OAIC publishes PIA guidance for agencies
The Office of the Australian Information Commissioner has published guidance detailing when government agencies must complete a privacy impact assessment.
Under the Privacy (Australian Government Agencies – Governance) APP Code 2017, all agencies must conduct such an assessment for all high-privacy-risk project.
A project can be deemed high risk if the agency reasonably considers that the project involves new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.
According to the OAIC, the approach taken to completing an assessment should be proportionate to the level of risk.
As a first step, a threshold assessment can determine a project’s potential privacy impacts to determine whether the requirement applies. The OAIC has published a template that agencies can use to design such an assessment.
‘New or changed ways of handling personal information’ should meanwhile be interpreted broadly, the agency said. It can include a new or changed way of collecting, using, disclosing, storing, destroying or de-identifying personal information, but not all such projects would be considered high risk.
Instead, the project would be considered high privacy risk if these new ways of handling the personal information are ‘likely to have a significant impact on the privacy of individuals’.
Such an impact could involve negative impacts on physical and mental wellbeing, reduced access to public services, discrimination, financial loss or identity theft.
Alternatively, projects could be covered if they have potential impacts on society rather than specific individuals. Examples include increased surveillance and monitoring activities, or the establishment of sensitive personal information sharing arrangements between the Commonwealth and other entities.
A project may be considered high risk if it does not meet this test but does meet other criteria, such as if an agency is developing new legislation to modify the operation of one or more Australian Privacy Principles, the OAIC added.
Due to the broadness of scope for potential impacts, “the OAIC strongly encourages agencies to conduct PIAs as a matter of course for projects that involve any new or changed ways of handling personal information, regardless of their potential risk profile”, the guidance states.
Besides assuring compliance with privacy laws and regulations, the potential benefits for undertaking a PIA include increasing community buy-in of the project, demonstrating to stakeholders that the project has been designed with privacy in mind, and reducing future costs in management time, legal expenses and potential negative publicity.
Geopolitical and economic pull factors could shape the future of global citizen data systems in...
A privacy impact assessment demonstrates a commitment to accountable and transparent privacy...
A new report urges the UK government to ramp up its digital transformation efforts and take steps...