Welcome back! This is where you left us. Not what you wanted?

Topic 5 Privacy impact analysis and compliance check

10 minutes

Learning objectives

  • Understand what a privacy impact analysis and compliance check is
  • Identify and assess the privacy impacts of your project
  • Ensure that your project complies with privacy law

Step 6 What is a privacy impact analysis?

A privacy impact analysis is one of the most important steps in the PIA process.

Your privacy impact analysis will identify and critically analyse how your project impacts upon privacy, both positively and negatively. Does your project have acceptable privacy outcomes or unacceptable privacy outcomes? Can any negative privacy outcomes be improved?

Conducting a privacy impact analysis will assist you to improve the privacy impacts of your project and will be beneficial to the overall success of your project.

Did you know?

Remember, even minimal amounts of personal information, handled inappropriately, may impact on someone’s privacy in ways that you did not intend.

What should I consider in my privacy impact analysis?

Your analysis should consider questions like:

  • Will individuals be required to give up control of their personal information or change the way they interact with your organisation, for example through more frequent identity checks or increased costs?
  • Will decisions that have consequences for individuals be made as a result of the way personal information is handled in the project (such as decisions about services or benefits)?
  • Does the project recognise the risk of function creep? (For example, is there an interest in using the personal information collected for the project for other purposes that might occur in the future?)
  • Is there a complaint handling mechanism? Is it visible, comprehensive and effective?
  • How will you handle privacy breaches?
  • Are there audit and oversight measures in place in case a system fails?
  • How valuable would the information be to unauthorised users?
  • Are any negative privacy impacts, including any intrusion or surveillance, fully justified and in proportion to your project’s anticipated benefits? Is it the only way of achieving the aims of your project, and done in the least privacy intrusive manner?
  • Does the use of personal information in your project align with community expectations?

Your analysis should include any stakeholder or public consultation results that may assist you to work out how to improve the project’s privacy outcomes.

Ultimately, your privacy impact analysis should consider:

  • Are the privacy impacts of your project necessary or avoidable?
  • How will the privacy impacts affect your project’s broad goals?

The above list is not exhaustive. The nature and scope of your project will determine the issues that you need to investigate as part of your privacy impact analysis.

True or false?

A privacy impact could be positive or negative.
Correct! A privacy impact can be positive (privacy enhancing) or negative (privacy invasive)
Incorrect. A privacy impact can be positive (privacy enhancing) or negative (privacy invasive).
Did you know?

You do not need to identify and eliminate every possible privacy impact, however you should identify any impacts that aren’t unrealistically remote or trivial and assess the severity of those impacts.

What is a compliance check?

While a PIA is more than a compliance check, it is essential that you consider compliance with privacy law.

Consider whether your project complies with each of the Australian Privacy PrinciplesLink opens in new window (APPs). For each APP, ask yourself:

  • Is the APP relevant to the project? If not, why not? Will it become relevant to the project at a later stage?
  • Does my project comply with the APP?
  • Are there any risks to compliance?

You should document and provide specific details about how your project complies with the APP, or why you are not required to comply, and any considerations you took into account.

Australian Government agencies should also be aware that there may be other privacy-related legislation and rules that apply to your agency, such as secrecy provisions or information handling obligations in other legislation.

The OAIC’s Guide to Undertaking Privacy Impact AssessmentsLink opens in new window provides example questions for each APP to assist you to complete your compliance check.

You may also find the APP GuidelinesLink opens in new window a useful resource to assist you to interpret and apply the APPs.

Did you know?

Your analysis should consider community attitudes towards your project. Even if it complies with privacy law, negative privacy impacts may still arise from community perceptions and expectations about it.

Case study
Your information flow diagram has helped you and your colleagues to identify the potential privacy impacts of the project.

Select whether the following privacy impacts are positive or negative.
Start
We Sell Stuff’s IT team has developed an encryption tool that will ensure the security of the existing customer database when it is sent to HelpingU
We Sell Stuff will de-identify customer information before disclosing it to the data analytics company
We Sell Stuff’s customers have not been informed that their personal information is being collected by HelpingU, and that HelpingU will have access to We Sell Stuff’s customer database
We Sell Stuff’s legal team has included a clause in the contract to ensure that the data analytics company does not re-identify the de-identified customer information it receives
HelpingU has not provided details to We Sell Stuff about how customer information will be secured
HelpingU has a policy of refusing to deal with anonymous callers
Positive Negative
Complete

Positive privacy impacts

  • We Sell Stuff’s IT team has developed an encryption tool that will ensure the security of the existing customer database when it is sent to HelpingU
  • We Sell Stuff will de-identify customer information before disclosing it to the data analytics company
  • We Sell Stuff’s legal team has included a clause in the contract to ensure that the data analytics company does not re-identify the de-identified customer information it receives

Negative privacy impacts

  • We Sell Stuff’s customers have not been informed that their personal information is being collected by HelpingU, and that HelpingU will have access to We Sell Stuff’s customer database
  • HelpingU has a policy of refusing to deal with anonymous callers
  • HelpingU has not provided details to We Sell Stuff about how customer information will be secured

Over to you Your PIA worksheet

In ‘Your PIA’ worksheet, list some of the negative and positive privacy impacts of your project. Assess whether your project complies with the APPs.

You will refer back to any negative privacy impacts that you identify in Step 7 of the PIA process: addressing privacy risks.

  Previous Next