Guideline: Privacy Impact Assessment
To provide advice on when to undertake a Privacy Impact Assessment (PIA) and the content of a PIA.
Personal Information has the meaning given to it in the Privacy Act 1988 (Cth).
The Privacy Act 1988 (Cth) is the Commonwealth Act that applies to the ANU and other Commonwealth agencies.
When developing or reviewing a new or revised project or system, you must consider the need for a privacy impact assessment (PIA).
A PIA is an important component of the University’s protection of privacy and is to be implemented as part of the University’s privacy by design requirement under the Privacy Act.
A PIA identifies how a new or revised project or system can have an impact on an individual’s privacy, and makes recommendations for managing, minimising or eliminating those privacy impacts.
The PIA process should be included as part of the project and system planning processes, and recorded in the project plan and risk reporting. It should be revisited and updated when changes to a project or system are considered.
Determining whether a PIA is required
The first step is determining whether a PIA is required.
A PIA is beneficial for any project or system that involves new or changed ways of handling personal information. If the project or system will not handle any personal information or the project or system does not propose any changes to existing information handling practices (and where the privacy impacts of these practices have been assessed previously and found to be appropriate), no PIA is required.
A PIA is likely to be required if:
- personal information is collected in a new way;
- personal information is collected in a way that might be perceived as being intrusive;
- personal information will be disclosed to another agency, a contractor, the private sector or to the public; or
- there is a change in the way personal information is stored or secured.
Undertaking a PIA
The Project Manager or Business Owner of the new or revised project or system is responsible for the completion of the PIA.
Once it has been identified that a PIA is required, the steps are:
- Plan. Consider how detailed the PIA will be, who will conduct it, the timeframe, the budget, who will be consulted, and how the recommendations will be implemented and monitored.
- Describe the project or system. To be included in the PIA report. The project description should be brief, but sufficiently detailed to allow all to understand the project. It should be written in plain English, avoiding overly technical language or jargon.
- Identify and consult with stakeholders. To be included in the report. Consultation should be on privacy risks and concerns, to understand known risks better, and develop strategies to mitigate all risks.
- Map personal information flows. To be included in the PIA report. Describe and map the personal information flows in the project or system. The map should detail what information will be collected, used and disclosed, how it will be held and protected, and who will have access to it. It is not a statement of the stages of the project.
- Privacy impact analysis and compliance check. To be included in the PIA report. Analyse how the project or system might impact upon privacy, both positively and negatively. Assessment should be made against the relevant Australian Privacy Principles (APPs).
- Privacy management — addressing risks. Consider options for removing, minimising or mitigating any privacy risks identified through the privacy impact analysis. Can be combined in the PIA report with the above item.
- Recommendations. Make recommendations that identify avoidable impacts or risks and how they can be removed or reduced. The recommendation should include timeframes for implementation.
- Prepare the PIA report. Prepare a PIA report that sets out all the information gathered; a report template is provided as Attachment 2.
- Respond and review. The document should be a living document regularly reviewed, perhaps as part of an annual system review process.
After the assessment is completed it should be documented in a PIA report. A PIA report template is attached (Attachment 2).
The need for a PIA report is to be reviewed by the Privacy Officer and where it meets the threshold the draft will be reviewed by the Data Governance Committee.
The Office of the Australian Information Commissioner has guidance at https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments.
Attachment 1. Office of the Australian Information Commissioner
Attachment 2. Template for PIA
- Project or System name
- Approach taken to undertaking the PIA, including any stakeholder consultation.
- Description and map of information flows (insert model of information flows).
- Project manager/System Executive
- Privacy Officer/Data Governance Committee
| Field | Value |
|---|---|
| Title | Privacy Impact Assessment Guideline |
| Purpose | The Guidelines on Privacy Impact Assessment provide an essential tool to assist projects and services to ensure they comply with the Privacy Act 1988, and they assist with the implementation of good privacy practice. |
| Audience | Staff - Academic, Students, Alumni, Staff |
| Topic/Sub-topic | Information Management - Privacy |
| Effective Date | 1 Jan 2019 |
| Review Date | 16 Jan 2022 |
| Responsible Officer | University Librarian and Director, Scholarly Information Services |
| Approved By | Chief Operating Officer |
| Contact Area | Scholarly Information Services |
Privacy Act 1988
Archives Act 1983