Privacy Impact Assessment Services
Helping NSW Government manage data privacy effectively for the security of Australians.
A large government department was developing a new customer management system, which was to act as a centralised point for staff, customers and third-party organisations. Each of these stakeholder groups would have an entry point to the system which was to act as a key platform for both the department’s internal and customer-facing functions. Before finalising the development of the system, the department asked us to consider the system’s compliance with the government privacy principles and inform them of the best way to tackle their areas of risk.
This business consulting project was to achieve two broad objectives: to satisfy governmental requirements when it comes to the collection of personal information through the system; and to satisfy customer expectations of how their personal information was to be stored and used. Complete transparency in the collection, use and storage arrangements was key to both of these, and therefore became the guiding principle for the project.
As privacy touches a variety of points in the development process, complexities arose as to where the privacy risk could be managed. What are the specific legislative requirements for the department? Were they addressed in the contract with the vendors? Can they be solved by changes in design? What was being communicated to both staff and customers about the collection of personal information? We were able to work through these complexities in a methodical and rigorous manner, guided by government privacy requirements but informed too by existing business structures and feedback from key stakeholders. The process was not a box-ticking exercise, but an exploration of what enhanced risk minimisation and customer information protection practices should result from the new system’s implementation – protecting both customers and the staff.
Over the course of the project, specific areas of risk for this particular department began to make themselves clear. The offshore hosting of the system storage, the direct access customers would have into the system, and the moderation of what they could upload there were some concerning issues that the Doll Martin team were able to address.
The end result of the project was a privacy impact assessment that gave the department the confidence that they not only complied with government privacy regulations, but that the new customer management system would be a privacy-positive move for the way they did business.