Assess agency privacy risk

Establishing the privacy context is a vital part of understanding your agency’s privacy risks.

Common aspects of your agency’s privacy context include:

• the legislation that governs how it can collect, use, share and dispose of personal information (for example, the Privacy Act, Public Records Act 2005, Customs and Excise Act 2018, and Births, Deaths, Marriages and Relationships Registration Act 1995)
• the volume and sensitivity of the personal information that an agency holds
• your agency’s business objectives, culture, and policies.

Questions to ask

• What personal information does your agency handle, for what purposes and under what governing legislation?
• How many individuals does your agency collect information about?
• How much personal information does your agency collect about each individual and how sensitive is that information (for example, health information)?
• How essential is personal information to your business operations and organisational objectives?
• How is privacy reflected in your agency’s values, policies and culture?

Completing a data inventory is an important component of an effective privacy risk assessment. A data inventory provides an agency with a comprehensive view of the personal information that the agency handles, including:

• what personal information is held
• where it’s located
• how it’s stored
• who has access to it
• how it’s shared — internally and externally
• how it’s used
• when it’s disposed of.

A data inventory identifies personal information as it moves across the agency’s various systems. As a result, it can highlight the privacy risks associated with the agency’s systems and processes.

To complete a data inventory, an agency needs to identify the repositories in which personal information is held. A repository is any place that holds data, makes data available to use, and organises data in a logical manner (for example, database, spreadsheet, paper file). An agency is likely to have multiple repositories.

It’s recommended that a range of business groups contribute to the completion of the data inventory, including:

• ICT
• information security
• information management
• records management
• risk and assurance
• legal
• HR
• finance
• procurement
• service delivery/operations.

Questions to ask

• What is the repository (for example, database, spreadsheet, paper file)?
• What is the purpose of the repository?
• Who is the owner of the repository?
• What kind of personal information is held in the repository?
• How much personal information is held in the repository?
• How is the personal information being used?
• Who has access to the personal information (for example, business units, roles)?
• How does personal information move between repositories?
• Who is the personal information shared with (internally and externally)?
• In which country or countries is the personal information stored?
• From which country or countries is the personal information accessed?
• When and how is personal information deleted from the repository?

In today’s operating environment, agencies rely on third party providers to provide a wide variety of products and services. To accurately assess its privacy risks, an agency needs to know what personal information third party providers can access and handle during the course of delivering its product or service.

Conducting a third party inventory is not a one-size-fits-all model and will vary depending upon the agency’s specific context. An agency needs to find an approach to collecting the relevant information about its third party providers that fits with its business and the types of third party providers it engages with.

For agencies with contract management systems, it will be a straight-forward exercise to collect information from contracts. For others, though, a more productive approach may be to start with a list of products and services that the agency consumes, and then gather vendor and contract information.

It’s recommended that a range of business groups contribute to the completion of the third party inventory, including:

• procurement/corporate
• finance
• legal
• ICT
• service delivery/operations
• HR.

Questions to ask

• Who is the provider?
• What product(s) or service(s) do they provide? To what business unit(s)?
• What personal information do they access and use (volume and type)?
• Do they have subcontractors? If so, who are they?
• Do they work onsite or offsite?
• Where is the personal information stored — does it remain on the agency’s systems, on the contractor’s system, or on the contractor’s individual devices?
• Does the contract include adequate privacy and security provisions?

To identify the risks associated with an agency’s handling of personal information, the inventory information collected in step 1 needs to be reviewed alongside the agency’s privacy maturity.

Using privacy maturity

An agency’s privacy maturity can be assessed using the Privacy Maturity Assessment Framework (PMAF) and its 9 elements:

• governance, leadership and accountability
• culture
• assurance
• information management
• privacy risk assessment
• privacy programme
• business processes
• implementation of the Information Privacy Principles
• breach and incident management.

More information

• Privacy Maturity Assessment Framework (PMAF)

Using information life cycle

When identifying privacy risks, the information life cycle is another useful framework. The information life cycle consists of:

• collection
• storage and security
• use
• access and correction
• disclosure
• retention
• disposal.

Questions to ask

Maturity

• Does your agency have robust privacy policies and procedures that are widely disseminated and used?
• Is privacy considered to be everyone’s responsibility?
• Are staff adequately trained to handle personal information appropriately?
• Does your agency have an incident response plan? Has the incident response plan been tested or used?
• Does your agency have a process for assessing the privacy risks associated with new products, services or processes, or material changes to existing products, services or processes (for example, Privacy Threshold Assessments and Privacy Impact Assessments)?
• Does your agency implement Privacy by Design?
• Does your agency use data-oriented strategies for privacy protection (for example, minimising data, separating data, abstracting data and hiding data)?

Assess project privacy risk

Collection, retention and disposal

• Does your agency only collect the personal information it requires? Is there a pattern of over collection?
• Are individuals aware of the personal information you are collecting, why you are collecting it, how it’s being used, how they can access or correct it, and when it will be deleted?
• How is this communicated to customers, clients and staff?
• Is there a pattern of retaining personal information for longer than required?

Security, access and correction

• Is personal information stored securely?
• Are there appropriate access controls?
• Is there a process for providing individuals with access to their personal information?
• Is there a process for allowing individuals to correct their personal information?
• Are processes in place to ensure personal information is accurate before it’s used?

Use and disclosure

• Is information only used for its intended purpose?
• Do third parties (contractors and subcontractors) have access to large volumes of personal information and/or sensitive personal information? Where is the personal information stored (for example, remains on the agency’s systems, is on the contractor’s system, is on the contractor’s individual devices)?
• Do staff understand when and how to share personal information? Is there a process for ensuring there’s a legal basis for disclosing personal information?
• Will any information be transferred or disclosed offshore?

Having identified the privacy risks, an agency will need to understand the:

• possible consequences
• likelihood of each risk occurring to assign a rating to each risk.

An agency’s risk and assurance team is likely to have an existing risk rating matrix that can be used.

In addition to establishing the consequence and likelihood of a risk, calculating the cost of the risk actualising can be a useful exercise to communicate the severity of the risk and create a compelling story.

Questions to ask

• If the identified risk eventuates and becomes an issue for your agency, what consequences would there be for affected individuals? Harm to an individual can be:
  • loss, detriment, damage or injury to an individual
  • adverse effect on rights, benefits, privileges, obligations or interests
  • significant humiliation, significant loss of dignity or significant injury to the feelings of that individual
• If the identified risk eventuates and becomes an issue for your agency, what consequences would there be for your agency? Consequences for your agency may include:
  • reputational damage and loss of public trust and confidence
  • additional resources required to mitigate future risks (for example, reconfiguration of systems, processes, etc.)
  • possible enquiry, investigation and compliance notice
  • possible fines or monetary compensation.
• What is the likelihood that the identified risk will eventuate?
• What information is available to support the answers to these questions? If there’s a lack of information available, further work may be required to gather this information.

Having rated the privacy risks, an agency will need to determine its response to each of the identified risks. Common responses include:

• Avoid/eliminate — reducing the probability of the risk eventuating to zero.
• Mitigate — reducing the consequence and/or likelihood of the risk.
• Accept — accepting the risk and its consequences.

When deciding which response to adopt, consider the feasibility of the mitigation, the cost of the mitigation, and the cost of remedying any harm caused to individuals. Different agencies will manage privacy risks differently depending on their risk appetite.

Contracting out services is not a risk treatment as the agency will remain responsible and accountable for how personal information is managed.

Managing risks can also be an opportunity to improve how an agency handles personal information.

Common agency privacy risks can include staff who are inadequately trained in handling personal information, more personal information being collected than is required, and third party providers not handling personal information appropriately.

Read about common agency privacy risks, find out who to involve and potential mitigations. 

The ongoing effectiveness of privacy risk assessment requires monitoring, reviewing and updating.

The consequences and/or likelihood of privacy risks may change over time depending on factors both internal and external to an agency.

The effectiveness of the mitigations of the risks may also change over time and an agency may need to be reconsider risks which were previously accepted.

A privacy risk assessment is a valuable communication tool that can raise awareness within an agency of the risks associated with collecting, using, storing, accessing and sharing personal information.

Regular and continuous consultation with an agency’s staff and stakeholders is essential in ensuring the context and nature of the risk is understood by staff who are responsible for managing these privacy risks.