Privacy by design: building public trust and confidence

22/03/2024

Griffin Legal endorses a ‘privacy-by-design’ approach, where organisations proactively embed good privacy practices into the design and development of a program that involves any collection, use, or disclosure of personal information. Every decision and new process must be approached via a privacy-first mindset, promoting both functionality and privacy protection.

Organisations of all sizes are encouraged to keep privacy at the forefront of their minds. This is particularly important given the rapid integration and use of emerging technologies across business operations, the concerning rise in the scope and volume of data breach incidents, and anticipated reforms to the Privacy Act 1988 (Cth).

A privacy impact assessment (PIA) provides a good way to integrate a privacy-by-design approach, demonstrating compliance with the Privacy Act, building public trust and confidence in your organisation’s programs and policies, and safeguarding against legal risks in the event of a data breach incident.

What is a PIA?

A PIA is a systematic assessment of a project that identifies and assesses its privacy risks early, and sets out recommendations for managing, minimising or eliminating those risks.

Undertaking a PIA will provide oversight over:

  • How personal information flows in a project
  • Possible impacts on individuals’ privacy
  • Options for avoiding, minimising, or mitigating negative privacy impacts
  • Building privacy considerations into a project’s design
  • Opportunities to achieve the project’s goals while minimising the negative, and enhancing the positive, privacy impacts.

The benefits of undertaking a PIA early in a project include compliance with privacy laws, demonstrating transparency, reducing future resource costs and minimising the risk of negative publicity, increasing internal privacy awareness, and embedding good risk management processes.

It is important to have sufficient safeguards in place for information systems and processes, to protect data from privacy violations. A PIA is particularly useful where privacy issues form part of a cyber security incident or data breach. PIAs may also be used to inform subsequent enterprise cyber security needs, and represent the first step in helping organisations uplift their overall approach to IT governance.

When to undertake a PIA

Special rules apply for government agencies. For example, under the Privacy (Australian Government Agencies – Governance) APP Code 2017, an agency must conduct a PIA for all high privacy risk projects. A project may be a high privacy risk if it involves a new or changed way of handling personal information that is likely to have a significant impact on the privacy of individuals.

For example, a PIA may be required when:

  • introducing a new ICT system or transitioning to a new provider;
  • changing methods for service delivery; or
  • considering a new or amended system for data storage.

A threshold assessment is the first step in deciding whether a PIA is necessary: it establishes whether your project’s potential privacy impact qualifies it as a high privacy risk project.

PIAs are not always necessary and, where one is undertaken, it can be short or complex, depending on the amount of personal information affected and the level of risk. PIAs can be revisited and updated to account for changes to information handling.

Reach out to Griffin Legal if you would like to discuss a PIA or other ways to build in ‘privacy by design’.
