The Office of the Australian Information Commissioner (OAIC) has launched a new resource to help federal government agencies determine when they should conduct a privacy impact assessment.
Under the OAIC’s privacy code for federal agencies, entities must conduct a privacy impact assessment for all “high privacy risk projects” — activities or initiatives that involve new or changed ways of handling personal information and that are likely to have a significant impact on the privacy of individuals.
Developed in consultation with several government agencies, the new resource explains how agencies can screen for potentially risky projects by completing a threshold assessment to determine whether a privacy impact assessment is required. It also sets out the benefits of conducting a privacy impact assessment, even when a project does not meet the high-privacy-risk threshold.
The guidance lists a range of activity-based risk factors that should be considered in the context of a project, including using personal information for behavioural predictions or automated decision-making, data matching, and systematic monitoring of individuals.
While the risks of not undertaking a privacy impact assessment include non-compliance with privacy laws, the potential for “negative publicity”, and unnecessary costs, the potential benefits of undertaking an assessment include contributing to broader agency risk-management processes and reflecting community values around privacy and personal information in the project design.
Australian Information Commissioner and Privacy Commissioner Angelene Falk notes that privacy impact assessments are an important tool to ensure projects meet legislative privacy requirements and community privacy expectations.
“The process of undertaking a privacy-impact assessment provides an opportunity for Australian government agencies to consult and engage with stakeholders, and demonstrate their commitment to, and respect of, individuals’ privacy,” she says.
“Effective privacy practice requires ongoing commitment and effort. This new resource complements the existing resources we have developed to assist government agencies to understand and meet the obligations of the code. These include the Privacy Officer Toolkit, the Interactive Privacy Management Plan, a Privacy Impact Assessment Tool and the Privacy Impact Assessment eLearning Program.”
Agencies must also publish a register of the privacy impact assessments they conduct, which “provides important transparency”, Falk says.
The resource states that privacy impact assessments can be incorporated into an agency’s business-as-usual activities, and often fit into existing assurance, risk management and policy development processes.
“Integrating PIAs into your agency’s standard processes may help you to avoid duplication or unnecessary work by leveraging, or updating, existing processes to help consider privacy risks associated with future projects,” it says.