Topic 1 Introduction to the PIA process

10 minutes

Learning objectives

  • Understand what personal information is
  • Understand what a PIA is, and the benefits of completing one

Video transcript

[ON SCREEN] Privacy impact assessments: An introduction

[VOICEOVER] If you are designing a new product or service, or changing a process that involves personal information, you need to think about privacy. Issues around privacy can determine the success or failure of your project. Any project that involves personal information can be risky. If you ignore privacy, you could:

  • lose your customers’ trust
  • damage your reputation
  • fail to meet community expectations
  • breach the Australian Privacy Principles.

A privacy impact assessment or PIA is an essential tool to help manage, minimise and eliminate privacy risks. If your project involves personal information, it’s likely you will need to conduct a PIA. By doing this at the beginning of your project, you’ll be able to adjust its design if needed, to ensure all personal data is safely handled. Depending on the size and complexity of the project, you may even need to conduct more than one.

A PIA can help to ensure that any personal information used is respected and protected. Using PIAs is a great way to improve your organisation’s privacy practices and the Office of the Australian Information Commissioner is here to help. Make PIAs part of your business-as-usual thinking and build privacy in from the start. For more information, visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/_NCBvyAq9d4

What is a privacy impact assessment?

A PIA is a systematic assessment of a project that:

  • identifies the impact that the project might have on the privacy of individuals
  • sets out recommendations for managing, minimising or eliminating that impact.

Why do a PIA?

A PIA should ‘tell the story’ of a project from a privacy perspective. It’s an opportunity to make sure your project complies with privacy laws, but also to go beyond compliance, and consider the project’s broader privacy implications and risks. It can help you to identify whether the community will accept the planned uses of personal information or sensitive information in the project.

What is personal information?

Personal information is defined in the Privacy Act as:

information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in a material form or not.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances. The OAIC’s What is personal information? resource contains more information about when an individual may be ‘reasonably identifiable’.

Sensitive information is a subset of personal information, and is generally given a higher level of protection under the Privacy Act than other personal information. It includes an individual’s health, genetic and biometric information, and information about an individual’s race or ethnicity, political opinions or associations, religious or philosophical beliefs, sexual orientation or criminal record.

Is a PIA necessary?

If your project involves the handling of personal information, the OAIC recommends that you conduct a PIA and publish the report. Demonstrating that your organisation has properly considered privacy can help to create stakeholder trust and willingness to adopt a new product or service.

Incorporating PIAs into your organisation’s risk management framework can also help to demonstrate that your organisation has robust and effective privacy practices, procedures and systems.

The Privacy Commissioner can direct an Australian Government agency to conduct a PIA in some circumstances.

The first step in this process is to conduct a threshold assessment (more about this in the next topic) that will tell you whether you need to complete a full PIA. The greater the project’s complexity and privacy scope, the more likely it is that you will require a comprehensive PIA, to determine and manage your project’s privacy impacts.

What projects would benefit from a PIA?

You should consider undertaking a PIA for any project that handles personal information, including designing new products, service delivery or legislation. Some situations where a PIA would be necessary include:

  • Undertaking a data matching activity
  • Designing a mobile app
  • Implementing a new loyalty program
  • Considering proposed legislation
  • Integrating databases
  • Collecting new categories of customer data for direct marketing
  • Engaging a third party contractor to manage data handling
  • Working on a high risk project

When to do a PIA

To be effective, a PIA should be an integral part of the project planning process, not an afterthought. Build a PIA into your project planning timeline from the beginning. You should undertake the PIA early in the development of a project, so that it is still possible to influence the project design, or if there are significant negative privacy impacts, reconsider proceeding with the project. This will also help you to avoid potential unnecessary costs in addressing privacy concerns after a project has concluded.

Activity: Risk or benefit?

Categorise the following statements as either a BENEFIT of doing a PIA or a RISK of not doing a PIA.

  • An organisation’s reputation could be damaged if the project fails to meet expectations about how personal information will be protected
  • Privacy risks could be identified too late in the project development
  • An organisation’s credibility could be lost through lack of transparency in response to public concern about handling personal information
  • Project will be compliant with privacy laws
  • Community values and expectations around privacy will be reflected in the project design
  • Stakeholders will know that the project has been designed with privacy in mind

Risks of not doing a PIA

  • An organisation’s reputation could be damaged if the project fails to meet expectations about how personal information will be protected
  • Privacy risks could be identified too late in the project development
  • An organisation’s credibility could be lost through lack of transparency in response to public concern about handling personal information

Benefits of doing a PIA

  • Project will be compliant with privacy laws
  • Community values and expectations around privacy will be reflected in the project design
  • Stakeholders will know that the project has been designed with privacy in mind

Case study

You are a project manager working for We Sell Stuff — a business that is about to partner with HelpingU to manage its customer helpline. It is your job to identify the privacy impacts of this partnership.

It’s expected that HelpingU will receive phone calls from customers asking about We Sell Stuff’s products, following up on orders, and making complaints. HelpingU will use its own customer records management system to record and manage these calls. HelpingU will also record the outcome of these calls in We Sell Stuff’s customer database.

In the future, We Sell Stuff hopes to work with a data analytics company to analyse the data HelpingU collects, so that they can learn how to market popular products more effectively, and identify any common complaints.

Your colleagues are excited about the new partnership and eager to ask questions!

This is an exploratory activity — don't worry about getting it right or wrong, just explore the options and have fun!
