Don’t let privacy go MIA, complete a PIA!

As agencies and businesses continue to grow and evolve over time, so does the way they do things. An entity might someday outgrow its ICT infrastructure, require new accounting software or start working on an exciting new project. It remains important for growing businesses and adapting organisations to keep privacy at the forefront of their minds.

What is a PIA?

A Privacy Impact Assessment (PIA) is an assessment of the inherent privacy risks associated with a new project, process or endeavour. It involves identifying privacy risks which you may not have even realised existed and designing practical steps and structures to mitigate those risks.

Though they may seem intimidating, PIAs don’t have to be. PIAs can be short or complex, depending on the amount of personal information affected and the level of risk. And when you outsource them to an expert, the process becomes all the simpler and provides an agency with peace of mind. PIAs can be revisited and updated to account for changes in collection, storage or disclosure in the future.

Why do I need a PIA?

PIAs are an important tool for an agency to discharge its privacy obligations. Failing to complete one, especially for a significant change within an organisation, may lead to violations of the Privacy Act 1988 (Cth) or to severe privacy breaches and damage. PIAs help to promote transparency to individuals and stakeholders. The privacy risk mitigation strategies that organisations gain through PIAs can be used now and into the future as part of good privacy practice.

When do I need a PIA?

In line with OAIC guidance, we recommend organisations consider commissioning a PIA as early as possible and provide for a PIA in the project planning phase. Projects which are likely to require a PIA include:

  • implementing a new employee policy which changes the way their personal information is collected;
  • introducing a new ICT system or transitioning to a new provider;
  • introducing a new method of service delivery;
  • introducing new employee screening or monitoring initiatives;
  • introducing a COVID-19 or other infectious disease policy requiring the collection of personal and sometimes sensitive information, such as vaccination records;
  • transferring to a new operating system, e.g. Windows, Mac/iOS etc.; or
  • introducing a new online portal for clients, employees or other users.

Griffin Legal endorses the OAIC’s “privacy by design” approach. PIAs help to identify privacy risks early and ensure new projects are undertaken with privacy risks anticipated and management strategies clear.

To speak to one of our privacy experts, please contact our office for more information.
