As agencies and businesses continue to grow and evolve over time, so does the way they do things. An entity might someday outgrow its ICT infrastructure, require new accounting software or start working on an exciting new project. It remains important for growing businesses and adapting organisations to keep privacy at the forefront of their minds.
What is a PIA?
A Privacy Impact Assessment (PIA) is an assessment of the inherent privacy risks associated with a new project, process or endeavour. It involves identifying privacy risks which you may not have even realised existed and designing practical steps and structures to mitigate those risks.
Though they may seem intimidating, PIAs don’t have to be. PIAs can be short or complex, depending on the amount of personal information affected and the level of risk. And when you outsource them to an expert, the process becomes all the more simple and provides an agency with peace of mind. PIAs can be revisited and updated to account for changes in collection, storage or disclosure in the future.
Why do I need a PIA?
PIAs are an important tool for an agency to discharge its privacy obligations. Failing to complete one, especially for a significant change within an organisation, may lead to violations of the Privacy Act 1988 (Cth) as well as severe privacy breaches and damage. PIAs help to promote transparency to individuals and stakeholders. The privacy risk mitigation strategies that organisations gain through PIAs can be used now and into the future as part of good privacy practice.
When do I need a PIA?
In line with OAIC guidance, we recommend organisations consider commissioning a PIA as early as possible and provide for a PIA in the project planning phase. Projects which are likely to require a PIA include:
- implementing a new employee policy which changes the way employees’ personal information is collected;
- introducing a new ICT system or transitioning to a new provider;
- introducing a new method of service delivery;
- introducing new employee screening or monitoring initiatives;
- introducing a COVID-19 or other infectious disease policy requiring the collection of personal and sometimes sensitive information, such as vaccination records;
- transferring to a new operating system, e.g. Windows, Mac/iOS, etc.; or
- introducing a new online portal for clients, employees or other users.
Griffin Legal endorses the OAIC’s “privacy by design approach”. PIAs help to identify privacy risks early and ensure new projects are undertaken with privacy risks anticipated and management strategies clear.
To speak to one of our privacy experts, please contact our office for more information.