How Do Privacy Impact Assessments Work?

A comprehensive program helps organizations ensure compliance with current state, federal and international legislations and maintain trust between employers, employees, customers, and vendors. It’s not enough to store data securely – companies must be able to explain to everyone affected how their private information is being used. Taking such considerations into account gives organizations a competitive edge and ensures the ethical treatment of all involved parties.

How are PIA and DPIA Different?

A Privacy Impact Assessment (PIA) helps organizations prioritize privacy from the beginning when launching a new business, introducing a new product, or acquiring an existing one. 

Similarly, with personal data processing taking place all the time within an organization and risks continually evolving due to changes in technology and other factors — Data Protection Impact Assessments (DPIAs) must be conducted on an ongoing basis. In addition to being essential for businesses’ own risk management strategies, DPIA completion is also mandatory according to the European Union General Data Protection Regulation (GDPR).

What is Not a PIA?

Here are some of the misconceptions about PIAs:

• A superficial checklist of legal requirements
• A one-time event
• A marketing tool that only shows a project’s benefits
• Justification for existing policies or practices
• A lengthy, complicated, and resource-intensive process

When is a PIA Required?

The Directive on Privacy Impact Assessment mandates that organizations complete PIA’s whenever an individual’s personal information is at risk of being affected by a program or activity. Here are some activities that would require a PIA:

• Using individuals’ data in a decision-making process that directly impacts them
• A significant change to existing services or activities that involve the use of personal data for administrative purposes (which essentially means that it is part of a decision-making process with direct implications on the individual)
• Substantive modifications whenever the government wants to transfer programs or activities to other levels of government or private entities

What Should a PIA Include?

To generate a comprehensive PIA report, consider including the following:

• A description of the planned program or activity and its goals
• An assessment of your program’s privacy compliance and potential privacy impacts
• Compliance with the Privacy Act, applicable policies, directives, and guidelines, as well as best practices for minimizing impacts

How to Do a PIA

Follow these steps for an efficient PIA process:

Step 1: Conduct a Threshold Assessment

The first step of the PIA process is a threshold assessment wherein organizations determine if their program or activity falls within the scope of the Privacy Act and requires conducting a PIA.

Step 2: Plan the PIA

Once you have finished your threshold assessment, it’s time to organize how you will conduct your PIA. As you devise the plan for this vital task, consider the following:

• What are the evaluation criteria for the project?
• Where will the PIA fit in the project plan and timeframes?
• What resources are available for the PIA, and who will conduct it?
• What will be the timing and extent of stakeholder consultations?
• What steps will be taken after the PIA, including implementing recommendations and maintaining monitoring?

Step 3: Describe the Project

A distinct comprehension of the project’s purpose is a crucial foundation for everything else in the PIA procedure. Conducting a privacy impact assessment will help you identify the most privacy-sensitive way to design a project that achieves its goals. Here is the different information to include:

• The person responsible for the project
• Deliverables of the project
• Its objectives
• Benefits to the agency or community
• A program’s involvement in the project

Step 4: Identify and Consult With Stakeholders

It’s important to talk to stakeholders who will be affected by the project or are interested in it. Through their experience and expertise, they’ll be able to identify privacy impacts and solutions. Depending on the project, you may consult the following:

• Internal stakeholders – From the IT sector and data security to legal staff and procurement teams, as well as employees who will directly interact with customers while utilizing the new system or policy
• External stakeholders – From government agencies, suppliers, clients, and non-government organizations to advocacy groups and members of the public

Step 5: Map the Personal Information Flow

Identifying the types of personal information involved and handling is essential to the success of this project. It should include the following:

• What information will be collected, where will it come from, and how will it be collected?
• Who will have access to it, how will it be stored, and what safeguards will be in place?
• Who will use the personal information, and for what purposes?
• What is the purpose of routinely disclosing personal information, and to whom is it directed?
• How can individuals access and amend their personal information?
• What is the retention period of the information?

Step 6: Identify the Privacy Impacts

To determine if there are any privacy risks, you need to check how the project deals with personal information. It includes checking if the project follows privacy principles.

• Non-Health Agencies: Information Privacy Principles
• Health Agencies: National Privacy Principles (e.g., Health Insurance Portability & Accountability Act)
• All agencies must abide by the stringent regulations regarding the export of personal data outside Australia.
• All agencies must take all necessary measures to ensure that privacy principles bind their contracted service providers.

Step 7: Identify Privacy Risks and Options to Address Them

After identifying the privacy risks, deciding which action should be taken to mitigate them is essential. In some situations, there will be multiple solutions; for these cases, you may need to evaluate the costs associated with each option along with their benefits and risks to determine which one would work best.

Below are options that can help address privacy issues:

• Operational controls – policies and procedures, staff training, or communication strategies (e.g., collection notices)
• Technical controls – such as access controls, encryption, and design modifications
• Physical controls – such as doors or locks

Step 8: Produce a PIA Report

Prepare the report containing the following details:

• Describe the project’s information flows
• Provide a summary of the privacy impacts (both positive and negative) based on the privacy principles
• Give recommendations for removing or mitigating privacy risks
• Describe the consultation processes undertaken
• Determine whether the PIA requires reviewing during the project

Step 9: Respond and Review

Stakeholders should review and endorse the completed PIA. The project team needs to develop an action plan and timeline to address any risks or recommendations. It could involve further consultation with stakeholders, training of staff, revising procedures, or implementing additional privacy controls.

The PIA should be reviewed regularly during the project to ensure that it reflects any changes regarding privacy issues. PIAs should be updated if the project undergoes any significant changes.