Privacy impact assessments: when do agencies need to do one?

A privacy impact assessment builds public trust and confidence in an agency’s programs and policies.

The Privacy (Australian Government Agencies – Governance) APP Code 2017 requires Australian Government agencies to conduct a privacy impact assessment for all “high privacy risk projects”. A privacy impact assessment is a systematic assessment that identifies the impact a project might have on the privacy of individuals. It also sets out recommendations for managing, minimising or eliminating that impact.

But what is a high privacy risk project? And should privacy impact assessments only be reserved for projects that meet this threshold?

The Office of the Australian Information Commissioner (OAIC) recently released a privacy resource that provides guidance on both of these questions. The resource describes how Australian Government agencies can screen for potentially high privacy risk projects. It also sets out the benefits of conducting a privacy impact assessment, even when a project doesn’t meet the high privacy risk threshold.

What is a high privacy risk project?

A project may be a high privacy risk if it involves new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. Determining whether a project meets this threshold requires a thorough understanding of all aspects of a project.

The term “project” covers the full range of activities and initiatives undertaken by agencies that may have privacy implications. This could include new policy proposals, new or changed legislation, programs or activities, implementing IT systems or databases, or new or changed methods or procedures for service delivery or information handling. It might also include restructures or changes to business-as-usual activities.

“New or changed way of handling personal information” should be interpreted broadly. If a project involves a new or changed way of collecting, using, disclosing, storing, destroying or de-identifying personal information, the agency will need to consider whether the project has the potential to be a high privacy risk project.

Perhaps the most important concept to understand, however, is what may constitute a “significant impact”. A privacy impact in this context is anything that could adversely affect individuals’ information privacy. Impacts include interferences, such as the collection of new or additional types of personal information, or when the handling of personal information results in an individual losing control over their personal information. An impact on the privacy of individuals will be “significant” if the consequences of the impact are considerable.

The consequences of a privacy impact could be significant for one individual or a group of individuals, such as negative impacts on physical and mental wellbeing or identity theft. Sometimes projects can even have a significant collective impact on society — for example, increased surveillance and monitoring activities.

There isn’t a definitive threshold to determine when an impact is significant. Agencies are advised to screen for factors that may raise a project’s risk profile, such as handling large amounts of personal information, handling sensitive information and sensitivities in the context in which the project will operate, among others.

Whether a project has the potential to be a high privacy risk project is a contextual assessment based on the agency’s circumstances. It is the responsibility of each agency to be able to justify why a new or changed way of handling personal information does not have the potential to be high privacy risk.

Privacy impact assessments don’t need to be difficult

If an agency considers that there is the potential that a project is a high privacy risk project, it should undertake a privacy impact assessment.

It’s important to note this doesn’t mean the project can’t proceed. Rather, a privacy impact assessment will help to ensure that privacy risks and impacts that may be associated with the project are identified and mitigated. It will also help an agency consider whether any limitation on the right to privacy is reasonable, necessary and proportionate to its objective.

What’s more, not all privacy impact assessments need to be long or complex. Instead, the approach taken should be proportionate to the level of risk. A privacy impact assessment is intended to be a flexible and scalable tool that can be adapted based on the size, complexity and risk level of the project.

Benefits beyond box-ticking

Privacy impact assessments are more than just a compliance exercise. Our Australian Community Attitudes to Privacy Survey 2020 shows that privacy is a major concern for 70% of Australians and almost nine in 10 want more choice and control over their personal information.

This, combined with our finding that there’s been a general downward trend in trust in personal information handling by federal government departments since 2007, sends a strong signal that agencies should adopt a privacy-by-design approach.

Agencies should view the process of undertaking a privacy impact assessment as a good way to assess privacy risks more broadly and demonstrate a commitment to and respect of individuals’ privacy.

Not only can privacy issues impact the community’s trust in an agency, they can also undermine a project’s success. The risks of not undertaking a privacy impact assessment also include:

• non-compliance with privacy laws, potentially leading to a privacy breach and/or negative publicity;
• damage to an agency’s reputation if the project fails to meet expectations about how personal information will be protected; and
• identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions.
   

Weigh these with the potential benefits of undertaking a privacy impact assessment — of which there are many more not listed above — and it’s easy to see why undertaking a privacy impact assessment is increasingly being seen as a matter of best practice, regardless of whether one is required.

Effective privacy practice requires ongoing commitment and effort from agencies. The process of undertaking a privacy impact assessment demonstrates a commitment to accountable and transparent privacy practices and builds public trust and confidence in an agency’s programs and policies.

Find the privacy resource at oaic.gov.au/privacy/guidance-and-advice/when-do-agencies-need-to-conduct-a-privacy-impact-assessment.

Sarah Ghali is Principal Director, Regulation and Strategy Branch, in the Office of the Australian Information Commissioner.

Image credit: ©stock.adobe.com/au/peshkov