map personal information flows. To be included in the PIA report. Describe and map the personal information flows in the project or system. The map should detail what information will be collected, used and disclosed, how it will be held and protected, and who will have access to it. It is not a statement of the stages of the project.
- Privacy impact analysis and compliance check. To be included in the PIA report. Analyse how the project or system might impact upon privacy, both positively and negatively. Assessment should be made against relevant Australian Privacy Principles (APP’s)
- Privacy management — addressing risks. Consider options for removing, minimising or mitigating any privacy risks identified through the privacy impact analysis. Can be combined in the PIA report with the above item.
- Recommendations. Make recommendations that identify avoidable impacts or risks and how they can be removed or reduced. The recommendation should include timeframes for implementation.
- Prepare the PIA report. A report template is Attachment 2. Prepare a PIA report that sets out all the information gathered.
- Respond and review. The document should be a living document regularly reviewed, perhaps as part of an annual system review process.
Project or System name
Approach taken to undertaking the PIA, including any stakeholder consultation.
Includes description and map of information flows.
Insert model of information flows
|Printable version (PDF)|
|Title||Privacy Impact Assessment Guideline|
|Purpose||The Guidelines on Privacy Impact Assessment provide an essential tool to assist projects and services ensure they comply with the Privacy Act 1988 and they assist with the implementation of good privacy practise.|
|Audience||Staff-Academic, Students, Alumni, Staff|
|Topic/ SubTopic||Information Management - Privacy|
|Effective Date||1 Jan 2019|
|Review Date||16 Jan 2022|
|Responsible Officer:||University Librarian and Director, Scholarly Information Services|
|Approved By:||Chief Operating Officer|
|Contact Area||ANU Advancement|
Privacy Act 1998
Archives Act 1983