The role of privacy impact assessments (PIAs) in building trust among government agencies has been underscored by a privacy risk-management company.
Annelies Moens, the managing director of Privcore, has issued a warning to government agencies about the potential financial and privacy costs of a data breach. She believes that as more data is being shared with the introduction of new technologies, more data breaches are likely to occur.
“Properly assessing that risk early on can mitigate negative effects to citizens and save the government money it would otherwise have to spend to rectify harms that eventuate,” Ms Moens said.
Publishing a mandated registry of PIAs is one way the Australian government has tried to manage the high-risk processing activities of public agencies. Some departments also publish the PIAs they outsource to consultants, in addition to their own PIA registers.
NSW and Victoria have their own guidance one what a good PIA comprises but broadly speaking, it is a risk assessment of any “new or existing processes, technology, laws or regulations, systems or programs involving personal information,” a Privcore report on PIAs states.
PIAs are designed to identify the privacy risks of handling the personal information in the project. They can also be used to draw out positive aspects of the project, such as greater security or minimal data collection. Once privacy risks are identified, recommendations can be made to manage, mitigate, prevent or eliminate identified privacy risks.
Ms Moens used a recent incident in the Netherlands, where a database for COVID-19 test results and contact tracing systems was compromised, to warn Australian agencies not to take the same risks.
RTL News reported in January that two employees of the Dutch Municipal Health Services — known as the CGD — had attempted to sell the personal data of COVID-19 test subjects on platforms including Wickr and Snapchat. The people attempting to sell the citizen data were eventually arrested but it is unclear whether they were successful in trading the information for money.
What’s more, the system issues that allowed the employees to extract citizen data had reportedly been raised by staff with senior management. The employees were able to search the data and download it with ease, using a simple export function within one of the programs that managed the database, to obtain addresses, social security numbers, test results, and possibly additional medical details.
“As new technologies are deployed every day, more data is shared and more data breaches occur, both of which have massive impact on citizens,” Ms Moens said.