Assess project privacy risk

A PTA gathers the basic information about a project to assist with the decision as to whether or not a full PIA is required.

The PTA includes:

• a brief description of the project
• the personal information involved in the project
• high-level privacy assessment that sets out potential privacy risks and their initial risk rating.

Based on that information, a recommendation is provided as to whether or not a full PIA is required and why.

A PIA is a tool to identify and manage project privacy risks. While a PIA should be completed at the beginning of a project, it should be regularly refreshed to reflect any changes to the privacy impacts and risks as the project progresses or the regulatory context changes.

An agency should also have a process for regularly reviewing PIAs after a project has gone live.

Completing a PIA provides agencies with the ability to ensure compliance with applicable privacy laws, and identify and address privacy impacts, risks and opportunities to facilitate Privacy by Design.

A PIA usually includes:

• detailed project description
• personal information to be collected, its purpose and how it will be used
• how the personal information will be stored
• how individuals will be able to access and correct their information
• who the personal information will be shared with
• when and how the personal information will be disposed of
• risk table setting out:
  • privacy risks associated with the project
  • unmitigated consequence and likelihood of risks
  • proposed risk mitigations
  • mitigated consequence and likelihood of risks
• action plan
• sign off by responsible parties.

The Office of the Privacy Commissioner has a Privacy Impact Assessment Toolkit that uses the privacy principles in the Privacy Act as a framework for working through the privacy risks associated with a project.

The Privacy Impact Assessment Toolkit includes:

• how to do a Privacy Impact Assessment (step-by-step guide)
• Privacy Impact Assessment report (PIA template)
• Risk and mitigation table (common risks and mitigation associated with each of the IPPs).

Another approach, which may assist with identifying, grouping, and/or communicating privacy risks, is to use the information lifecycle framework mentioned above.  Map the IPPs to each of those stages of the information life cycle to ensure that any potential breaches of the IPPs have been identified.

Office of the Privacy Commissioner — Privacy Impact Assessment toolkit

• Is there a well-written introduction and executive summary?
• Are there clear roles and responsibilities (for example, who drafted the PIA, who was consulted, who reviewed the PIA, who owns the risks, who is responsible for updating the PIA)? What are their names and roles?
• Who will be undertaking the work outlined in the PIA?
• Does the PIA include links to related documents (for example, the business case or solution architecture document)?
• Is there a detailed description of the project?
• Is the scope of the PIA clear?
• Is it clear what personal information is involved in the project? Is there an information flow diagram?
• Is there a risk table setting out:
  • privacy risks associated with the project
  • unmitigated consequences and likelihood of risks
  • proposed risk mitigations
  • mitigated consequences and likelihood of risks?
• Is there an action plan for managing the risks?

• Is there a clear purpose for collecting each piece of personal information? Is the information necessary for that purpose?
• Could the project achieve its stated purpose(s) with less specific personal information? For example, could you collect an individual’s age range (50 – 60) or age (55) rather than their DOB (12/01/1965)?
• Is the information collected directly from the individuals it pertains to? If not, is there a lawful basis for collecting it from elsewhere?
• Is any personal information being collected from children or young people? If so, has their vulnerability been taken into account?
• Is it clear how the information is being collected (for example, by surveillance, via a form completed by the individual)? Is that way of collecting personal information fair in the circumstances?
• Will you need to update your privacy notice(s) in light of the project?

• Is it clear where and how personal information will be stored?
• Are the security measures protecting the information clearly described?
• Are there appropriate access controls (that is, access is only provided to individuals/roles that require access to the information)? Is access to the information monitored to detect suspicious behaviour (for example, staff browsing)?
• Has the information security team been consulted?

• Is it clear how the personal information is going to be used? Is the use consistent with the purpose for which it was collected?
• Does the project need to use personal information, or could it use aggregated/anonymised data and still satisfy its given purpose(s)?
• Is the use of personal information consistent with the notice provided to individuals?
• Is it clear which third parties have access to the information and how they can use it?

• Will individuals be able to access their personal information?
• Will the project impact your ability to satisfy an access request in a timely manner?
• Does the project impact your ability to correct information if an individual believes it is inaccurate? If the information can’t be changed, is there a mechanism to allow for a statement of correction to be attached to the information?
• If the project involves third parties, is there a process for informing them when an individual’s personal information is updated?

• Does the project involve information sharing between agencies? If so, is it clear what legal basis the project is relying on to justify this disclosure?
• Is it clear how the disclosure directly relates to the purpose of collection?
• Is the project disclosing the minimum amount of information required to be disclosed for the given purpose?
• Is the disclosure of personal information consistent with the notice provided to individuals?
• If the proposed disclosure is to an overseas organisation, has the project considered whether it is authorised to do so?

• Is it clear how long the information needs to be held for?
• Is there a process for disposing of the information once that time period has expired?
• Have you considered your legislative requirements (for example, the Public Records Act 2005)?