View articles in:

New Privacy Impact Assessment Guide released

06 September 2006

The Office of the Privacy Commissioner has recently produced a Privacy Impact Assessment Guide (PIA guide). The PIA guide is a manual for managers and officers of government agencies to assess a project’s impact on individual privacy. It provides practical examples and modules to help individuals analyse how individual privacy will be effected over the course of a project.

A privacy impact assessment (PIA) analyses the flow of personal information in a project and evaluates how that flow will impact the privacy of individuals. The purpose of the assessment is to manage, minimise and eradicate invasions of privacy that can arise from a wide range of factors, including unnecessary data collection, loss of control over information, lack of appropriate accountability and lack of access to information. A thorough PIA not only avoids the risk of noncompliance but also the risk of losing credibility with their individual stakeholders and the costs associated with retrofitting a project to accommodate privacy concerns at a later stage of development or implementation.

The PIA guide allows an organisation to identify the relative value that it places on privacy; obtain advanced awareness of privacy impacts that may arise in the future (ie when a project moves away from its original design or when new legislation or technology is introduced); to proactively consider alternative project designs that are less privacy-intrusive; and to make informed choices regarding privacy. The information gathered in a PIA can also be used to support an organisation’s broader risk management strategies.

The PIA guide sets out five broad stages of a PIA:

Project description—Stating the overall project aim, the scope of the project, the project’s drivers, how the project links into the organisation and how personal information will be involved.
Mapping of information flows—Determining what personal information will be handled, how it will be collected and used, how it will move through the organisation, to whom it will be disclosed, which individuals will be responsible for it and how the it will be protected, stored and deleted.
Privacy impact analysis—Determining the sensitivity of the personal information collected, assessing any complaint-handling, audit and oversight mechanisms, measuring the degree of intrusiveness of the data collection and the proportionality of this intrusiveness to the goals of the project.
Privacy management—Identifying possible options which may help to eradicate or mitigate privacy impacts.
Recommendations—Identifying whether changes to project design need to be made, whether further consultation is required and, if the privacy impacts are too substantial, whether the project should go forward.

The PIA guide contains modules which outline practical methods to identify personal and sensitive information and to analyse whether something that doesn’t initially appear to be personal information will ultimately, if placed in certain contexts, identify individuals and, therefore, become personal or sensitive information. The modules contain considerations and questions that should be asked at each stage of a PIA. For example, the module related to data flows provides a comprehensive practical analysis of how the collection, use, disclosure, access, retention and destruction of personal information will manifest during a project:

Collection	Is the personal information being collected sufficiently circumscribed, necessary and justifiable? From where is the information collected (the individual directly or from other agencies)? Are the individual’s circumstances being considered when the personal information is collected (ie languages other than English, hearing impairments etc)? Is the purpose of the collection and the future uses of the information made known to the person? Is the method of collection covert or overt?
Use	How will the information be used over the course of the project? Are there measures in place to prevent use for unauthorised secondary purposes? Has all required consent been provided? Is there an intention that the personal information will be linked with other information already held? Will there be an audit trail to track information use and data-linking?
Disclosure	Does the individual know about any disclosure? Is disclosure required by law?
Access	Can the individual access and correct their personal information? What processes are available to ensure regular updating of personal information?
Security	Who has access to the information? What security measures have been taken internally (where data is handled in-house) or externally (where data is outsourced)? What happens in the event of a security breach?

The PIA guide also provides:

an Information Privacy Principles Compliance Checklist, for government agencies, to evaluate whether the personal information aspects of any project complies with section 14 of the Privacy Act, and
privacy management principles which can assist in managing ongoing privacy issues during the life of a project.

This article was written by Linda Melnychuk, Solicitor.

For more information please contact

Name : Duncan Giles
Title : Special Counsel
Office : Sydney
Phone : +61 2 9225 5954
Fax : +61 2 9322 4000
Email : duncan.giles@freehills.com

This article provides a summary only of the subject matter covered, without the assumption of a duty of care by Freehills or Freehills Patent & Trade Mark Attorneys. The summary is not intended to be nor should it be relied upon as a substitute for legal or other professional advice.

Copyright in this article is owned by Freehills or Freehills Patent & Trade Mark Attorneys. For permission to reproduce articles, please contact Freehills' Public Affairs Coordinator, Megan Williams, on 61 3 9288 1132.