What is a Privacy Impact Assessment?
In this article, our in-house privacy expert Darius Vitlin breaks down what a privacy impact assessment (PIA) is and how to read and understand one.
The purpose of a privacy impact assessment (PIA) is to provide a clear and independent review of the privacy aspects of any new or changed system or process.
Importantly, it should be a document that the general public can access and read. PIAs can be weighty, but they are written for members of the general public and should not require any technical or insider knowledge to understand.
Let’s run through what a PIA is, and what it can tell you, so you can make your own informed privacy decisions.
What is a Privacy Impact Assessment?
A privacy impact assessment is a review of a new or changed system or process. The purpose of it is to assess the impact of the system or process against a set of privacy principles. In most cases, these will be the Australian Privacy Principles as published by the Office of the Australian Information Commissioner (OAIC).
These can be found on the OAIC’s website. If the organisation being assessed is a state or territory government agency or state-owned corporation, the PIA may instead use that State or Territory’s information privacy principles. Either way, it will follow a similar structure and be aligned with similar privacy principles.
Broadly, a PIA answers:
- What personal information is being collected, and how is it being collected?
- How is the personal information stored, and is this secure?
- Who can access the personal information, and are appropriate data protections in place?
- How is the personal information being used?
- How are people’s privacy rights being protected, such as the right to request access to the personal information that may be held about them and to correct any personal information that may be incorrect?
PIAs should be performed on any change to the way an organisation collects and uses personal information, no matter how small or large. As such, a PIA may be a short, targeted assessment or a much longer document. In either case, it should be clear and understandable and should follow the same format.
The system/product description
The PIA should start with a description of the system or process being assessed. It should give some context about the organisation and what the subject of the PIA is, describing, for instance, how a new system works. It will identify the types of personal information that are intended to be collected, such as names, addresses, driver’s licence numbers and so on. What you should look for in this section is whether the assessment explains why each item of personal information is being collected and used, not just what is collected.
The best way to mitigate privacy risks is to not collect personal information at all: information that is never collected cannot be misused, leaked or over-retained. So for every type of information that is being collected, the PIA should make it clear why that information is needed for the stated purpose.
The Information Flow
Another key element used in understanding the proposed system or process is the information flow. The information flow should be a diagrammatic representation of how the personal information is collected, used and stored, and which parties have access to it. It is not a technical system diagram – or shouldn’t be – rather it is supposed to communicate in a clear manner where the personal information is flowing from and to.
The assessment itself looks at the compliance of the new or changed system or process with the Australian Privacy Principles. It should do this in a methodical manner, addressing each principle in turn and assessing the system as described in the product description against the requirement of that particular privacy principle.
There are thirteen Australian Privacy Principles. The principles themselves are set out in Schedule 1 of the Privacy Act 1988; the plain-English summaries below closely reflect their requirements. They are as follows:
APP 1 OPEN AND TRANSPARENT MANAGEMENT OF PERSONAL INFORMATION
You should be told how the personal information is being managed.
APP 2 ANONYMITY AND PSEUDONYMITY
You should have the option of dealing with an organisation anonymously or using a pseudonym, unless that is impracticable or identification is required by law.
APP 3 COLLECTION OF SOLICITED PERSONAL INFORMATION
You should be protected when supplying information about yourself.
APP 4 DEALING WITH UNSOLICITED PERSONAL INFORMATION
Information about you that an organisation receives without having asked for it should be destroyed or de-identified unless the organisation could lawfully have collected it anyway.
APP 5 NOTIFICATION OF THE COLLECTION OF PERSONAL INFORMATION
You should be notified about certain matters associated with the collection of your personal information.
APP 6 USE OR DISCLOSURE OF PERSONAL INFORMATION
Your personal information should only be used or disclosed for the purpose it was collected for, or for a related purpose you would reasonably expect, unless an exception applies.
APP 7 DIRECT MARKETING
Your personal information should not be used for direct marketing, except in certain circumstances.
APP 8 CROSS-BORDER DISCLOSURE OF PERSONAL INFORMATION
Your personal information should not be sent overseas unless certain conditions are met.
APP 9 ADOPTION, USE OR DISCLOSURE OF GOVERNMENT RELATED IDENTIFIERS
Existing government identifiers should only be used in limited circumstances.
APP 10 QUALITY OF PERSONAL INFORMATION
Your personal information should be accurate, up to date and complete.
APP 11 SECURITY OF PERSONAL INFORMATION
Your personal information should be protected from misuse, interference and loss, and from unauthorised access, modification or disclosure, and destroyed or de-identified when it is no longer needed.
APP 12 ACCESS TO PERSONAL INFORMATION
You should be able to access the personal information held about you.
APP 13 CORRECTION OF PERSONAL INFORMATION
You should be able to correct the personal information held about you.
The assessment will identify how the new system or process complies with the principles or else will identify areas of non-compliance. There are certain exemptions to the privacy principles, and these should be clearly identified and referenced in the PIA.
Remember that PIAs for state or local government organisations will assess against state or territory privacy principles instead but will follow the same method.
What do you do with recommendations?
Recommendations are a key part of the PIA process.
Where there are areas of partial or non-compliance, a recommendation should be made which describes how full compliance can be achieved.
Just because there are recommendations, it does not mean the system is non-compliant. The PIA should also suggest ways the system can be strengthened over and above the level required for compliance, and identify any privacy-positive actions the organisation can take.
It takes time for recommendations to be accepted and implemented, and this is why it is important that PIAs be performed before the implementation of a system or process, ideally alongside the design and build phase, as changes may need to be made.
What isn’t in a Privacy Impact Assessment?
A PIA isn’t going to answer all the questions you may have. Remember that a PIA concerns privacy, which is specifically the treatment of personal information, or information that relates to identified or identifiable persons. A PIA will not tell you how corporate or commercial information is being handled, for instance. Nor is it required (though it’s still advised!) where systems and processes use information that has been anonymised and de-identified; one reason it is still advised is that de-identified data can sometimes be re-identified when combined with other datasets, so the assumption that it is no longer personal information deserves scrutiny.
Lastly, the PIA is not an assessment of the functionality of the solution. Its purpose is not to test whether the solution meets its intended business goals, or even that it works correctly, except for the components that protect privacy. It is not a technical document. It is a privacy assessment, which means its goal should be to communicate in a clear, non-technical and consumable manner exactly how your personal information is being protected.
If you have any further questions about performing privacy impact assessments or how privacy might be managed in your organisation, please contact Customer Science Group.
Written by Darius Vitlin