
Topic 7 Recommendations and report

5 minutes

Learning objectives

  • Understand what is involved in making recommendations about your project and writing a PIA report
  • Develop recommendations about addressing the privacy impacts of your project
  • Write a PIA report

Video transcript

[ON SCREEN] Privacy impact assessments: Recommendations and report

[VOICEOVER] After the privacy impact analysis and compliance check, it is important that your PIA includes recommendations to remove or reduce any risks you may have identified.

Your recommendations could include:

  • making changes to the project to achieve a better balance between its goals, affected individuals and the organisation
  • introducing privacy management strategies, such as limiting the collection of personal information
  • the need for more consultation, or
  • putting the project on hold until the privacy impacts are addressed

Outline all recommendations in your PIA report and make sure you include a timeframe for their implementation. Your PIA report must be a practical document that can be easily interpreted and understood by both project stakeholders and staff in your organisation.

The OAIC encourages all organisations to publish PIA reports if possible. Being transparent about the privacy analysis you have undertaken can help to reduce community concern about how their personal information will be handled.

[ON SCREEN] For more information, visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/ultJgznCKx8.

Step 8 What should my recommendations include?

Your recommendations should identify avoidable impacts or risks and how they can be removed or reduced to a more acceptable level. A number of recommendations for the future of the project may emerge from the previous steps.

Your recommendations could:

  • Suggest changes that would achieve a more appropriate balance between your project’s goals, the interests of affected individuals and your organisation’s interests
  • Include privacy management strategies that will reduce or mitigate avoidable privacy risks
  • Suggest the need for further consultation
  • Note any remaining risks, which will need to be accepted by your organisation
  • Draw a conclusion as to whether the benefits of the project will outweigh any remaining risks – in some cases, you may need to recommend that the project not proceed at all

Recommendations should identify the individual or business area responsible for carrying out the recommended action, and set out a timeframe for implementation.

Step 9 Writing your PIA report

By the time you have documented your progress through the previous eight stages of the PIA process, you will have most of the content needed to complete your PIA report.

Your PIA report should include:

  • Your project description
  • The methodology you used to undertake your PIA
  • A description of the information flows involved in your project
  • The outcome of your privacy impact analysis and compliance checks, including positive privacy impacts and privacy risks, and strategies already in place to protect privacy
  • Your recommendations to remove or mitigate privacy risks
  • A description of any privacy risks that cannot be mitigated, the likely community response to these risks, and whether these risks are outweighed by the public benefit that will be delivered by the project

You may wish to include more detailed information in appendices — for example, about consultation processes and outcomes.

I’ve written my report, now what?

The OAIC strongly encourages organisations to publish their PIA reports.

Publication contributes to the transparency of your project’s development and intent, and demonstrates to stakeholders and the community that you have undertaken a critical privacy analysis of your project. This will potentially reduce community concerns about privacy.

The OAIC encourages you to release a summary or edited version of your PIA in circumstances where the full release of a PIA report may not be appropriate — for example, if your project is in its very early stages, or if there are security or commercial concerns.

The OAIC’s Guide to Undertaking Privacy Impact Assessments provides a suggested PIA report format, and links to sample PIA reports and templates developed by other organisations.

Activity time Recommendations

Here are three privacy risks and the recommendations for dealing with them.

Risk #1

The personal information collected through the project’s website is not adequately protected.

Recommendation

Suspend collection of personal information through the website until a review of the organisation’s information security is completed.

Risk #2

Customers become upset if they discover that their personal information is being sent to another part of the organisation, based overseas.

Recommendation

Customers are notified before their personal information is collected that the information will be handled overseas.

Risk #3

The project is using customer personal information from a database that is five years old.

Recommendation

Ensure that whenever a customer contacts the organisation, a staff member will confirm with the customer that their personal information held in the database is up-to-date and accurate.

Does the recommendation remove or reduce the risk?

Case study

In Step 7 of the PIA process, you and your colleagues brainstormed strategies to remove or minimise privacy risks in the project.

You are now ready to make recommendations and write your report.


Over to you Your PIA worksheet

Consider the mitigation strategies you have listed in Step 7 of the PIA process.

In ‘Your PIA’ worksheet, outline:

  • Which mitigation strategy you recommend your organisation adopts to address each privacy risk
  • The individual or business area responsible for carrying out the recommended action
  • Your suggested timeframe for implementation
  • The stakeholders (internal and external) that you will circulate your final PIA report to.