Privacy Impact Assessment


Assignment of 7905ICT
Privacy Impact Assessment for PenCS
PenCS was established in 1993. Its full name is PEN Computer Systems PTY. Limited. It aims
to improve the health of Australians through the delivery of leading eHealth informatics
and data solutions. It is now Australia's leading provider of health analytics
software for national population health analysis and reporting in primary care.
As claimed in its homepage, PenCS [5] puts the patients at the heart of its services, which
enables its clients to leverage data insights and health informatics software to:
• Share Data to Improve Care
• Drive Quality Improvement
• Inform Health Care Policy and Reform
• Access Eligible Patients for Clinical Trials
• Connect with Doctors and Their Patients
• Drive Evidence-based Research Programs
Therefore, it collects, stores, analyses and shares data to provide different
services for various stakeholders. To make sure all uses of this data comply with
the APPs (Australian Privacy Principles [3]), a Privacy Impact Assessment (PIA) must be done.
As stated on PenCS’s website [5], there are 7 products listed. Together they can be
regarded as one whole project. Each can also be regarded as a small project. Some of
them were developed for General Practice, such as CAT4 and CAT Plus. Some of the products
are supporting systems, such as Topbar as apps to support clinical decision making, PAT BI
as the database to serve PAT CAT, and PIP QI as supplementary software with compliance.
There are also some projects developed for research study, such as “Consent Management
Portal”, and some collaborative projects with universities.
Among all of them, please undertake the PIA on CAT4. If you are interested, you may
undertake the PIA for the whole range of products.
Please note that “QUICK LINKS” contains the information about its Privacy Policy.
The following text (black colour) contains the introduction on what a PIA is, why to do a
PIA, and how to do it. The contents are copied from “Guide-to-undertaking-privacy-impact-assessments.pdf” (referred to simply as the “Guide”). The full Guide is given in Griffith Course
Content. The text in blue is about what you need to do for this assignment and is not
from the Guide. In step 6 of undertaking a PIA, “Privacy impact analysis and compliance
check”, you need to understand the full text of the APPs. For each item listed in the APPs, please
consider whether PenCS complies and identify any risks to compliance. Instead of reading
the original documents about the APPs [3] and [4], you may read pages 19-27 of the Guide when
you read the red-colour text in this document.
The “Undertaking a PIA” part suggests 10 steps for the PIA of
PenCS.
1. Threshold assessment
2. Plan the PIA
3. Describe the project
4. Identify and consult with stakeholders
5. Map information flows
6. Privacy impact analysis and compliance check
7. Privacy management — addressing risks
8. Recommendations
9. Report
10. Respond and review.
Among all these steps, you need to finish Steps 3, 5, 6, 7, 8, 9. The suggested report form
is also given in the last step, “Report”. Please note that the PIA report will be your
assignment report. You will be marked based on the report you generate. You may follow
the report advice in steps 7-9, or use any other template available online. No matter
which format you use, your report should include the following parts. You may use the
following tables to write the parts on impact analysis and recommendations.
1. Include the project description.
2. Include the information flows in your report, using diagrams. If
you have difficulty drawing on a computer, you may include a hand-drawn diagram,
but it needs to be clear.
3. Outcome of privacy impact analysis and compliance checks (please follow the APPs and
refer to the relevant privacy laws wherever applicable), including positive privacy
impacts and privacy risks that have been identified, and strategies already in place to
protect privacy. Not every APP needs to be addressed if it is not
relevant to the personal information that is used in CAT4. APP 2 and 11 are given as
examples of how a principle has been considered in the current project and what
the possible risks are.

| Privacy Principles | Implemented Information handling practices | Identified risks/Comments |
| --- | --- | --- |
| APP 1 | | |
| APP 2 — Anonymity and pseudonymity. • An APP entity is not required to provide those options where: the entity is required or authorised by law or a court or tribunal order to deal with identified individuals, or | According to PenCS’s privacy policy, their software facilitates the sharing of de-identified clinical information with the objective of improving population health outcomes. They process de-identified patient data for software development or testing. | De-identification technique is not described, where re-identification is possible. The pseudonym may not protect the privacy against data mining. Please take all possible risks into consideration based on your findings. |