Guide to undertaking privacy impact assessments
May 2014
Table of Contents
Introduction to privacy impact assessments ..... 1
  About this Guide ..... 1
  What is a privacy impact assessment? ..... 1
  Why do a PIA? ..... 2
  Is a PIA necessary? ..... 3
  When to do a PIA ..... 3
  Role of the OAIC ..... 4
Undertaking a PIA ..... 6
  1. Threshold assessment ..... 6
  2. Plan the PIA ..... 8
  3. Describe the project ..... 11
  4. Identify and consult with stakeholders ..... 11
  5. Map information flows ..... 12
  6. Privacy impact analysis and compliance check ..... 17
  7. Privacy management — addressing risks ..... 27
  8. Recommendations ..... 29
  9. Report ..... 30
  10. Respond and review ..... 33
    Respond to recommendations ..... 33
    Independent review/audit ..... 33
    Update the PIA if required ..... 34
Glossary ..... 35
Appendix A — Acknowledgments and resources ..... 38
Guide to undertaking privacy impact assessments
Introduction to privacy impact assessments
About this Guide
The Guide to undertaking privacy impact assessments (PIA Guide) has been prepared by
the Office of the Australian Information Commissioner (OAIC) to describe a process for
undertaking a privacy impact assessment (PIA). The PIA Guide is intended to provide
guidance to all Australian Privacy Principle (APP) entities.[1]
APP 1 requires APP entities to take reasonable steps to implement practices, procedures
and systems that will ensure compliance with the APPs and enable them to deal with
enquiries or complaints about privacy compliance. In this way, the APPs require ‘privacy
by design’, an approach whereby privacy compliance is designed into projects dealing
with personal information right from the start, rather than being bolted on afterwards.
Conducting PIAs helps entities to ensure privacy compliance and identify better practice.
The PIA Guide sets out a suggested ten-step process for undertaking a PIA (see
‘Undertaking a PIA’, below). It can be used alongside existing project management and
risk management methodologies or as a process in its own right. Both government agencies
and private sector organisations could consider whether the process set out in this Guide
could be adapted to suit the entity’s specific business needs or functions. While different
entities might use different processes when they undertake PIAs, ideally these processes
will address each of these steps in some way.
This Guide refers to PIAs being undertaken for ‘projects’. This term is used loosely and is
intended to cover the full range of activities and initiatives that may have privacy
implications, including:
• policy proposals
• new or amended legislation
• new or amended programs, activities, systems or databases
• new methods or procedures for service delivery or information handling
• changes to how information is stored.
What is a privacy impact assessment?
A privacy impact assessment is a systematic assessment of a project that identifies the
impact that the project might have on the privacy of individuals, and sets out
recommendations for managing, minimising or eliminating that impact.
PIAs are an important component in the protection of privacy, and should be part of the
overall risk management and planning processes of APP entities.
[1] ‘APP entities’ include private sector organisations and Australian government agencies. Refer to the
Glossary for full definitions of ‘agency’ and ‘organisation’ under the Privacy Act 1988.
Office of the Australian Information Commissioner 1
Undertaking a PIA can assist entities to:
• describe how personal information flows in a project
• analyse the possible impacts on individuals’ privacy
• identify and recommend options for avoiding, minimising or mitigating negative
privacy impacts
• build privacy considerations into the design of a project
• achieve the project’s goals while minimising the negative and enhancing the
positive privacy impacts.
While PIAs assess a project’s risk of non-compliance with privacy legislation and identify
controls to mitigate the risk, a PIA is much more than a simple compliance check. It
should ‘tell the full story’ of a project from a privacy perspective, going beyond
compliance to also consider the broader privacy implications and risks, including whether
the planned uses of personal information in the project will be acceptable to the
community.
Why do a PIA?
A large part of a project’s success will depend on whether it meets legislative privacy
requirements and community privacy expectations. Privacy issues that are not properly
addressed can impact on the community’s trust in an entity and undermine the project’s
success. It is in your entity’s interest to consider undertaking a PIA for any projects that
handle personal information.
Risks of not undertaking a PIA include:
• non-compliance with the letter or the spirit of relevant privacy laws, potentially
leading to a privacy breach and/or negative publicity
• loss of credibility by the entity through lack of transparency in response to public
concern about handling personal information
• damage to an entity’s reputation if the project fails to meet expectations about
how personal information will be protected
• identification of privacy risks at a late stage in the project development or
implementation, resulting in unnecessary costs or inadequate solutions.
Potential benefits of undertaking a PIA include:
• ensuring that the project is compliant with privacy laws
• reflecting community values around privacy and personal information in the
project design
• reducing future costs in management time, legal expenses and potential negative
publicity, by considering privacy issues early in a project
• identifying strategies to achieve the project’s goals without impacting on privacy
• demonstrating to stakeholders that the project has been designed with privacy in
mind
• promoting awareness and understanding of privacy issues inside the organisation
or agency
• contributing to broader organisational or agency risk management processes
• building community awareness and acceptance of the project through public
consultation.
A PIA may also assist an entity to demonstrate its compliance with its privacy obligations
and its approach to managing privacy risk in the case of a future complaint, privacy
assessment or investigation relating to the privacy aspects of a project. APP 1.2 requires
APP entities to take reasonable steps to implement practices, procedures or systems that
will ensure that the entity complies with the APPs. A PIA can assist in identifying the
practices, procedures or systems that will be reasonable to ensure that new projects are
compliant with the APPs.
Is a PIA necessary?
For any project that will involve the handling of personal information, you should
consider undertaking a threshold assessment (discussed below under ‘Undertaking a PIA’)
to determine whether it will be necessary to undertake the rest of the steps involved in a
PIA. Under the Privacy Act 1988 (Privacy Act), information does not always have to
include details such as an individual’s name to qualify as personal information. It may
include other information that can identify an individual or allow their identity to be
determined.[2] Personal information may be collected directly from an individual or
indirectly from another source.[3]
It will also be necessary for agencies to undertake a PIA if directed to do so by the OAIC.
Under the Privacy Act, the OAIC can direct an agency to provide a PIA about an activity or
function involving the handling of individuals’ personal information. Further information
is below under ‘Role of the OAIC’.
The OAIC strongly encourages entities to conduct PIAs as a matter of course for projects
that involve personal information. Undertaking a threshold assessment — the first step in
the PIA process, outlined below — can assist entities to determine whether a PIA is
necessary for a project, and should be routinely conducted for every project. The greater
the project’s complexity and privacy scope, the more likely it is that a comprehensive PIA
will be required, to determine and manage its privacy impacts.
[2] See the Glossary for a full definition of ‘personal information’. A more detailed explanation of ‘personal
information’ is in the APP Guidelines — see Chapter B, Key Concepts.
[3] This Guide discusses privacy of personal information, but a PIA may also consider other types of personal
privacy, such as bodily, behavioural and communications privacy.
When to do a PIA
To be effective, a PIA should be an integral part of the project planning process, not an
afterthought. It should be undertaken early enough in the development of a project that
it is still possible to influence the project design or, if there are significant negative
privacy impacts, reconsider proceeding with the project. A PIA works most effectively
when it evolves with and helps to shape the project’s development, ensuring that privacy
is considered throughout the planning process.
Making a PIA an integral part of a project from the beginning means that you can identify
any privacy risks early in the project and consider alternative, less privacy-intrusive
practices during development, instead of retrospectively. Also, consistent and early use of
a PIA ensures that all relevant staff consider privacy issues from the early stages of a
project.
Undertaking a PIA should be seen as a process that does not end with the publication of
the PIA report. A PIA may be useful more than once during the project’s development
and implementation. It should be revisited and updated when changes to the project are
considered. If there are substantial changes to how personal information will be handled
or changes to an existing project, it may be necessary to undertake another PIA.
Entities should consider whether their existing project management and risk assessment
processes incorporate a PIA and if any improvements should be made to these processes.
A report prepared for the UK Information Commissioner’s Office (ICO), Privacy impact
assessment and risk management, identifies stages in several commonly used project and
risk management processes where a PIA could be introduced, which may assist entities to
identify how PIAs can be integrated into their ‘business as usual’ practices.
The core principles of a PIA can be applied to any project or activity which impacts on the
privacy of individuals. Entities, in particular those that conduct regular PIAs, may find it
useful to develop their own PIA process, with accompanying guidance, which suits their
own business needs and functions. Consistent use of a PIA process will mitigate privacy
risks and increase awareness of privacy and data protection issues within the entity.
Role of the OAIC
Agencies
The Privacy Act gives the Information Commissioner a power (that is exercisable by the
Privacy Commissioner) to direct an agency to provide a PIA to the OAIC, if the
Commissioner considers that a proposed activity or function of the agency might have a
significant impact on the privacy of individuals.[4] This includes when the agency proposes
to:
• engage in a new activity or function, or
• substantively change an existing activity or function. This includes a substantive
change to the system that delivers an existing function or activity.
[4] See s 33D of the Privacy Act.
There are two main circumstances in which consideration is likely to be given to
exercising this power:
• when the OAIC, in the course of providing policy advice to an agency on a
proposed agency activity or function, considers that the activity or function might
have a significant impact on the privacy of individuals and recommends a PIA be
conducted and the agency does not conduct one
• when the OAIC otherwise becomes aware of an agency’s proposed activity or
function (for example, through a media report) and considers that it might have a
significant impact on the privacy of individuals and the agency has not conducted
a PIA.
Agencies that are directed to give the OAIC a PIA are required to prepare a written
assessment that:
• identifies the impact that the activity or function might have on the privacy of
individuals; and
• sets out recommendations for managing, minimising or eliminating that impact.
Further information on when and how the OAIC might exercise the power to direct
agencies to provide a PIA is available in the OAIC’s Privacy regulatory action policy and
Guide to the OAIC’s privacy regulatory action.
However, the OAIC expects that agencies will recognise the benefits of conducting a PIA
and that a PIA direction would not generally be required. While the OAIC has no formal
role in the development, endorsement or approval of PIAs that have not been directed by
the OAIC, it may, subject to available resources, be able to assist agencies with advice
during the PIA process.
