
Guideline: Privacy Impact Assessment

Purpose

To provide advice on when to undertake a Privacy Impact Assessment (PIA) and the content of a PIA.

Definitions

Personal Information has the meaning given to it in the Privacy Act 1988 (Cth).

Privacy Act 1988 (Cth) is the Commonwealth Act that applies to the ANU and other Commonwealth agencies.

Guideline

When developing or reviewing a new or revised project or system, consider the need for a privacy impact assessment (PIA).

A PIA is an important component of the University’s protection of privacy and is to be implemented as part of the University’s privacy by design requirement under the Privacy Act.

A PIA identifies how a new or revised project or system can have an impact on an individual’s privacy, and makes recommendations for managing, minimising or eliminating those privacy impacts.

While all projects need to be assessed individually, the Privacy (Australian Government Agencies – Governance) APP Code 2017 requires Australian Government agencies subject to the Privacy Act, including the University, to conduct a PIA for all high privacy risk projects.

The PIA process should be included as part of the project and system planning processes, and recorded in the project plan and risk reporting. It should be revisited and updated when changes to a project or system are considered.

Determining whether a PIA is required

The first step is determining whether a PIA is required.

A PIA is beneficial for any project or system that involves new or changed ways of handling personal information. If the project or system will not handle any personal information or the project or system does not propose any changes to existing information handling practices (and where the privacy impacts of these practices have been assessed previously and found to be appropriate), no PIA is required.

A PIA is likely to be required if:

  • personal information is collected in a new way;
  • personal information is collected in a way that might be perceived as being intrusive;
  • personal information will be disclosed to another agency, a contractor, the private sector or to the public; or
  • there is a change in the way personal information is stored or secured.

The PIA threshold assessment tool available on the ANU website may assist in determining if a PIA is required.

PIA report

The assessment should be documented in a PIA report. A PIA report template is available on the ANU website.

The need for a PIA report is to be reviewed by the Privacy Officer and where it meets the threshold the draft will be reviewed by the ANU Privacy Office.

A PIA must be approved by the ANU Privacy Officer and included on the ANU Privacy Impact Assessment Register.

Undertaking a PIA

The Project Manager or Business Owner of the new or revised project or system is responsible for the completion of the PIA.

The steps after identification that a PIA is required are:

  1. Plan: consider how detailed the PIA will be, who will conduct it, what the timeframe is, who will be consulted and how the recommendations will be implemented and monitored.
  2. Describe the project or system: the project description should be brief, but sufficiently detailed to allow all to understand the project. It should be written in plain English, avoiding overly technical language or jargon.
  3. Identify and consult with stakeholders: consultation should be on privacy risks and concerns, to understand known risks better, and develop strategies to mitigate all risks.
  4. Map personal information flows: describe and map the personal information flows in the project or system. The map should detail what information will be collected, used and disclosed, how it will be held and protected, and who will have access to it. It is not a statement of the stages of the project.
  5. Privacy impact analysis and compliance check: analyse how the project or system might impact upon privacy, both positively and negatively. Assessment should be made against relevant Australian Privacy Principles (APPs).
  6. Privacy management — addressing risks: Consider options for removing, minimising or mitigating any privacy risks identified through the privacy impact analysis. This step can be combined in the PIA report with the above item.
  7. Recommendations: Make recommendations that identify avoidable impacts or risks and how they can be removed or reduced. The recommendation should include timeframes for implementation. This will be completed in consultation with the ANU Privacy Office.
  8. Approval: the PIA must be submitted to the ANU Privacy Office for review and approval. Where the project or process will use a new system or software, security approval must also be provided by Information Technology Services.
  9. Respond and review: The document should be a living document regularly reviewed, perhaps as part of an annual system review process.

The Office of the Australian Information Commissioner has further guidance available on their website. Also refer to the appendix 10 Steps to undertaking a privacy impact assessment.

Information

Title Privacy Impact Assessment Guideline
Document Type Guideline
Document Number ANUP_019407
Version
Purpose The Guidelines on Privacy Impact Assessment provide an essential tool to assist projects and services to ensure they comply with the Privacy Act 1988, and they assist with the implementation of good privacy practice.
Audience Staff-Academic, Students, Alumni, Staff
Category Administrative
Topic/ SubTopic Information Management - Privacy
 
Effective Date 7 Aug 2023
Next Review Date 6 Aug 2028
 
Responsible Officer: University Librarian and Director, Scholarly Information Services
Approved By: Chief Operating Officer
Contact Area Library, Archives and University Records
Authority: Privacy Act 1988
Archives Act 1983
Delegations 0

Information generated and received by ANU staff in the course of conducting business on behalf of ANU is a record and should be captured by an authorised recordkeeping system. To learn more about University records and recordkeeping practice at ANU, see ANU recordkeeping and Policy: Records and archives management.
