Guideline: Privacy Impact Assessment
To provide advice on when to undertake a Privacy Impact Assessment (PIA) and the content of a PIA.
Personal Information has the meaning given to it in the Privacy Act 1988 (Cth).
Privacy Act 1988 (Cth) is the Commonwealth Act that applies to the ANU and other Commonwealth agencies.
When developing or reviewing a new or revised project or system, consider the need for a privacy impact assessment (PIA).
A PIA is an important component of the University’s protection of privacy and is to be implemented as part of the University’s privacy by design requirement under the Privacy Act.
A PIA identifies how a new or revised project or system can have an impact on an individual’s privacy, and makes recommendations for managing, minimising or eliminating those privacy impacts.
While all projects need to be assessed individually, the Privacy (Australian Government Agencies – Governance) APP Code 2017 requires Australian Government agencies subject to the Privacy Act, including the University, to conduct a PIA for all high privacy risk projects.
The PIA process should be included as part of the project and system planning processes, and recorded in the project plan and risk reporting. It should be revisited and updated when changes to a project or system are considered.
Determining whether a PIA is required
The first step is determining whether a PIA is required.
A PIA is beneficial for any project or system that involves new or changed ways of handling personal information. If the project or system will not handle any personal information or the project or system does not propose any changes to existing information handling practices (and where the privacy impacts of these practices have been assessed previously and found to be appropriate), no PIA is required.
A PIA is likely to be required if:
- personal information is collected in a new way;
- personal information is collected in a way that might be perceived as being intrusive;
- personal information will be disclosed to another agency, a contractor, the private sector or to the public; or
- there is a change in the way personal information is stored or secured.
The PIA threshold assessment tool available on the ANU website may assist in determining if a PIA is required.
The assessment should be documented in a PIA report. A PIA report template is available on the ANU website.
The need for a PIA report is to be reviewed by the Privacy Officer and, where it meets the threshold, the draft will be reviewed by the ANU Privacy Office.
A PIA must be approved by the ANU Privacy Officer and included on the ANU Privacy Impact Assessment Register.
Undertaking a PIA
The Project Manager or Business Owner of the new or revised project or system is responsible for the completion of the PIA.
Once it has been identified that a PIA is required, the steps are:
- Plan: consider how detailed the PIA will be, who will conduct it, what the timeframe is, who will be consulted, and how the recommendations will be implemented and monitored.
- Describe the project or system: the project description should be brief, but sufficiently detailed to allow all to understand the project. It should be written in plain English, avoiding overly technical language or jargon.
- Identify and consult with stakeholders: consultation should focus on privacy risks and concerns, in order to better understand known risks and to develop strategies to mitigate them.
- Map personal information flows: describe and map the personal information flows in the project or system. The map should detail what information will be collected, used and disclosed, how it will be held and protected, and who will have access to it. It is not a statement of the stages of the project.
- Privacy impact analysis and compliance check: analyse how the project or system might impact upon privacy, both positively and negatively. The assessment should be made against the relevant Australian Privacy Principles (APPs).
- Privacy management — addressing risks: consider options for removing, minimising or mitigating any privacy risks identified through the privacy impact analysis. This can be combined with the previous item in the PIA report.
- Recommendations: make recommendations that identify avoidable impacts or risks and how they can be removed or reduced. The recommendations should include timeframes for implementation. This step is completed in consultation with the ANU Privacy Office.
- Approval: the PIA must be submitted to the ANU Privacy Office for review and approval. Where the project or process will use a new system or software, security approval must also be provided by Information Technology Services.
- Respond and review: the PIA should be a living document that is reviewed regularly, for example as part of an annual system review process.
The Office of the Australian Information Commissioner has further guidance available on its website. Also refer to the appendix, 10 Steps to undertaking a privacy impact assessment.